Sale of personal information by businesses
Businesses routinely store the personal information of customers and clients. At some stage a business may wish to sell this information. This could be as part of the sale of the business or a separate sale of a client database. Depending on the circumstances, a business may have to consider its legal obligations under the Privacy Act 1988 (Cth) (‘Privacy Act’).
What is ‘personal information’?
Personal information is defined under the Privacy Act as any information or opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
Common examples of personal information include names, addresses, telephone numbers, dates of birth, medical records and bank account records.
Is your business trading in personal information?
A business is ‘trading’ in personal information if it collects from, or discloses to, someone else an individual’s personal information for a benefit, service or advantage.
A business that sells customer information is therefore ‘trading in personal information’ for the purposes of the Privacy Act. Examples of trading in personal information include a business selling its customer list to a marketing company, or a business exchanging a customer list with another business.
If a business wishes to sell personal information, such as client or customer lists or records, it will only be able to do so if:
- it has the consent of the individuals concerned prior to the sale; or
- the sale of personal information is authorised by law.
However, a transaction involving the sale of an entire business (not just the sale of a personal information database) is not considered ‘trading in personal information’. The ownership of the business will have changed hands, but the business will not have given personal information to anyone outside the business. In this scenario the business will not be subject to the Privacy Act obligations that apply to the sale of personal information.
When does the exemption for small businesses apply?
If a business is a ‘small business’ for the purposes of the Privacy Act (i.e. with an annual turnover of $3 million or less), it is exempt from the Privacy Act. However, certain businesses must comply with Privacy Act obligations regardless of their turnover. These include:
- health service providers;
- small businesses related to larger corporations;
- small businesses trading in personal information (e.g. buying or selling a mailing list);
- small businesses that are Commonwealth contracted service providers; and
- small businesses operating residential tenancy databases.
To check whether you need to comply, you can complete the Office of the Australian Information Commissioner’s Privacy checklist for small business, or seek advice from your industry association or lawyer.
How does a business comply with personal information obligations?
First of all, you need to understand whether the Privacy Act applies to your business and then you need to determine whether you are collecting and storing personal information. If you are planning on selling personal information, you need to make sure that you have the consent of the individual or authorisation by law.
If your small business is covered by the Privacy Act, you will have to comply with the Australian Privacy Principles. You can find out more information about your Privacy Act obligations from the Office of the Australian Information Commissioner.
The Corporate and Commercial team at Panetta McGrath can assist businesses in understanding their obligations under the Privacy Act.