IT was a dramatic change that happened quietly in the background, which would normally have gone largely unnoticed.
As public scrutiny of PRD Presence Newcastle's business operations intensified last month, amid allegations of potential privacy breaches and data sharing, the real estate firm started playing catch-up.
The Newcastle Herald can reveal that in the past few weeks, PRD has made drastic changes to its privacy policy, which sets out how the company uses its clients' personal information.
As questions were being raised about the firm, and its related entities, in relation to concerns about their business practices, the public-facing privacy policy, which must appear on a real estate agent's website, underwent a series of significant changes from March 7.
According to the tracked changes, the document went from 1125 words titled "Privacy policy", to at least two different versions of an exhaustive 10,600-word document called "Privacy policy and collection notice".
"Unless you give your express consent otherwise, the following policy governs how we handle your personal information and safeguards your privacy," the new policy reads.
"By providing your personal information to us you agree to this policy."
The original document, last tracked on PRDs website on March 7, made no mention of PRD sharing clients' personal information with other real estate-related businesses run by PRD majority owner Mark Kentwell, including his telesales hub known as the Growth Centre or Real Business Engine, which are both run under his company NEXR Pty Ltd.
As previously reported by the Herald, the Growth Centre works as a telesales hub, where junior staff use real estate databases to call people to tout for business.
Former staffers at the Honeysuckle-based call centre have detailed how they would access PRD's, and other real estate firms', databases prospecting for leads.
Training scripts seen by the Herald reveal that staff would promote PRD for buying or selling, linked buyers agency Henderson Advocacy for people looking to buy, PRD's rental arm Safe Hands and finance deals with Loan Market and the Commonwealth Bank.
Under current laws there is no obligation for companies to inform people that they have changed their privacy policies, meaning they have changed the way they use peoples' personal information.
The updated versions of PRD's privacy policy disclose that people's personal information can be used by the Growth Centre and a range of other businesses linked to PRD.
The documents also provide some insight into the link between PRD and buyer's agency Henderson Advocacy.
A Herald investigation revealed last month that the state's property services watchdog is making "active inquiries" into PRD Presence Newcastle and director Mark Kentwell's links to Future Property Co, which trades as Henderson Advocacy.
It is understood NSW Fair Trading is looking at a number of property sales where PRD Presence represented the sellers and Henderson Advocacy represented the buyers.
Agents in NSW are not permitted to act for the buyer and seller of a property at the same time, or to profit from both sides of a sale.
Mr Kentwell has denied any wrongdoing, saying he does not work for Henderson Advocacy, has not profited from the half share of the business that is linked to him and PRD made "adequate disclosures" about the business relationship to clients.
Numerous PRD clients, whose homes were bought by people being represented by Henderson Advocacy, told the Herald they had no idea the two businesses were linked.
Mr Kentwell told the Herald neither he nor any of his family members were a beneficiary of the corporate trustee, BA Expansion, which is a joint owner of Henderson Advocacy.
As the sole director and shareholder of BA Expansion, he manages the trust and the distribution of assets to beneficiaries.
While we will probably never know the identity of the person or company that is the beneficiary, changes to PRD's privacy policy, and a recent PRD agency agreement seen by the Herald, provide some insight.
A version of the updated privacy policy, which appeared briefly on PRD's website last month before it was further amended, said the beneficiary was "related" to Mr Kentwell. The same wording also appeared in the agency agreement.
Under the heading "Disclosure of potential rebates, discounts, commissions and beneficial relationships", the privacy policy stated that Henderson Advocacy is a buyers agency service that is solely owned by Henderson Metro NSW Pty Ltd.
"Henderson Metro NSW Pty Ltd is partly owned by an entity whose beneficiary is related to a director of Kenterprise [PRD Presence]," it read.
"The monetary sum is dependent on the value of the transaction and then respective business profitability. The benefit therefore is unable to be ascertained at the time of signing but will be provided if Henderson Advocacy purchase the property on behalf of its clients."
The Herald asked Mr Kentwell, who is the sole director of Kenterprise that trades as PRD Presence Newcastle, what was meant by the term "related", but he did not answer the question.
The privacy policy has since been updated again and the reference to the beneficiary being "related" to Mr Kentwell has been removed.
It now reads: "Henderson Advocacy is a buyers agency service that is solely owned by Henderson Metro NSW Pty Ltd.
"Henderson Metro NSW Pty Ltd is partly owned by a director and shareholder of Kenterprise, Mark Kentwell as a director and shareholder of BA Expansion Trust. Mark Kentwell is not a beneficiary of this trust and does not receive profit distributions or dividends."
Mr Kentwell said he signed on as the director of BA Expansion in July last year to provide guidance and support in the lead up to "a potential national expansion of the buyers agency concept".
