If the business is a small business that the Privacy Act doesn’t cover, then the due diligence process when selling is not affected, unless trading in personal information is involved.
Vendors
A vendor must comply with the Australian Privacy Principles during due diligence. Disclosures of personal information are allowed during due diligence, if they’re related to the reason the information was collected and within the reasonable expectations of the individuals concerned.
A vendor should give a prospective purchaser de-identified information, if possible, and disclose only personal information necessary to assess the business. Generally, a vendor would be able to disclose:
financial information
contractual documents with trading partners, suppliers and contractors
information about key employees relevant to their employment relationship
aggregated information about employee entitlements (such as long service leave)
aggregated statistical customer information
A vendor should take reasonable steps to protect personal information by:
including privacy clauses in their confidentiality agreement with a prospective purchaser
allowing, if possible, a prospective purchaser to inspect and not copy documents
A business which sells assets, including personal information held in its customer database, is ‘trading in personal information’. The Privacy Act covers any organisation trading in personal information. For more information about selling a whole business, see Trading in Personal Information.
Prospective purchasers
A prospective purchaser must take care to protect individuals’ privacy rights during the due diligence process and comply with privacy clauses included in the confidentiality agreement between them and the vendor.
They must follow the Australian Privacy Principles if they collect personal information. Taking notes that include personal information, or taking a copy of a document that has personal information in it, is collecting personal information.
A prospective purchaser may review personal information necessary to assess the business. A vendor should give them de-identified information if possible. Generally, a prospective purchaser would be able to review:
financial information
contractual documents with trading partners, suppliers and contractors
information about key employees relevant to their employment relationship
aggregated information about employee entitlements (such as long service leave)
aggregated statistical customer information
After completing due diligence, a prospective purchaser should either destroy or return the personal information they collected during the process.