Personal information

Rental law changes for personal information collected and stored during the application process and throughout the management of the tenancy agreement commence on 1 May 2025.

The Act refers to personal information as information or opinion about a specific person, or someone who can be reasonably identified, whether the information is true or not. It includes whether the information is recorded or not and also covers photographs or images of someone’s personal possessions or standard of living.

The Act specifically addresses the collection, storage, and destruction of personal information in the context of residential tenancies. The RTA cannot provide information on privacy laws outside the scope of the Act, so the RTA encourages individuals to conduct their own research or seek independent legal advice to understand how other privacy laws may apply to their situation.

Responsibilities of property managers/owners

Property managers/owners have responsibilities for personal information collected and stored during the application process and throughout the management of the tenancy agreement.

Collection of personal information

Personal information can only be collected if it is relevant to the application process or managing the premises. This includes photographs taken during property inspections. Personal information must not be used for any other purpose without the tenant's or prospective tenant’s consent.

  • Application process
    A property manager/owner can request no more than two documents from each of the following categories to support the tenancy application:
    i.   documents proving the prospective tenant's identity
    ii.  documents showing the prospective tenant's financial ability to pay rent
    iii. documents assessing the prospective tenant's suitability for the rental

    There are restrictions on what information and supporting documents can be requested by a property manager/owner during the rental application process. For more information, please read our Application process webpage.

    It is an offence to request personal information from prospective tenants outside what is prescribed by the Act. The maximum penalty for non-compliance is 20 penalty units.
  • Management of tenancy
    Personal information collected during the tenancy must be securely stored and handled in the same manner as other personal information.

Storing and accessing personal information

A property manager/owner must ensure the information is kept secure, that access is restricted to relevant persons, and that it is destroyed within the required time frame. Generally, storing personal information securely means protecting it from unauthorised access, use, or theft.

  • Secure storage
    Personal information must be stored securely and only accessed for the purpose of assessing the suitability of the applicant as a tenant/resident for the premises. This applies to both physical and digital records.

    Personal information can be stored in a database or on the cloud and must be handled in accordance with these requirements.
  • Access
    Personal information may need to be shared in cases such as a change of manager or owner during the agreement. This must be done securely and in accordance with other applicable privacy laws.

Retention and destruction of personal information

The Act specifies the minimum timeframe for keeping certain documents and destroying personal information.

  • Minimum retention periods
    Penalties apply for non-compliance. The following records must be kept for a minimum of 1 year after the agreement ends:
    • a copy of the residential agreement
    • a copy of the entry condition report
    • records of rent payments (including receipts or rent payment records).
  • Destruction of personal information
    Although the Act does not offer a definition, ‘securely destroyed’ typically means the information is permanently erased or destroyed in a way that makes it impossible to access or reconstruct. This may include securely shredding paper documents or deleting digital files. The Act does not specifically reference information stored in database or cloud-driven systems, only that personal information must be securely destroyed.

    From 1 May 2025, personal information collected during the tenancy for the purpose of managing the premises must be destroyed within 7 years of the agreement ending.

    This is the maximum time limit for keeping these documents, which stops them being kept forever. It means a property manager/owner must now destroy certain documents at some point between 1 and 7 years after the tenancy ends.

    Personal information collected during the tenancy for the purpose of managing the premises must be securely destroyed within 7 years of the agreement ending. This includes photographs taken during inspections.

    The maximum penalty for non-compliance is 20 penalty units.

Misuse of personal information

If there are concerns that a property manager/owner is misusing personal information, the tenant or prospective tenant can contact the relevant regulatory body to file a complaint. These organisations can investigate whether the rights under privacy legislation are being breached.

State and Federal privacy protections

Property managers/owners must also comply with the privacy protections in State and Federal legislation that relate to the collection, storage and destruction of personal information. 
