Information Sheet 16-2002: Application of Key NPPs to Due Diligence and Completion when Buying and Selling a Business

PDF, Word

Background

This Information Sheet is designed to help organisations involved in the sale and purchase of a business to comply with their obligations under the Privacy Act 1988 (Cth) (the Privacy Act). The Information Sheet was developed in collaboration with the Law Council of Australia.

Sales of businesses are generally structured as either an asset sale, or an entity sale (that is, a sale of shares). The sale of a business may involve the disclosure and collection of a number of different types of personal information including:

  • employee information;
  • customer information;
  • trading partners / business associates information;
  • marketing files.

If the personal information is 'sensitive' it may attract additional protection under the Privacy Act [1]

How the Privacy Act applies to due diligence and completion of a sale may be affected by issues other than the National Privacy Principles (NPPs) in the Privacy Act. For example, if the personal information involved is credit-related information, Part IIIA of the Privacy Act may apply to it. Also, if the information is about employees, the employee records exemption may apply. In some cases, the small business exemption and the exceptions to the exemption may have an impact on a vendor's or a purchaser's obligations (see Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions for information about the exemptions). However, this Information Sheet focuses mainly on the way the NPPs apply.

Also, this Information Sheet assumes that the reader is familiar with the NPPs and the Privacy Commissioner's Guidelines and other Information Sheets. If you have not read these they can be found at www.privacy.gov.au. [2]

Due diligence

Personal information may be disclosed by a vendor of a business (vendor organisation) to prospective purchasers of that business (prospective purchaser organisations), for the purposes of due diligence investigations. [3] Such disclosure will occur before the sale has been completed, (that is, at a time when the relevant contract has not yet been signed, or is still conditional upon completion of investigations).

Information involved in due diligence

Generally, during a due diligence investigation, prospective purchaser organisations, their lawyers, financial advisers and corporate advisers will review information (including personal information) relating to the business of the vendor organisation, including:

  • contracts with trading partners and business associates; for example, agreements with subcontractors, joint venture or partnership agreements, supply agreements, purchase agreements, distribution agreements, management agreements, fee share agreements, and other related party agreements. Some of these agreements will contain personal information (for example, business contact information about contact people in supplier companies);
  • information about the employees of the business. This may include review of some individual employee records (for example, relating to key executive staff, or key service personnel), or may involve review of aggregated information about the employees of the business, such as de-identified information about leave entitlements and long service leave entitlements. Other information relating to employees may include time and wages records, records of employee claims, enterprise bargaining agreements, details of trade unions of which employees are members, applicable state and federal awards and agreements with employees containing material provisions (such as compensation for loss of office, or payment of any bonuses or profit shares);
  • customer information, which will generally be limited to aggregated statistical non-personal information about the vendor's customer base, but may sometimes contain personal information about customers; and
  • financial information.

The amount of personal information that needs to be disclosed during a due diligence exercise will depend on the nature of the business being sold. For example, if the value of a business is directly linked to the expertise of its staff, then it may be necessary to disclose more personal information about those staff during the due diligence process than would otherwise be the case.

Disclosure and collection of information in the course of due diligence - NPP obligations

Where due diligence processes involve the handling of personal information, including sensitive personal information, organisations subject to the Privacy Act will need to comply with the NPPs. [4]

During due diligence investigations, a vendor organisation:

  • cannot disclose personal information unless the disclosure is permitted under NPP 2; and
  • must consider the requirements of NPP 4 (data security) when personal information is disclosed, and conduct the sale transaction in a way that reasonably protects the privacy of the individuals whose personal information has been disclosed.

During due diligence investigations, a prospective purchaser organisation:

  • must consider its obligations in relation to the collection of personal and sensitive information (NPP 1 and NPP 10); and
  • must be aware that there may be limitations on how it can use and disclose that information (NPP 2), and that it may need to comply with reasonable restrictions imposed by the vendor organisation.

Due diligence - vendor's obligations when disclosing to prospective purchaser

It may sometimes be necessary for a vendor organisation to disclose personal information to a prospective purchaser organisation in the course of a sale of business.

