The collection, use and disclosure of personal information in the course of business is not specifically addressed by the Privacy Act 1988. However, the Privacy Act regulates the way in which an 'APP entity' must handle personal information, and this will include the collection, use and disclosure of personal information in the course of the sale of a business.

The vendor and any prospective purchasers must take care to protect individuals’ privacy rights if the Privacy Act covers the business being sold.

If the business is a small business that the Privacy Act doesn’t cover, then the due diligence process when selling is not affected, unless trading in personal information is involved.

Vendors

A vendor must comply with the Australian Privacy Principles during due diligence. When providing information to a prospective purchaser, a vendor should give careful consideration to whether the information to be provided includes personal information. A vendor should only provide a prospective purchaser with personal information if the provision of that information is consistent with the vendor's obligations concerning the use or disclosure of the information.

In most cases, it is unlikely that the person that the information is about would expect their personal information to be used or disclosed to a prospective purchaser. It is also unlikely, in most cases, that the use or disclosure of the information for this purpose will be related to the purpose for which the information was collected.

If information required by a prospective purchaser would include personal information, a vendor should consider whether the information can be de-identified. Generally, a vendor would be able to provide a prospective purchaser with:

  • financial information
  • contractual documents with trading partners, suppliers and contractors
  • aggregated information about employee entitlements (such as long service leave)
  • aggregated statistical customer information.

A vendor may also be able to provide a prospective purchaser with information about key employees that is relevant to their employment relationship with the vendor. However, unless they have the consent of the employees, or the information is de-identified, a vendor should avoid providing records of other employees.

When providing information about its customer base, a vendor should avoid providing a prospective purchaser with the names and other identifiers of its customers.

Where personal information cannot be de-identified, and the vendor does not have the consent of the person, the vendor should generally avoid giving the information to the prospective purchaser.

Where personal information is to be provided to a prospective purchaser, or to protect against any unintended disclosure or use of personal information, a vendor should consider taking reasonable steps to maintain control of information provided to a prospective purchaser, including by:

  • maintaining physical control of the information—which may involve the vendor retaining the information at its own premises and imposing physical restrictions on access to the information, such as allowing a prospective purchaser to attend at the vendor's place of business to review documents but not make copies of them;
  • maintaining legal control of the information—such as by including privacy clauses in the vendor's confidentiality agreement with a prospective purchaser;
  • in the case of information held electronically, only providing limited electronic access to the information—for instance, by making the information available through a data room.

A business which sells assets, including personal information held in its customer database, is 'trading in personal information'. The Privacy Act covers any organisation trading in personal information. For more information about selling a whole business, see Trading in Personal Information.

Prospective purchasers

A prospective purchaser must also take care to protect individuals’ privacy rights during the due diligence process and comply with privacy clauses included in the confidentiality agreement between them and the vendor.

Generally, where possible, a prospective buyer should avoid 'collecting' personal information. However, if the provision of information by a vendor would involve the collection of personal information by a prospective purchaser, the purchaser must follow the Australian Privacy Principles.

Taking notes that include personal information, or taking a copy of a document that has personal information in it, is collecting personal information. Accessing personal information made available by a vendor, without making or keeping a record of it, would not be a 'collection of' that personal information. As discussed above, generally, a prospective purchaser would be able to review:

  • financial information
  • contractual documents with trading partners, suppliers and contractors
  • information about key employees relevant to their employment relationship
  • aggregated information about employee entitlements (such as long service leave)
  • aggregated statistical customer information.

As also discussed above, the vendor should give a prospective purchaser de-identified information if possible. After completing a due diligence process, if a prospective purchaser has collected any personal information from the vendor, the purchaser should either destroy or return the personal information they collected.