Privacy Act breaches in a real-estate campaign
A residential sale generates personal information: owner names, contact details, sign-in sheets, home layout, sometimes financial and medical context. The Privacy Act 2020 governs how that information may be collected, used, disclosed, and retained. Most campaigns comply most of the time — but a small number of recurring patterns produce complaints, and the complaint track is one of the few consumer-side remedies that regularly results in findings against real-estate actors.
The Privacy Act 2020 framework
The Privacy Act 2020 replaces the 1993 Act and is the principal NZ statute governing personal information handling. It applies to any agency — including real-estate agencies, inspectors, marketing providers, and third-party data processors — that collects or holds personal information about identifiable individuals. The Act is built around thirteen Information Privacy Principles (IPPs).
The IPPs most relevant to a real-estate campaign are: IPP 1 (purpose of collection), IPP 3 (collection directly from the individual with notice), IPP 5 (storage and security), IPP 10 (use limited to purpose of collection), IPP 11 (disclosure only with authorisation or statutory basis), IPP 12 (cross-border transfer), and IPP 13 (unique identifiers).
Common breach patterns
- Open-home sign-in sheets re-used for marketing. A visitor signs in at an open home for access; their details are later added to the agency's general marketing list without specific notice or consent. Potential IPP 3 and IPP 10 breach.
- Unsolicited direct marketing from related service providers. The vendor's details are shared with a mortgage broker, insurer, or mover with whom the agency has a referral arrangement. Without the vendor's prior authorisation, IPP 11 is engaged.
- Photography retained and re-used. Campaign photography commissioned and paid for by the vendor is reused by the agency for its own marketing — agency website stock shots, testimonial pages, brochures — after the sale. Without an express licence, use is limited to the campaign purpose.
- Neighbour letterbox drops identifying the vendor's property and circumstances. "John and Mary's house at 12 Example Street has just sold for over CV" — identifying a specific vendor in neighbourhood marketing without consent touches IPP 10 and IPP 11.
- Buyer enquiry lists sold or traded. A buyer who enquires on a specific property is added to a list that is later shared with other agencies or marketing partners.
- Retention beyond the sale. Documents — disclosure statements, building reports, financial information — retained by the agency after the campaign, with no purpose and no documented retention schedule. Potential IPP 9 breach (retention only as long as necessary).
- Unsecured storage or transmission. Vendor and buyer documents emailed unencrypted, stored on shared drives without access control, or left on a shared CRM accessible to unrelated staff. Potential IPP 5 breach.
What "consent" actually requires
Burying consent in a sign-in sheet's fine print does not meet IPP 3. The Office of the Privacy Commissioner has consistently held that collection notice must be specific, prominent, and given before the information is collected. "By signing below you agree to receive marketing communications from [agency] and our partners" at the foot of an open-home clipboard is weak under the Act and is routinely challenged.
In the agency agreement, pre-authorisation language may permit the agency to share vendor information with specific classes of third party for specific purposes. Pre-authorisation in a signed contract is stronger than a clipboard clause — but it must still be specific. Generic "may share with partners" language does not authorise every conceivable onward use.
Documenting a suspected breach
If you suspect a breach — whether as a vendor, a buyer who visited an open home, or a neighbour whose details were used — document the following before taking action:
- The information involved (what was collected, what was disclosed, what was used).
- The identity of the sender or caller, the date, and the contact channel (email, SMS, letterbox drop, phone call).
- How you believe they obtained your information. If the chain is uncertain, log the uncertainty.
- The link (if any) to a specific transaction — the property, the listing agent, the agency.
- Screenshots or originals of any marketing, signs, or forms involved.
The written enquiry
Before escalating to the Office of the Privacy Commissioner, a written enquiry to the agency is almost always the first step. Under IPP 6, you have the right to access personal information an agency holds about you; under IPP 7, you have the right to request correction. A privacy enquiry also invokes the agency's internal process and creates a record.
Dear [agency privacy officer],
I am making a Privacy Act 2020 request in relation to personal information the agency holds about me.
1. Under IPP 6, please provide a copy of all personal information the agency holds about me, including the source of that information and the dates of collection.
2. Please identify every third party (including related agencies, referral partners, and service providers) to whom my personal information has been disclosed, the date of disclosure, and the lawful basis for each disclosure under IPP 11.
3. Please confirm the purpose for which my information was originally collected, and whether any subsequent use has been outside that purpose (IPP 10).
4. Please confirm the agency's retention schedule for my information and the date by which it will be destroyed (IPP 9).
The Privacy Act 2020 requires a response within 20 working days. I look forward to hearing from you by [date].
Regards,
[Name]
Escalation to the Office of the Privacy Commissioner
If the agency's response is inadequate, evasive, or confirms the breach without offering a substantive remedy, the complaint can be escalated to the Office of the Privacy Commissioner (OPC). The OPC operates a free, non-adversarial complaints regime. Most complaints are resolved through facilitated agreement; a minority proceed to formal investigation and published finding.
The complaint process:
- Submission via the OPC online portal at privacy.org.nz or by post.
- Initial assessment by the OPC (typically 4–8 weeks).
- If accepted, OPC facilitates between the complainant and the agency. Remedy is typically an apology, deletion, a practice change, and occasionally a modest payment for humiliation or loss of dignity.
- If the agency refuses to settle, the OPC may issue a finding. Findings are published (with or without identifying detail depending on severity).
- Serious or repeated breaches can be escalated to the Human Rights Review Tribunal, which can award damages for loss, humiliation, loss of dignity, and injury to feelings under section 103 of the Privacy Act 2020. Reported NZ awards typically sit in the NZD 5,000–75,000 range; higher awards exist but are unusual.
Interaction with the REA
Privacy Act breaches in a real-estate context often also constitute breaches of the PCCC Rules 2012, particularly Rule 9.2 (unfair advantage) and Rule 6.3 (acting in good faith). A parallel complaint to the Real Estate Authority is possible. The two regimes are independent; a finding in one does not bind the other, but either can be pursued — or both.
Notifiable privacy breaches
Since 1 December 2020, the Privacy Act has required agencies to notify both the OPC and affected individuals of any privacy breach causing "serious harm" (Part 6). A leaked database, an unprotected CRM accessible on the open internet, or a misdirected mass email that exposed multiple individuals' sensitive information triggers the notifiable-breach regime. Agencies that fail to notify face substantially enhanced regulatory consequences.
Rules cited: Privacy Act 2020, PCCC Rules 2012.