If an individual's identity can be determined from business information, then this information is also personal information. If the organisation handling such information is covered by the Privacy Act (see information sheet 12) they will have to comply with the National Privacy Principles. In most circumstances, the Privacy Act does not restrict the normal flow of personal information relating to individuals acting in their business capacity (see NPP 2.1(a)).

In some situations, however, organisations may need to give consideration as to how they handle personal information collected in the business context. If the information is sensitive information, and the employee record exemption does not apply, businesses will need to obtain consent before collecting such information.

Businesses may also need to exercise care when using and disclosing personal information about sole traders. This is because the distinction between personal information relating to sole traders' businesses and their personal lives is likely to be less clear. The business using and disclosing personal information about a sole trader should consider the purpose for which they collected the information, and what the sole trader would reasonably expect (see NPP 2.1(a)).

Personal information may be used for any lawful purpose if the individual has given their consent. In many cases consent could be implied from the context of the business transaction.