For instance, the vendor organisation will need to disclose preliminary information to enable prospective purchaser organisations to conduct due diligence investigations. To ensure that such disclosures are not misleading or deceptive under section 52 of the Trade Practices Act 1974 (Cth) or section 1041H of the Corporations Act 2001 (Cth) the information provided must not be incomplete. A vendor organisation may consider it needs to disclose certain personal information to meet these obligations, particularly if the personal information is important to a prospective purchaser organisation's decision about whether to buy a business and for how much.

The vendor organisation may disclose personal information if the disclosure is permitted under NPP 2. In most cases, the vendor organisation's disclosure would be directly related to the primary purpose of collecting the information and within the individual's reasonable expectations, so that NPP 2 would not require the vendor to get the individual's consent before disclosing the information to the prospective purchaser.

Disclosure of personal information about employees
The Privacy Act exempts personal information about employees from coverage where the act or practice concerning the information relates to the employment relationship. [5] However, actions in relation to the employee records taken by a prospective purchaser organisation will not fall within the employee record exemption (unless and until the prospective purchaser organisation becomes the employer of the relevant individual).

Where the vendor organisation discloses personal information about employees, the disclosure will fall within the employee record exemption if the information disclosed directly relates to a current or former employment relationship between the employer and the individual and to the employee record held by the organisation. The disclosure must also relate directly to such employment relationship. Examples would be where the disclosure is necessary to enable the prospective purchaser to assess whether or not to employ particular individuals from the vendor organisation. If information is provided about contractors or employees of other related organisations, it will not fall within this exemption.

The Commissioner encourages vendor organisations always to consider whether disclosure of aggregated information relating to their employees is adequate for due diligence purposes regardless of whether the exemption might apply.

Disclosure of personal information about trading partners, business associates, customers, contractors
In most cases, disclosures of information about trading partners, business associations, customers or contractors during due diligence investigations would be for a purpose related to the primary purpose of collection and would reasonably be expected by the individual (having regard to standard business practice). Therefore, in most cases, the Commissioner's view is that disclosure by a vendor organisation for the purpose of the sale of its business will be permitted under NPP 2.1(a).

However, as set out below, the Commissioner expects vendor organisations to impose restrictions on the handling of personal information by prospective purchaser organisations which aim to protect the privacy of the relevant individuals.

Tips for compliance - vendor organisations

The Commissioner expects vendor organisations to take reasonable steps to protect personal information it discloses to prospective purchasers from unlawful access, modification, use or disclosure. The steps which are reasonable will depend on the circumstances and may involve the organisations considering a number of due diligence protocols including:

  • " ensuring that, wherever possible and appropriate, a prospective purchaser only inspects documents rather than keeping copies;
  • " ensuring that it only discloses personal information that is necessary for the prospective purchaser organisation to carry out its investigations;
  • " ensuring personal information is de-identified if access to identifiable information is not necessary for a prospective purchaser's assessment of the business (for example, providing totals of accrued employee benefits instead of detailed lists);
  • " restricting who has access to the personal information (for example, to a limited number of management staff of the prospective purchaser organisation and their advisers);
  • " if practicable, not allowing the prospective purchaser to copy personal information;
  • " requiring that the personal information is only used for the purposes of due diligence until completion of the sale;
  • " requiring that the personal information is protected by the prospective purchaser and its advisers in terms of data security, and
  • " requiring that any personal information collected by the prospective purchaser is returned or destroyed after completion of due diligence (including any copies).

Due diligence - prospective purchaser's obligations when collecting personal information about employees, trading partners, business associates, customers, or contractors

As noted above, it may be necessary for a prospective purchaser to review personal information (possibly including sensitive information) held by the vendor organisation. This paragraph applies to the collection of sensitive information and other personal information.

Inspecting records of personal information during a due diligence exercise may not require the 'collection' of personal information by the inspecting party / prospective purchaser organisation (prospective purchaser). If it is not necessary for the prospective purchaser to do anything except inspect records and make a note of the fact that the records have been inspected (without recording the details of particular personal information), then it has not 'collected' the personal information for the purposes of the Privacy Act (because no personal information is 'held in a record' by the prospective purchaser).

