Data Retention & Destruction Policy

(Privacy Act 1988 (Cth) – Real Estate Practice)

Muscat Property Co. Aust Pty Ltd (ABN: 22691862218 ACN: 691 862 218)

1. Purpose

The purpose of this Data Retention & Destruction Policy is to ensure that personal information collected, held, and used by the agency is:

  • retained only for as long as necessary to fulfil its lawful purpose

  • protected from misuse, loss, unauthorised access, modification, or disclosure

  • securely destroyed or de-identified when no longer required

This policy supports compliance with:

  • the Privacy Act 1988 (Cth)

  • the Australian Privacy Principles (APPs), particularly APP 11

  • applicable real estate licensing, trust account, and record-keeping obligations

2. Scope

This policy applies to:

  • all personal information collected from clients, tenants, landlords, buyers, sellers, contractors, staff, and prospective clients

  • information held in electronic, paper, photographic, audio, or digital formats

  • all systems including CRM platforms, trust accounting software, email systems, cloud storage, marketing platforms, and physical files

3. Types of Information Covered

Personal information may include (but is not limited to):

  • names, addresses, phone numbers, and email addresses

  • identification documents (e.g. driver licences, passports)

  • tenancy applications and supporting documents

  • contracts, authorities, agency agreements, and correspondence

  • trust account records and financial transaction data

  • marketing records and enquiry details

  • complaints, dispute records, and compliance documentation

4. Retention Principles

The agency adopts the following principles:

  • Personal information is retained only where there is a legal, operational, or business need

  • Information must be accurate, complete, and up to date while retained

  • Retention periods reflect statutory obligations, industry best practice, and risk management requirements

  • When information is no longer required, it must be securely destroyed or permanently de-identified

5. Standard Retention Periods (Real Estate Practice)

Unless a longer period is required by law, the agency applies the following minimum retention periods:

5.1 Sales Records

  • Agency agreements, contracts for sale, correspondence, marketing materials
    Retention: Minimum 7 years after completion or termination

5.2 Property Management & Tenancy Records

  • Lease agreements, condition reports, tenancy applications, maintenance records
    Retention: Minimum 7 years after the tenancy ends

5.3 Trust Account Records

  • Trust ledgers, receipts, reconciliations, audit reports
    Retention: Minimum 7 years in accordance with trust accounting laws

5.4 Financial & Accounting Records

  • Invoices, commissions, expense records, tax documentation
    Retention: Minimum 7 years

5.5 Marketing & Enquiry Data

  • Enquiries, appraisal requests, campaign records
    Retention: Until no longer required for marketing purposes or consent is withdrawn

5.6 Complaints & Dispute Records

  • Complaints, investigations, correspondence
    Retention: Minimum 7 years after resolution

6. Secure Storage During Retention

While retained, personal information must be protected by:

  • secure digital systems with access controls and user permissions

  • password protection, encryption, and secure cloud storage where applicable

  • locked filing cabinets and restricted office access for physical records

  • limiting access to authorised staff only

7. Destruction & De-Identification

When personal information is no longer required:

7.1 Destruction Methods

  • Paper records: cross-cut shredding or certified document destruction services

  • Electronic records: secure deletion, overwriting, or permanent removal from systems

  • Backup data: deletion in accordance with system retention cycles

7.2 De-Identification

Where destruction is not practical, information may be permanently de-identified so that individuals can no longer be reasonably identified.

8. Legal Holds & Exceptions

Personal information must not be destroyed if it is:

  • required for ongoing or anticipated legal proceedings

  • subject to regulatory investigation, audit, or dispute

  • otherwise required by law to be retained for a longer period

In such cases, destruction is suspended until the issue is resolved.

9. Breach Prevention & Monitoring

The agency:

  • regularly reviews stored information to ensure compliance with retention periods

  • conducts periodic audits of physical and electronic records

  • investigates and responds to any suspected data breach in accordance with its Data Breach Response Plan

10. Staff Responsibilities

All staff must:

  • comply with this policy and related privacy procedures

  • only retain personal information where authorised

  • notify management of information that is no longer required or improperly stored

  • complete privacy and data-handling training as required

11. Policy Review

This policy is reviewed:

  • at least every two (2) years, or

  • earlier if there are changes to privacy law, real estate legislation, or business operations

12. Contact

Questions regarding this policy or requests relating to personal information should be directed to the agency’s Privacy Officer.

Back to home