Due diligence personal information

Personal information may be disclosed by a vendor of a business (vendor organization) to prospective purchasers of that business (prospective purchaser organizations), for the purposes of due diligence investigations. Such disclosure will occur before the sale has been completed (that is, at a time when the relevant contract has not yet been signed, or is still conditional upon completion of investigations).

Information involved in due diligence

Generally, during a due diligence investigation, prospective purchaser organizations, their lawyers, financial advisers and corporate advisers will review information (including personal information) relating to the business of the vendor organization, including:

  • contracts with trading partners and business associates; for example, agreements with subcontractors, joint venture or partnership agreements, supply agreements, purchase agreements, distribution agreements, management agreements, fee share agreements, and other related party agreements. Some of these agreements will contain personal information (for example, business contact information about contact people in supplier companies);
  • information about the employees of the business. This may include review of some individual employee records (for example, relating to key executive staff, or key service personnel), or may involve review of aggregated information about the employees of the business, such as de-identified information about leave entitlements and long service leave entitlements. Other information relating to employees may include time and wages records, records of employee claims, enterprise bargaining agreements, details of trade unions of which employees are members, applicable state and federal awards and agreements with employees containing material provisions (such as compensation for loss of office, or payment of any bonuses or profit shares);
  • customer information, which will generally be limited to aggregated statistical non-personal information about the vendor's customer base, but may sometimes contain personal information about customers; and
  • financial information.

The amount of personal information that needs to be disclosed during a due diligence exercise will depend on the nature of the business being sold. For example, if the value of a business is directly linked to the expertise of its staff, then it may be necessary to disclose more personal information about those staff during the due diligence process than would otherwise be the case.

Disclosure of personal information about employees

The Privacy Act exempts personal information about employees from coverage where the act or practice concerning the information relates to the employment relationship. [5] However, actions in relation to the employee records taken by a prospective purchaser organization will not fall within the employee record exemption (unless and until the prospective purchaser organization becomes the employer of the relevant individual).

Where the vendor organization discloses personal information about employees, the disclosure will fall within the employee record exemption if the information disclosed directly relates to a current or former employment relationship between the employer and the individual and to the employee record held by the organization. The disclosure must also relate directly to such employment relationship. Examples would be where the disclosure is necessary to enable the prospective purchaser to assess whether or not to employ particular individuals from the vendor organization. If information is provided about contractors or employees of other related organizations, it will not fall within this exemption.

The Commissioner encourages vendor organizations always to consider whether disclosure of aggregated information relating to their employees is adequate for due diligence purposes regardless of whether the exemption might apply.

Tips for compliance - vendor organizations

The Commissioner expects vendor organizations to take reasonable steps to protect personal information they disclose to prospective purchasers from unlawful access, modification, use or disclosure. The steps which are reasonable will depend on the circumstances and may involve the organizations considering a number of due diligence protocols including:

  • Ensuring that, wherever possible and appropriate, a prospective purchaser only inspects documents rather than keeping copies;
  • Ensuring that it only discloses personal information that is necessary for the prospective purchaser organization to carry out its investigations;
  • Ensuring personal information is de-identified if access to identifiable information is not necessary for a prospective purchaser's assessment of the business (for example, providing totals of accrued employee benefits instead of detailed lists);
  • Restricting who has access to the personal information (for example, to a limited number of management staff of the prospective purchaser organization and their advisers);
  • If practicable, not allowing the prospective purchaser to copy personal information;
  • Requiring that the personal information is only used for the purposes of due diligence until completion of the sale;
  • Requiring that the personal information is protected by the prospective purchaser and its advisers in terms of data security; and
  • Requiring that any personal information collected by the prospective purchaser is returned or destroyed after completion of due diligence (including any copies).

Due diligence - prospective purchaser's obligations when collecting personal information about employees, trading partners, business associates, customers, or contractors

As noted above, it may be necessary for a prospective purchaser to review personal information (possibly including sensitive information) held by the vendor organization. This paragraph applies to the collection of sensitive information and other personal information.

