If a small business is subject to the Privacy Act the vendor and potential purchasers will have to take care to protect individual's privacy rights in the due diligence process.

Vendors will need to comply with the National Privacy Principles. Disclosures of personal information are allowed if they are related to the reason the information was collected and within the reasonable expectations of the individuals concerned.

De-identified information should be provided where possible. Only personal information necessary to assessment of business should be disclosed. Generally, vendors would be able to disclose:

• financial information
• contractual documents with trading partners, suppliers and contractors
• information about key employees relevant to their employment relationship
• aggregated information about employee entitlements (long service leave etc)
• aggregated statistical customer information

Vendors should take reasonable steps to protect personal information. Privacy clauses should be included in confidentiality agreements with the prospective purchasers. Where possible, purchasers should only inspect and not copy documents. Personal information collected by the prospective purchaser should be returned or destroyed after completion of the due diligence.

For more information see Information Sheet 16-2002: Application of key NPPs to due diligence and completion when buying and selling a business.