Since due diligence investigations must be conducted confidentially to protect the interests of the organisations involved, the Commissioner takes the view that, even if personal information is recorded by a prospective purchaser, it would generally be reasonable at this time for the prospective purchaser organisation to take no steps under NPP 1.5 to advise the individual about whom personal information is collected of the NPP 1.3 matters. However, taking no steps would only be reasonable where the prospective purchaser organisation decides not to proceed with the purchase of the business, and returns or destroys all records of personal information to the vendor organisation.

It is expected that in only limited circumstances would an organisation need to collect sensitive information in the course of a due diligence process. In many cases, it should be possible to achieve the due diligence purpose either by not recording information or by using de-identified information. In other cases, it may be possible to imply an individual's consent to such collection. However, where these options are not possible or will not meet the due diligence needs of the prospective purchasing organisation, the organisation will need to get the individual's consent in order to comply with NPP 10.

Tips for compliance - prospective purchaser:

The Commissioner expects prospective purchaser organisations to take reasonable steps to protect the personal information they collect from vendor organisations in the course of due diligence from unlawful access, modification, use or disclosure. The steps which are reasonable depend on the circumstances and may involve the following:

  • " where appropriate, only inspecting and not 'collecting' the personal information;
  • " only inspecting or collecting the personal information that is necessary to make the appropriate investigations;
  • " if it is practicable, not taking copies of personal information;
  • " restricting access to personal information collected from vendor organisations to those persons who need to make the appropriate investigations;
  • " only using the personal information collected during due diligence for due diligence purposes until the sale is completed;
  • " if the sale is not completed, returning the personal information to the vendor, or destroying it, when the due diligence process is completed; and
  • " complying with relevant due diligence protocols as required by the vendor (see tips for compliance - vendor).

Completion

At completion, if the sale is a sale of assets, personal information will need to be transferred to the purchaser organisation to enable it to conduct the business. If the sale is the sale of shares in a company, there will be no transfer of personal information as the personal information is already located in the company which has been acquired. This section applies the NPPs in the 'sale of assets' scenario.

Completion - vendor's obligations when disclosing to purchaser organisation

Disclosure of personal information about employees
The Commissioner considers that disclosure of information about employees on completion of a sale would generally be directly related to the employment relationship and so would be exempt from the Privacy Act. However, if the disclosure is not directly related to the employment relationship, the vendor would need to ensure that the disclosure is permitted by one of the provisions of NPP 2.

Disclosure of personal information about trading partners, business associates, customers, contractors
If the vendor organisation is satisfied (for example, by means of provisions in the contract of sale) that the new business will continue to provide essentially the same goods or services as the business that it provided prior to the sale, it could proceed with disclosure to the purchaser of the business (the purchaser organisation) on the grounds that it is consistent with the primary purpose of collection.

Where this does not apply, disclosure may be permitted if it can be shown that disclosure of personal information to the purchaser organisation is made for a purpose related to the primary purpose of collection and reasonably expected by the individuals concerned. For example, if the assets of the business include premises owned by the business which is subject to a lease and the organisation holds personal information about the tenant, the information will have been collected for the primary purpose of leasing the premises to the tenant. When the premises are sold the disclosure of personal information about the tenant to the new owner will be necessary to continue the lease. A similar result is likely to follow in the circumstances where contractual rights are assigned by the vendor organisation to the purchaser organisation.

Another example is the transfer of personal information in customer transaction histories. Disclosure to the purchaser organisation might not be necessary for the primary purpose of collection. However this information may be necessary for the purchaser organisation to plan its resourcing to meet future orders. This purpose is closely related to the primary purpose, and an individual would reasonably expect that when a business is sold, the information would be passed to the purchaser organisation, particularly where the purchaser is continuing to provide the same goods or services.

By contrast, where a business is not sold as a going concern, or the purchaser organisation contemplates significant changes to the character or operations of the business, the vendor organisation will need to give very close consideration to the question of whether a proposed disclosure is permitted under NPP 2.1. This will depend on the circumstances in which the vendor organisation originally collected the personal information and an objective analysis of what the relevant individuals would 'reasonably expect'. If the disclosure would fall outside what the relevant individuals would reasonably expect, the vendor organisation must get individuals' consent before disclosing the personal information.

