Privacy law is rapidly expanding and impacting how businesses handle individuals’ personal information. We have previously discussed the Australian data breaches scheme and the impact of changes to EU privacy law on Australian businesses. This article will explore a Seller’s privacy obligations under the Privacy Act 1988 (the Act) in a business sale.

What are the obligations?

Trade in personal information commonly occurs when a business sells their customer list as a business asset or discloses personal information of their customers or third party contractors to potential purchasers during due diligence. If a business subject to the Act is trading personal information, they must obtain the concerned individuals’ consent before the trade is made.

Is your business subject to the Act?

All private health service providers must comply with the Act. Additionally, businesses in the private sector and organisations in the not-for-profit sector with an annual turnover of more than $3 million must comply.

A business with an annual turnover of less than $3 million will only be subject to the Act if they:

  • sell or purchase personal information;
  • are related to a larger body corporate that is subject to the Act, for instance if they are a subsidiary company;
  • provide services under a contract with the Australian Government;
  • are credit providers or credit reporting bodies; or
  • operate a residential tenancy database.

Practical recommendations

There are some practical steps you can take to ensure your business is compliant with the Act during due diligence.

Obtain consent

If you are the Seller and your business’s full data set (including personal information) is to be provided on settlement or earlier, you must first obtain the customer’s informed consent.

The consent process might include the Seller informing customers of the sale, the Buyer’s identity, proposed use of information and privacy policy, and seeking the required consent.


Any personal information database provided to the Buyer as part of due diligence should be depersonalised. Although this will diminish the value to the Buyer, it will enable the Buyer to make an assessment of the credibility of your business.