Lipstick on a Pig: Why IPP3A Fixation Won’t Fix Property Management’s Bigger Privacy Problem
Here’s a number for you: The number of property management agencies in New Zealand with a comprehensive privacy policy is alarmingly close to zero.
These agencies hold bank account numbers, property details, tenancy histories and personal information of thousands of people - tenants AND owners. They share that information, daily, with maintenance platforms, trust account systems, CRMs, listing portals and contractors. Most of them have never told their clients any of this is happening.
On 1 May, a new privacy rule called IPP3A kicks in. If you collect personal information about someone from a source other than that person, you have to tell them. If you run your PM business on any kind of tech stack, this hits you.
IPP3A is real. You have to meet it.
But here's what bothers me: Your IPP3A efforts are likely nothing but lipstick on a pig.
*Oink*
The OPC's rental guidance has been this industry's privacy playbook. It landed after sustained media coverage of tenant blacklists and over-collection. Necessary intervention. It worked. Property managers now know there are limits on what you can ask on an application form.
Good.
The guidance addressed the symptoms. Collection limits. Transparency at application stage. Then the OPC moved on.
What it didn't cover: disclosure. Security. Retention. The full sweep of privacy obligations that run from the moment an owner signs a PMA to the day a tenancy ends.
The industry treated the guidance as the whole exam. It was one question.
Agencies updated their application forms and think they’ve “done privacy”.
You haven't. The application form is a fraction of the obligation.
Your tech stack has obligations. So do you.
Three principles collide the moment you plug into a SaaS platform.
IPP3. You collect information directly from a tenant or an owner. You have to tell them why, who gets it, how they can access it and correct it. Most agencies aren't doing this. Almost none are doing it for owners.
IPP11. You disclose that information to a platform. That's governed by IPP11. You need a lawful basis. Did you tell the person their data would go to that platform? If yes, you're probably fine. If no, you're probably not.
IPP3A. The platform receives information about someone and transmits it to you, such as when a tenant talks to a maintenance chatbot and the data comes back into your system. You are the indirect collector. You have to notify the tenant.
Section 11. Critical distinction. If the platform is handling data purely on your behalf and not using it for its own purposes, then it is your “agent”. The obligations stay with you. Its compliance is your compliance. You need to know it's meeting the standard the Act requires of your agency. The moment the platform uses the information for its own purposes (such as benchmarking, AI training etc.), then it is an agency in its own right and has its own full suite of privacy obligations, like you. But that is more a them problem than a you problem.
Have you asked your provider which one they are?
If you haven’t met IPP3 and IPP11 then IPP3A doesn’t create one gap. It exposes three. And if you don’t know whether your SaaS providers are section 11 agents, you don’t know who is carrying the can.
The blind spot nobody talks about
Every privacy conversation in this industry is about tenant data.
Property managers also hold a huge amount of the owners’ personal information. IPP3 applies. IPP11 applies. From 1 May, IPP3A applies to every recipient who gets owner information from you indirectly.
The Privacy Act doesn't care whose information it is. It covers all personal information held by an agency.
Owner privacy is invisible in this industry's compliance thinking. That's a big problem.
What a fix actually looks like
Don’t bolt privacy clauses into every PMA, tenancy agreement and application form. You’ll end up with bloated transactional documents no one is going to read. And each time the law changes, you’ve got to update three.
Have one comprehensive privacy policy covering tenants, owners and everyone whose information you handle. The transactional documents can carry concise clauses pointing to the policy statement.
I've been drafting these for agencies. What I've found has confirmed what I suspected. Most are starting from zero. The gap is real. It's also closable. The sooner you do it, the easier it is.
The pig can’t outrun the farmer
The OPC has shown itself to be susceptible to public sentiment. When the media started reporting extensively on tenant blacklists back in 2021, the Commissioner acted almost immediately.
Look at what's building now. SaaS platforms moving personal information in opaque two-way flows. Brand-badging that makes tenants think they're dealing with their property manager when they're actually talking to a separate company. Owners whose financial details are sitting in systems they've never heard of.
The OPC doesn't need to be actively policing. It needs one media story. One tenant who finds out. One owner who asks the wrong question.
The tinder box is right there.
1 May is the starting gun for a conversation that should have started years ago.