Technology Law Insights: The Australian Privacy Act and Due Diligence for Vendors

This article is the third in a series of articles from Hamilton Locke’s IP and Technology team called “Technology Law Insights”. You can read the first article in the series here. Stay tuned for regular updates and commentary on topical issues across the sector.

* * *

The Privacy Act: Considerations for Vendors in Business Sales

When offering a business for sale, a question often arises as to whether the Privacy Act 1988 (Cth) (the Act) prevents the vendor from providing copies of its business records to prospective purchasers.

Our previous article outlined the relevant organisations that may be caught by the Act and summarised their obligations. This article examines some of the privacy risks vendors face during the due diligence process. Addressing these risks before commencing the sale process will lead to a more efficient, cost-effective and straightforward transaction.

What privacy considerations should vendors be aware of?

For many businesses, databases of personal information can be among their most valuable assets. Most sales will involve some form of due diligence process through which the prospective purchaser(s) will review the vendor’s records. If these records contain any personal information (such as in marketing databases, or in key customer and supplier contracts), providing them to a prospective purchaser will be a ‘disclosure’ of personal information under the Act.

For this reason, it is best to provide aggregated or de-identified information to purchaser(s). However, if this is not possible, the vendor must satisfy itself that it has the appropriate consents from the affected individuals and has taken the necessary steps to protect that personal information, as set out below.

Does a vendor need consent to disclose personal information during the due diligence process?

In short, yes.  However, the vendor may be able to establish this consent:

The vendor would only need to seek specific consent from the affected individuals if it cannot meet either of the options above.

Disclosure overseas

If a purchaser is based overseas, the vendor must also comply with Australian Privacy Principle 8, which requires the vendor to:

  • Ensure the purchaser does not breach the Australian Privacy Principles; or
  • Satisfy itself the purchaser is bound by a similar scheme which can be enforced; or
  • Expressly inform the affected individuals of the intended disclosure and obtain their consent. This could significantly delay the due diligence process, so it should be used as a last resort.

What steps should a vendor take to protect personal information during the due diligence process?

Even with consent to the disclosure, the vendor must still take reasonable steps to protect personal information from misuse, loss, unauthorised access and unauthorised disclosure. This may include:

  • Legal restrictions, such as:
    • Confidentiality or non-disclosure deeds with the potential purchaser;
    • Limiting access to the purchaser’s representatives only; and
    • Contractually requiring that all personal information be returned or destroyed after the due diligence process.
  • Technical restrictions within the data room, such as:
    • Only allowing purchasers to inspect, but not copy, personal information;
    • Restricting data room access;
    • Monitoring access to the data room; and
    • Encrypting/locking data room files.

Our next article will discuss the privacy considerations that may arise for vendors when structuring the sale of a business.


If you require any assistance relating to privacy, personal information and the sale of your business, please contact Sarah Gilkes (Partner) or Ben Cameron (Senior Associate).