As a broker, ACL holder, or lender, you collect sensitive personal and financial information every day: payslips, bank statements, tax returns, ID documents. The Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) govern how you must handle this data. Breaches can trigger OAIC enforcement, civil penalties, and loss of client trust.
This guide covers your practical obligations, common mistakes, and concrete steps to protect client data.
Typical data collected during the lending process includes:
Some of this is sensitive personal information (e.g. bank account details, health-related information). Loss or unauthorised access can result in identity fraud, financial loss to clients, and regulatory action against you.
The Privacy Act requires you to:
Collection (APP 3, 5): Collect information only for a lawful lending purpose. Notify clients what you collect and why. Don't collect unnecessary data.
Use and disclosure (APP 6): Use and disclose information only for the lending purpose or a directly related purpose (e.g. referral to a lender, credit reporting). Don't use client data for marketing without consent. Disclose to third parties (lenders, aggregators, valuers) only as needed.
Security (APP 11): Protect personal information from misuse, loss and unauthorised access or disclosure. This means encryption, secure storage, access controls and safe handling practices.
Retention and destruction (APP 1, 11): Keep data only as long as needed. Destroy it securely when it's no longer required. Don't hold client payslips and tax returns indefinitely.
Access (APP 12): Provide clients access to their personal information on request.
Secure file sharing: Don't email unencrypted payslips, tax returns or bank statements. Use password-protected file transfer, secure cloud storage (with access controls) or encrypted email. Set document expiry dates where possible.
Encrypted storage: If storing files locally, use encrypted folders or drives. Use password managers for account credentials. Ensure backups are also encrypted.
Access controls: Limit who can access client data. Use role-based access in your CRM or document storage. Log who accesses sensitive documents.
Retention & destruction schedules: Define how long you keep payslips, tax returns and ID documents (typically 7 years for tax, then destroy). Document and regularly execute destruction (not just deletion—use secure deletion tools or physical shredding).
Client consent and notices: Include privacy collection notices in engagement letters. Make clear what data you collect and how you use it. Obtain consent before sharing with third parties beyond the lending process.
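As an added illustration of the retention and destruction schedule described above (not code from the original guide), the following Python script flags client documents whose retention period has expired and produces a metadata-only destruction record for your compliance file. The 7-year period for tax and financial records is taken from the guide; the document categories, the sample document list and the record format are assumptions.

```python
"""Retention schedule checker for client lending documents.

Added example, not part of the original guide. Retention periods, document
categories and the sample documents below are assumptions; confirm them
against your own policy and any insurer requirements."""
from dataclasses import dataclass
from datetime import date

# Retention period in years per document category (assumed schedule).
RETENTION_YEARS = {
    "payslip": 7,
    "tax_return": 7,
    "bank_statement": 7,
    "id_document": 7,
}


@dataclass
class ClientDocument:
    doc_id: str
    category: str
    collected_on: date  # date the document was obtained from the client


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb in a non-leap target year becomes 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(doc: ClientDocument) -> date:
    """Last day the document may be kept under the schedule."""
    if doc.category not in RETENTION_YEARS:
        raise ValueError(f"no retention rule for category {doc.category!r}")
    return add_years(doc.collected_on, RETENTION_YEARS[doc.category])


def documents_due_for_destruction(docs, today: date):
    """Return documents whose retention period ended before today."""
    return [d for d in docs if retention_expiry(d) < today]


def destruction_record(doc: ClientDocument, today: date, method: str) -> dict:
    """Audit entry for the compliance file: metadata only, never document content."""
    return {"doc_id": doc.doc_id, "category": doc.category,
            "collected_on": doc.collected_on.isoformat(),
            "retention_expired": retention_expiry(doc).isoformat(),
            "destroyed_on": today.isoformat(), "method": method}


# Constructed sample inventory (hypothetical ids and dates).
SAMPLE_DOCUMENTS = [
    ClientDocument("payslip-001", "payslip", date(2016, 2, 29)),
    ClientDocument("tax-002", "tax_return", date(2018, 6, 30)),
    ClientDocument("id-003", "id_document", date(2017, 11, 1)),
]
```

Run the check on a schedule (for example monthly) and keep each destruction record alongside your other compliance decisions.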
If you have an eligible data breach (unauthorised access or disclosure of personal information likely to result in serious harm), you must notify the OAIC and affected individuals "as soon as practicable."
Steps: (1) Detect and contain the breach (stop ongoing exposure). (2) Assess whether it's eligible (document your reasoning). (3) If eligible, notify the OAIC and affected clients within days, not weeks. Include what happened, what data was involved, likely impact and steps clients should take (e.g. monitor credit). (4) Keep records of your decision and notification.
Delayed or inadequate breach notification increases OAIC enforcement risk and reputational damage.
The Office of the Australian Information Commissioner (OAIC) enforces privacy law:
See the links below to OAIC resources and guidance on data handling in the lending context.
Q: I emailed a payslip unencrypted. Is that a breach?
A: It's a serious risk. If the email goes to the wrong person or the recipient is compromised, you've likely breached APP 11. Use encrypted file transfer or secure cloud links going forward. Document what happened and notify your compliance officer.
Q: How long do I keep client documents?
A: Typically 7 years for tax and financial records (ATO retention rules). After that, destroy them securely. Check your professional indemnity insurance for longer retention requirements. Don't keep documents "just in case."
Q: Do I need a written privacy policy?
A: Yes, APP 1 requires it. It should describe what information you collect, why, how you use it, who you disclose it to, how clients can access it, and how you protect it. Keep it simple and clear for clients.
Q: What if a client asks for their data?
A: You must provide it within 30 days unless there's a lawful exemption. Respond promptly and keep a record of the request and response.
Q: Can I store client files in Google Drive or Dropbox?
A: Only if access is restricted (not publicly shared), folders are encrypted or you use a password-protected link, and you have a data processing agreement with the provider.
Q: What should I do if a client's details are breached?
A: Contain the breach (stop further access), assess whether it's eligible for notification, document your steps and notify the OAIC and client as soon as practicable if eligible.
Protecting client data is a compliance obligation and a trust issue. Collect and keep only what you need. Use encrypted file sharing and storage. Define and follow a data destruction schedule. Make clear what you collect and how you use it. If a breach occurs, assess quickly and notify within days if eligible. Keeping good records of your compliance decisions protects you if the OAIC questions your practices.