Personal information

The Residential Tenancies and Rooming Accommodation Act 2008 (the Act) addresses the collection, storage, and destruction of personal information for residential tenancies. The RTA cannot provide information on privacy laws outside the scope of the Act, so you are encouraged to conduct your own research or seek independent legal advice to understand how other privacy laws may apply.

The Act refers to personal information as information or opinion about a specific person, or someone who can be reasonably identified, whether the information is true or not. This includes whether the information is recorded or not, and covers photographs or images of someone's personal possessions or standard of living.

Responsibilities of property managers/owners

Property managers/owners have responsibilities for personal information collected and stored during the application process and throughout the management of the tenancy agreement.

Collection of personal information

Personal information can only be collected if it is relevant to the application process or managing the premises. This includes photographs taken during property inspections. Personal information must not be used for any other purpose without the tenant's or prospective tenant’s consent.

There are restrictions on what information and supporting documents can be requested by a property manager/owner during the rental application process. For more information, read our Application process webpage.

Storing, accessing and sharing personal information

A property manager/owner must ensure personal information is kept secure, that access is restricted to relevant persons, and that it is destroyed within the required time frame. 

  • Secure storage and access
    Personal information must be stored securely and only accessed for the purpose of assessing the suitability of the applicant as a tenant/resident for the premises. This applies to both physical and digital records.
     
  • Sharing
    Personal information may need to be shared in cases such as a change of property manager/owner during the agreement. This must be done securely and in accordance with other applicable privacy laws.

Retention and destruction of personal information

The Act specifies the minimum timeframe for keeping certain documents and destroying personal information.

Minimum retention periods
The following records must be kept for a minimum of one year after the agreement ends:

  • a copy of the tenancy agreement
  • a copy of the entry condition report
  • records of rent payments (including receipts or rent payment records).

Penalties apply for non-compliance.

Destruction of personal information
Property managers/owners must ensure that all personal information and records collected during the application process and throughout the tenancy are securely stored and destroyed in compliance with legislative requirements. They must be securely destroyed:

  • after 3 months for unsuccessful applicants
  • within 7 years after the tenancy ends.

This includes photographs taken during inspections.

These rules only apply to tenancy agreements that commenced on or after 1 May 2025. This requirement does not apply to tenancies that commenced before 1 May 2025.

The maximum penalty for non-compliance is 20 penalty units.

The Act does not define 'securely destroyed' however it typically means the information is permanently erased or destroyed in a way that makes it impossible to access or reconstruct. This may include securely shredding paper documents or deleting digital files. The Act does not specifically reference information stored in database or cloud driven systems, only that personal information must be securely destroyed.

Misuse of personal information

If there are concerns that a property manager/owner is misusing personal information, the tenant, or prospective tenant can contact the relevant regulatory body to file a complaint. These organisations can investigate whether the rights under privacy legislation are being breached.

State and Federal privacy protections

Property managers/owners must also comply State and Federal with the privacy legislation that relates to the collection, storage and destruction of personal information. 

More information:

Frequently asked questions