Inspecting records of personal information during a due diligence exercise may not require the 'collection' of personal information by the inspecting party / prospective purchaser organization (prospective purchaser). If it is not necessary for the prospective purchaser to do anything except inspect records and make a note of the fact that the records have been inspected (without recording the details of particular personal information), then it has not 'collected' the personal information for the purposes of the Privacy Act (because no personal information is 'held in a record' by the prospective purchaser).

Since due diligence investigations must be conducted confidentially to protect the interests of the organizations involved, the Commissioner takes the view that, even if personal information is recorded by a prospective purchaser, it would generally be reasonable at this time for the prospective purchaser organization to take no steps to advise the individual about whom personal information is collected of the matters. However, taking no steps would only be reasonable where the prospective purchaser organization decides not to proceed with the purchase of the business, and returns or destroys all records of personal information to the vendor organization.

It is expected that in only limited circumstances would an organization need to collect sensitive information in the course of a due diligence process. In many cases, it should be possible to achieve the due diligence purpose either by not recording information or by using de-identified information. In other cases, it may be possible to imply an individual's consent to such collection. However, where these options are not possible or will not meet the due diligence needs of the prospective purchasing organization, the organization will need to get the individual's consent.

Tips for compliance - prospective purchaser:

The Commissioner expects prospective purchaser organizations to take reasonable steps to protect the personal information they collect from vendor organizations in the course of due diligence from unlawful access, modification, use or disclosure. The steps which are reasonable depend on the circumstances and may involve the following:

  • where appropriate, only inspecting and not 'collecting' the personal information;
  • only inspecting or collecting the personal information that is necessary to make the appropriate investigations;
  • if it is practicable, not taking copies of personal information;
  • restricting access to personal information collected from vendor organizations to those persons who need to make the appropriate investigations;
  • only using the personal information collected during due diligence for due diligence purposes until the sale is completed;
  • if the sale is not completed, returning the personal information to the vendor, or destroying it, when the due diligence process is completed; and
  • complying with relevant due diligence protocols as required by the vendor (see tips for compliance - vendor).

A properly conducted Due Diligence Search can benefit both seller and buyer and may lead to long-term relationships and business synergies.

All of us have at some stage in our lives been sold a "lemon" or have, after making a purchase that didn't quite meet our expectations, been coldly told "caveat emptor" or buyer beware! The only reassuring thing about this fact is that we are not alone - but the magnitude of the resulting fallout can differ enormously ranging from a slight annoyance to a complete catastrophe.

Unfortunately, the same is also true in business, and in particular in the buying, selling, licensing or franchising of Intellectual Property (IP) where the need to prevent a disappointing outcome or to militate against threats of negligence is in even sharper focus. But more than that, by taking some simple precautions, there is an opportunity to turn a good deal into a great investment, and to make significant savings or gains depending on which side of the transaction fence you belong to.

It is very common during the selling or licensing process to concentrate solely on the number crunching exercise and to overlook aspects that are equally, if not more important, such as: Who is the true owner of the IP? Is it still valid? Will the transfer of rights be exclusive?

So when undertaking a Due Diligence Investigation during a company merger, acquisition, takeover or sale; or when negotiating a license or franchise agreement; or when buying or selling a patent, trademark or copyright or other types of IP, a check list containing at least the following should be applied:

  • Discuss fully with your IP professional what it is that you think you are getting out of the transaction.
  • Understand what is being bought or sold, and your obligations to the buyer or seller.
  • Commission a full Independent Search on the ownership of the IP, the IP history and maintenance fees, or renewal fees to ensure that rights are still in force. Such a Search is important to confirm validity of the information being presented.
  • Request from the seller of the IP right details of other IP rights, which may affect or restrict your usage of the IP right in question.
  • Check out Copyright implications - who owns the literature, manuals, brochures, etc.
  • Ascertain if there is any mortgage on the IP.
  • For patents, request details of any improvement patents that might exist.
  • Ascertain whether the IP is the subject of any litigation or infringement suits.
  • Understand and request details of all significant timelines involved with the IP such as the duration of the license.
  • Request details on significant third parties and

Always, always ensure that the seller is entitled to sell the IP.