Clever Use of the Power to Order Pre-Action Discovery
The New South Wales Supreme Court has ordered Channel Nine to provide a draft story to a plaintiff…
This article is the third in a series of articles from Hamilton Locke’s IP and Technology team called “Technology Law Insights”. You can read the first article in the series here. Stay tuned for regular updates and commentary on topical issues across the sector.
* * *
The Privacy Act: Considerations for Vendors in Business Sales
When offering a business for sale, a question often arises as to whether the Privacy Act 1988 (Cth) (the Act) prevents the vendor from providing copies of its business records to prospective purchasers.
Our previous article outlined the relevant organisations that may be caught by the Act and summarised their obligations. This article examines some of the privacy risks vendors face during the due diligence process. Addressing these risks before commencing the sale process will lead to a more efficient, cost-effective and straightforward transaction.
What privacy considerations should vendors be aware of?
For many businesses, some of their most valuable assets can be their databases of personal information. Most sales will involve some form of due diligence process through which the prospective purchaser(s) will review the vendor’s records. If there is any personal information in these records (such as in marketing databases, or as contained in key customer and supplier contracts) this will be a ‘disclosure’ of personal information under the Act.
For this reason, it is best to provide aggregated or de-identified information to purchaser(s). However, if this is not possible, the vendor must satisfy itself it has the appropriate consents from the affected individuals and has taken the necessary steps to protect that personal information, as set out below.
Does a vendor need consent to disclose personal information during the due diligence process?
In short, yes. However, the vendor may be able to establish this consent:
The vendor would only need to seek specific consent from the affected individuals if it cannot meet either of the options above.
If a purchaser is based overseas, the vendor must also comply with Australian Privacy Principle 8, which requires the vendor to:
What steps should a vendor take to protect personal information during the due diligence process?
Even with consent to the disclosure, the vendor must still take reasonable steps to protect personal information from misuse, loss, unauthorised access and unauthorised disclosure. This may include:
Our next article will discuss the privacy considerations that may arise for vendors when structuring the sale of a business.