
Media Release: Privacy Commissioner advises on due diligence


28 October 2002

"Business has asked me for advice on how the Privacy Act applies to personal information handled in the due diligence process. In some cases, this can involve disclosure and collection of substantial amounts of personal information. This Information Sheet answers the key privacy questions and gives businesses useful tips that will assist in compliance with the Privacy Act", said Mr Crompton, presenting Information Sheet 16-2002 - Application of key NPPs to due diligence and completion when buying and selling a business.

'Due diligence', the process that a prospective purchaser of a company goes through to assess the value of their prospective purchase, can involve the disclosure and collection of a number of different types of personal information, including:

  • employee information;
  • customer information;
  • trading partners / business associates information;
  • marketing files.

If you are selling a business, and a purchaser has requested a due diligence process, you'll need to take reasonable steps to protect personal information that you disclose. Steps that will help you do this are:

  • where possible and appropriate, try to provide the information by giving the purchaser access rather than by giving them copies;
  • only disclose personal information that is necessary for the prospective purchaser organisation to carry out its investigations;
  • de-identify personal information where possible (for example, providing totals of accrued employee benefits instead of detailed lists);
  • restrict access to the personal information to those directly involved in the prospective purchase (for example, a limited number of management staff and their advisers);
  • require the prospective purchaser to undertake that they will only use the personal information for the purposes of due diligence until completion of the sale, and that they will meet data security requirements of the Privacy Act; and
  • require the prospective purchaser to return or destroy any personal information they have collected in the process after completion of due diligence.

If you are buying a business and going through a due diligence process, you will also need to give consideration to privacy requirements. These tips will point you in the right direction:

  • where appropriate, just inspect rather than take the personal information with you;
  • limit your information requests to those necessary to make the appropriate investigations;
  • make sure only those people in your company and those advising the company that really need to see the information have access to it;
  • only use any personal information you do collect for the due diligence process;
  • return the personal information to the vendor, or destroy it if the sale is not completed; and
  • comply with relevant due diligence protocols as required by the vendor.

Once the sale has been agreed, the vendor and purchaser may need to advise those whose personal information is recorded in the company or asset being sold of the change in ownership, and possibly seek these individuals' consent if the information is going to be used for a purpose different to that for which it was collected, or is to be disclosed to different organisations. If the ownership of sensitive information, such as health information, is being transferred, then the consent of the individuals concerned will need to be sought.

Information sheet 16 on the Office of the Privacy Commissioner's website provides full advice on the issue.