This article is the third in a series of articles from Hamilton Locke’s IP and Technology team called “Technology Law Insights”. You can read the first article in the series here. Stay tuned for regular updates and commentary on topical issues across the sector.

* * *

The Privacy Act: Considerations for Vendors in Business Sales

When offering a business for sale, a question often arises as to whether the Privacy Act 1988 (Cth) (the Act) prevents the vendor from providing copies of its business records to prospective purchasers.

Our previous article outlined the relevant organisations that may be caught by the Act and summarised their obligations. This article examines some of the privacy risks vendors face during the due diligence process. Addressing these risks before commencing the sale process will lead to a more efficient, cost-effective and straightforward transaction.

What privacy considerations should vendors be aware of?

For many businesses, some of their most valuable assets can be their databases of personal information. Most sales will involve some form of due diligence process through which the prospective purchaser(s) will review the vendor’s records.  If there is any personal information in these records (such as in marketing databases, or as contained in key customer and supplier contracts) this will be a ‘disclosure’ of personal information under the Act.

For this reason, it is best to provide aggregated or de-identified information to purchaser(s).  However, if this is not possible, the vendor must satisfy itself it has the appropriate consents from the affected individuals and has taken the necessary steps to protect that personal information, as set out below.

Does a vendor need consent to disclose personal information during the due diligence process?

In short, yes.  However, the vendor may be able to establish this consent:

• If its privacy policy and related documents have been properly drafted such that the individuals have already given their consent; or
• If the ‘disclosure’ for the due diligence process is related to the original purpose for which the personal information was collected and the individual would reasonably expect this secondary disclosure. This may apply where, for instance, the personal information of a key customer was collected by the vendor for the original purpose of offering services to the customer. In that situation, the due diligence of the vendor’s business by a third party who will continue offering those same services to the customer is likely to be a ‘secondary purpose’ for which the customer would reasonably expect the vendor to disclose the customer’s personal information. On the other hand, this may not apply in respect of a smaller customer where it is less clear that review of the personal information is necessary for the due diligence.  (If the personal information in question falls into the category of “sensitive information” – such as medical records or information relating the individual’s religious beliefs – stricter disclosure obligations will apply.)

The vendor would only need to seek specific consent from the affected individuals if it cannot meet either of the options above.

Disclosure overseas

If a purchaser is based overseas, the vendor must also comply with Australian Privacy Principle 8, which requires the vendor to:

• Ensure the purchaser does not breach the Australian Privacy Principles; or
• Satisfy itself the purchaser is bound by a similar scheme which can be enforced; or
• Expressly inform the affected individuals of the intended disclosure and obtain their consent.  This could significantly delay the due diligence process so should be used as a last resort.

What steps should a vendor take to protect personal information during the due diligence process?

Even with consent to the disclosure, the vendor must still take reasonable steps to protect personal information from misuse, loss, unauthorised access and unauthorised disclosure.  This may include:

• Legal restrictions, such as:
  • Confidentiality or non-disclosure deeds with the potential purchaser;
  • Limiting access to the purchaser’s representatives only; and
  • Contractually requiring that all personal information be returned or destroyed after the due diligence process.
• Technical restrictions within the data room, such as:
  • Only allowing purchasers to inspect, but not copy, personal information;
  • Restricting data room access;
  • Monitoring access to the data room; and
  • Encrypting/locking data room files.

Our next article will discuss the privacy considerations that may arise for vendors when structuring the sale of a business.

 

---