"However, neither I, nor any of my family members, are the beneficiaries of the associated trust," he said.
"The steps that I took relating to my involvement with BA Expansion Pty Ltd complied with the act and associated regulations included the engagement of leading industry legal professionals who confirmed that this structure was not in conflict with my established businesses."
The Herald has also revealed that Henderson Advocacy staff had access to PRD's database and would make calls claiming to be from PRD and try to refer business to Henderson.
The latest version of PRD's privacy policy applies to all personal information collected by PRD and host of related businesses, including its rental arm Safe Hands Property Management, Newcastle New Projects, Present and Future, Presenting Prestige and NEXR.
It applies to customers, including rental applicants and people selling or buying properties, suppliers and job applicants.
Privacy experts told the Herald that real estate agents have almost free rein on what information they can ask to collect from people, beyond protection against basic discrimination based on background or disability.
Rental application requirements vary greatly between agencies, but in a lot of cases tenants were asked to provide a broad range of information almost every time they search for a new rental.
That can include submitting years of work and rental history, bank statements, payslips, multiple identifying documents such as a driver's licence or passport, access to social media accounts, as well as the make, model and registration of a person's car.
Digital Rights Watch executive director James Clark said it's enough to steal or defraud an identity if the data was breached.
Mr Clark said there was a "large power imbalance" between real estate firms and clients, especially in the case of tenants due to the current rental crisis.
"Real estate agents have the power to make people homeless," he said. "So people will give them what they ask for. In the case of renters there is rarely a choice of whether you can use their product or not."
He said while agencies have the power to change their privacy policies whenever they like, effectively changing how they can use your personal information with the stroke of a pen, he was hopeful upcoming changes to Australian privacy laws would give people more rights.
"We saw recently in Melbourne that Harcourts were the victim of a data breach," he said.
"We saw that renters' information and other clients' personal information was caught up in that breach. So similar to any company that collects a whole bunch of personal information, the risk of data breaches and poor data security is always there, and the only real way to protect against that is not to collect and store the information to begin with."
Privacy expert and Electronic Frontiers Australia board member John Pane said privacy policies were required by law and designed to be a transparency mechanism.
He said one of the biggest problems was less than 1 per cent of people read privacy policies and collection notices.
"Usually they're quite large and written in arcane language, legalese, and not presented in ways that consumers can readily and quickly understand," he said.
"It's not like reading the nutrition label on the back of a packet of chips. You understand straight away from that label, which communicates clearly and simply, if this stuff is good for me or not. That's the way our privacy policies in future times will hopefully look."
Mr Pane said once people handed over their personal information to companies, they had no right to have it erased.
He said companies could change the way they use the information and there was little people could do about it.
""The real issue is whether or not they conduct a legal assessment when engaging in new or unique uses or disclosures of personal information that were not contemplated nor disclosed previously to the individual." he said.
"So if they start using the information to disclose it to third-party businesses and they are in a different stream of work ... If they had to do a legal assessment of that, more than likely, it wouldn't meet the reasonable expectations of individuals for that disclosure to occur."
According to survey findings by the Office of the Australian Information Commissioner, people are more concerned about their privacy than ever before, quickly abandoning companies they believe abuse their information.
The findings reveal an overwhelming majority of respondents believe their personal information is misused when it is collected for one reason and used for another.
The Community Attitudes to Privacy study, which is issued every three years and has tracked Australians' attitude on privacy since 1990, shows the majority of respondents stop engaging with companies over privacy concerns.
A new right to have personal information collected by companies erased is one of the key recommendations of a two-year sweeping review of the nation's privacy laws.
Attorney-General Mark Dreyfus is overseeing another round of consultations on the "right to request erasure" proposal and 115 other reforms put forward in the review of the Privacy Act.
His department's report will lay the groundwork for the most comprehensive overhaul of privacy law since the act was introduced in 1988, but any changes could still be at least a year away.
The right-to-erasure proposal is modelled on the EU's data protection regime, considered to be the strongest privacy and security law in the world.
If adopted, the changes would require small businesses to comply with the act, a major change from their current exempt status.
Under current laws, real estate agents must not use or disclose confidential information obtained while acting on behalf of a client or dealing with a customer unless it has been authorised by the person, or the agent is required to by law.
Organisations with an annual turnover of more than $3 million must comply with the Australian Privacy Principles under the Federal Privacy Act 1988.
For agents and organisations with an annual turnover of less than $3 million, an exemption applies and the Australian Privacy Principles provide best practice guidelines for managing personal information.
The 13 principles set out standards for the collection, use, disclosure, correction and disposal of personal information.
Read Mark Kentwell's full statement here and a second statement here.