Tips for compliance - vendor organisations

The transfer of customer information raises some of the most significant privacy concerns in sale of business circumstances. Particularly where a transfer of customer information would result in changes to the way the information is used or disclosed, vendor organisations would need to get customer consent for the disclosure rather than rely on customers' reasonable expectations.

Completion - purchaser organisation obligations on transfer when buying a business

Where a purchaser organisation acquires personal information through buying a business, its proposed uses or disclosures of the personal information will be limited by the NPPs. The primary purpose of collection remains the same as that which applied before the ownership of the business changed. This would be the case even if a related body corporate of a purchaser organisation seeks to collect newly acquired personal information from the purchasing organisation. Uses or disclosures of personal information for purposes unrelated to the pre-purchase primary purpose would generally require getting individuals? consent.

For example, where a business is not sold as a going concern or the purchaser organisation contemplates significant changes to the character or operations the purchaser would need to get consent for any proposed new uses or disclosures (unless the vendor has already done so).

However, if the purchaser organisation uses or discloses an individual's personal information in its new capacity as the owner of the business sold by the vendor organisation in a manner that is consistent with NPP 2 taking into account the pre purchase primary purpose of collection, then there is no requirement to inform, or seek consent from, the individual.

Completion - purchaser organisation?s obligations when collecting personal information

Collection of personal information about employees
When the purchaser organisation acquires personal information about employees the employee record exemption would apply once the organisation becomes the employer of the employees.

Collection of personal information about trading partners, business associates, customers, contractors
Where a purchaser organisation acquires personal information as the assets of a business (rather than by means of acquiring shares in the business) it will be collecting personal information from the vendor organisation.

If the purchaser organisation collects sensitive information on completion of a sale of assets, the purchasing organisation will need to give close consideration to whether collecting the personal information is permitted under NPP 10. In most cases, the purchasing organisation will need each individual's consent to be able to collect the personal information in these circumstances.

To meet the requirements of NPP 1.5, the purchaser organisation will need to take steps that are reasonable in the circumstances to inform the individuals concerned of NPP 1.3 matters. The exact steps the purchaser must take will need to be determined in each particular case. In considering what constitutes 'reasonable steps' factors to be taken into account include the privacy implications for the individual of not being informed of the relevant information and the cost to the organisation in providing that information.

In some circumstances the obligation to notify individuals may be satisfied easily. For example, if an asset sale agreement requires the vendor organisation to notify each party with whom the vendor organisation has contracts of the transfer of the business to the purchaser organisation it would be relatively easy for the vendor organisation to enclose the purchaser organisation's privacy statement with the notice (addressing the matters in NPP 1.3). The purchaser organisation could consider specific contractual provisions in the asset purchase agreement requiring the vendor organisation to co-operate with the purchaser organisation to satisfy its obligations under the Privacy Act.

In other cases, for example, where the purchase includes larger customer lists, the easiest way of satisfying this obligation may be to include a privacy notice with the next regular communication to the customer (for example, with the next account statement or a direct marketing letter). Other options to be considered could include a newspaper advertisement advising of the change of ownership which includes a brief privacy statement with information about where to get more information.

About Information Sheets

Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)

Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.

Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.

Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner
ISBN 1 - 877079 - 43 - X
Privacy Hotline 1300 363 992 (local call charge)

[1] For the definition of 'sensitive information' see section 6 of the Privacy Act, or the Key Concepts section of the Guidelines to the National Privacy Principles. For information about handling health information by health services see Guidelines on Privacy in the Private Health Sector.
[2] They include Guidelines to the National Privacy Principles, Guidelines on Privacy in the Private Health Sector and Information Sheets on a range of topics.
[3] 'Due diligence' is the term used to describe the process that a prospective purchaser of a company goes through to assess the value of an organisation, or an asset of an organisation and to assess the prospective liabilities involved in such a purchase.
[4] See the Privacy Commissioner's Guidelines to the National Privacy Principles and Information Sheets for general guidance.
[5] See Information Sheet 12: Coverage of and Exemptions from the Private Sector Provisions.

Return