Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner

What happens if I sell my small business including a customer database?

Is selling a database covered by the Privacy Act?

A small business that sells assets, including personal information held in the customer database, is ‘trading in personal information’ and will therefore be covered by the Privacy Act 1988 (Privacy Act) (see ‘I operate a small business. How do I know if I am covered by the Privacy Act?’). A small business that wishes to sell its personal information holdings will only be able to do so if:

  • it has the consent of the individuals concerned before the sale is made; or
  • the sale of personal information is required or authorised by law.

However, a sale of a whole business is not ‘trading in personal information’, and the business will not have to comply with the Privacy Act, if the sale involves a change of ownership, or a sale of shares, of the business but the personal information is kept within the business. In this case, the business may have new shareholders, but the business itself has not given the personal information to anyone outside the business.

For more information on whether or not your small business is exempt from the Privacy Act see Privacy checklist for small business and Information sheet 16.


Does the Privacy Act affect due diligence if I am selling an exempt small business?

If a small business is exempt from the Privacy Act the due diligence process will not be affected.

A sale of business assets may result in both the vendor and the purchaser becoming subject to the Privacy Act if personal information is exchanged as part of the business assets (for example, sale of a customer database). Generally speaking, the Privacy Act will only apply after the completion of the sale. For more information see Information sheet 16.

If a prospective purchaser is already covered by the Privacy Act, they will need to comply with it when conducting due diligence.


How does a vendor comply with the Privacy Act in a due diligence process?

If a small business is subject to the Privacy Act, the vendor and potential purchasers will have to take care to protect individuals' privacy rights in the due diligence process.

Vendors will need to comply with the Australian Privacy Principles. Disclosures of personal information are allowed if they are related to the reason the information was collected and within the reasonable expectations of the individuals concerned.

De-identified information should be provided where possible. Only personal information necessary to the assessment of the business should be disclosed. Generally, vendors would be able to disclose:

  • financial information
  • contractual documents with trading partners, suppliers and contractors
  • information about key employees relevant to their employment relationship
  • aggregated information about employee entitlements (long service leave etc)
  • aggregated statistical customer information

Vendors should take reasonable steps to protect personal information. Privacy clauses should be included in confidentiality agreements with the prospective purchasers. Where possible, purchasers should only inspect and not copy documents. Personal information collected by the prospective purchaser should be returned or destroyed after completion of the due diligence.

For more information see Information sheet 16.


How does a prospective purchaser comply with the Privacy Act in a due diligence process?

If a small business is covered by the Privacy Act, the potential purchasers will have to take care to protect individuals' privacy rights in the due diligence process. Inspecting purchasers will need to comply with the Australian Privacy Principles if they collect personal information. Taking notes that include personal information, or taking a copy of a document that has personal information in it, is collecting personal information.

Only personal information necessary to the assessment of the business should be reviewed. De-identified information should be relied on wherever possible. Generally, purchasers would be able to review:

  • financial information
  • contractual documents with trading partners, suppliers and contractors
  • information about key employees relevant to their employment relationship
  • aggregated information about employee entitlements (long service leave etc)
  • aggregated statistical customer information

Prospective purchasers must take reasonable steps to protect the privacy of any personal information and comply with privacy clauses included in confidentiality agreements. Generally, purchasers should only inspect and not copy documents. Personal information collected by the prospective purchaser should be returned or destroyed after due diligence is complete.

For more information see Information sheet 16.
