Selling a business

Last updated: 8 August 2019

On this page

Privacy rights a vendor should be aware of when selling a business the Privacy Act covers, as should any prospective purchaser

The vendor and any prospective purchasers must take care to protect individuals’ privacy rights if the Privacy Act 1988 (Privacy Act) covers the business being sold.

If the business is a small business that the Privacy Act doesn’t cover, then the due diligence process when selling is not affected, unless trading in personal information is involved.

Vendors

A vendor must comply with the Australian Privacy Principles during due diligence. Disclosures of personal information are allowed during due diligence, if they’re related to the reason the information was collected and within the reasonable expectations of the individuals concerned.

A vendor should give a prospective purchaser de-identified information, if possible, and disclose only personal information necessary to assess the business. Generally, a vendor would be able to disclose:

  • financial information
  • contractual documents with trading partners, suppliers and contractors
  • information about key employees relevant to their employment relationship
  • aggregated information about employee entitlements (such as long service leave)
  • aggregated statistical customer information

A vendor should take reasonable steps to protect personal information by:

  • including privacy clauses in their confidentiality agreement with a prospective purchaser
  • allowing, if possible, a prospective purchaser to inspect and not copy documents

A business which sells assets, including personal information held in their customer database, is ’trading in personal information’. The Privacy Act covers any organisation trading in personal information. For more information about selling a whole business see, Trading in Personal Information.

Prospective purchasers

A prospective purchaser must take care to protect individuals’ privacy rights during the due diligence process and comply with privacy clauses included in the confidentiality agreement between them and the vendor.

They must follow the Australian Privacy Principles if they collect personal information. Taking notes which include personal information or taking a copy of a document, which has personal information in it, is collecting personal information.

A prospective purchaser may review personal information necessary to assess the business. A vendor should give them de-identified information if possible. Generally, a prospective purchaser would be able to review:

  • financial information
  • contractual documents with trading partners, suppliers and contractors
  • information about key employees relevant to their employment relationship
  • aggregated information about employee entitlements (such as long service leave)
  • aggregated statistical customer information

After completing due diligence, a prospective purchaser should either destroy or return the personal information they collected during the process.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au