Are you Privacy-ready — and is your current approach putting clients at risk?
From 1 July 2026, real estate professionals across Queensland will be subject to new laws that, for the first time, require them to verify their clients' identities. Alongside that obligation comes an important question many agencies haven't yet considered: what happens to that identity information once you've collected it?
The answer has significant privacy implications — and for most agencies, the way they currently handle identity documents is already a problem.
Book a demoThe Privacy Act now applies to every reporting entity — including small businesses under $3 million turnover. For most agencies, this is brand new.
The Office of the Australian Information Commissioner (OAIC) is clear:
"All reporting entities that are required to comply with the AML/CTF Act are also required to comply with the Privacy Act when handling personal information for AML/CTF obligations."
— OAIC, Privacy guidance for AML/CTF reporting entities (February 2026)
This includes small businesses — regardless of turnover. For most real estate agencies, that's a new obligation that didn't exist before. That means the way your agency collects, stores and retains client identity information is now regulated — and some very common current practices are likely to fall foul of the law.
Across the industry, many agents currently verify identity by taking a photo of a client's licence or passport on their smartphone, or keeping a photocopy on the client's file. It's quick, it's familiar — and both regulators are now clear that it is the wrong approach.
AUSTRAC's reform guidance states plainly: "You aren't required to keep scanned copies or photocopies of identity documents themselves, such as driver's licences."
The OAIC goes further: "You should not keep copies of full identification documents (such as driver's licences or passports) for AML/CTF record keeping purposes."
— OAIC, Privacy guidance for AML/CTF reporting entities (February 2026)
This isn't a grey area. Both regulators have said, in plain terms, that keeping a photo or photocopy of a client's ID is not required — and under the Privacy Act, retaining personal information beyond what is necessary is not permitted.
"Collecting and retaining personal information you do not need may create cyber security risks, for your business, and to the people whose information you hold."
— OAIC, Privacy guidance for AML/CTF reporting entities (February 2026)
A file — or a smartphone photo — containing a client's full name, date of birth, document number, expiry date and residential address is, in practice, almost as valuable to an identity thief as the document itself. Data breaches in real estate are not hypothetical. Agencies hold some of the most sensitive personal and financial information of any small business sector — and from 1 July 2026, they will be holding more of it than ever before. A smartphone containing unencrypted photos of dozens of clients' passports and driver's licences is a significant liability.
Livesign's digital identity verification platform is designed to meet your verification of identity obligations while keeping your clients' information — and your business — protected.
Your new privacy obligations don't have to create new risks for your clients. Livesign helps you meet them — compliantly, and without the liability that comes with a camera roll full of your clients' passports.
