Privacy obligations: sale of business and the insolvency practitioner (Part 1)

This article was initially published in the Lexis Nexis Privacy Law Bulletin, January 2024 (Vol 20 No 9).

Extract

This Part 1 of two articles considering privacy obligations of insolvency practitioners in relation to sale or other disposal of a business, considers what personal information is held by businesses and outlines privacy watchpoints in relation to an ordinary sale. It also introduces the particular privacy hazards for insolvency practitioners and how the ARITA Code of Ethics addresses use of information. Part 2 of the article (to follow) examines in detail the rights and obligations of the insolvency practitioner in relation to privacy protection.

Key Takeaway Points

• Insolvency practitioners have unique privacy obligations distinct from regular business sellers, even though both may fall under the Privacy Act
• They manage sensitive information held by distressed companies and individuals, including data classified as ‘personal information’ under privacy laws.
• These practitioners wield powers under the Corporations Act 2001 that impact individuals’ privacy.
• Legal advisors for both business buyers and insolvency practitioners should inform their clients about their specific privacy obligations.

Introduction

Business insolvencies in Australia have increased significantly over 2023.[i] These included the high-profile demise of builders such as Porter Davis Homes, and trucking and delivery services such as Scott’s Refrigerated Logistics, Deliveroo and Milkrun. This trend is expected to increase in 2024.

Such “distressed” businesses hold significant amounts of personal information relating to their customers, suppliers, directors, officers, other workers and additional stakeholders. Consumer delivery services, for example, could hold customer names, addresses (including emails), payment information, order and geolocation data as well as their corporate data.[ii] They may also hold personal information concerning trade debtors and creditors of the failed firm. Currently these firms may not be subject to the Privacy Act 1988 (Privacy Act), if for example the business falls within the small business exemption.

Further, not all insolvency firms are ‘APP entities’ under the Privacy Act and subject to the relevant obligations.[iii] If they are not they may have limited day-to-day awareness of privacy issues even if the business over which they are appointed is an APP entity.  If an insolvency firm is appointed, the data it collects in the course of its business adds a further layer of complication to appropriate information handling within the insolvency firm.

Where possible, upon appointment, the insolvency practitioner will attempt to sell the company’s business. Many firms commence appointments by taking a copy of the distressed company’s database and IT systems and then, from this information, develop their own databases for the purposes of the insolvency administration, employee, other creditor and debtor lists being a requirement of insolvency administration.

In light of this significant collection and handling of personal information, both ordinary business buyers and insolvency firms and the entities they are appointed over should be aware of their privacy obligations. These may arise under the Privacy Act but also under other legislation and industry regulation such as the ARITA[iv] Code of Ethics discussed below, according to each business’s individual circumstances. Buyers and insolvency practitioners must ensure the careful handling of both personal information they are holding and personal information in transit during sale or other disposal of a business. Their own risk management frameworks should reflect the principles and processes this careful handling entails, since there can be significant penalties for breach.

We recommend that insolvency practitioners review the following expectations under the Privacy Act as a stepping off point for responsible information handling during the course of their business.

A recap on privacy and ‘ordinary’ sale of a business

The Privacy Act regulates the way ‘APP entities’ must handle personal information.[v] This will include the collection, use and disclosure of personal information in the course of selling a business. If the business being sold is covered by the Privacy Act then both the vendor and any prospective buyer must take care to protect individuals’ privacy rights. However, if the business is a small business – that is, has annual turnover of less $3 million – then at present it generally will not be covered by the Privacy Act unless an exception to the small business exemption applies, notably if the small business trades in personal information.[vi]

Vendor obligations

Many vendors will be covered by industry-specific legislation that mandates the information relating to their business that must be made publicly available, as for example under the Franchise Disclosure Register.[vii] However, generally information required to be published does not constitute personal information.

Before sale, during the due diligence process when potential buyers may seek additional information that is not publicly available, vendors that are APP entities should only provide prospective buyers with personal information if that provision would be consistent with the vendor’s privacy obligations in respect of use or disclosure.

Few individual data subjects would expect their personal information to be used or disclosed to a prospective purchaser, and it is unlikely that this use or disclosure of information would be related to the purpose for which it was collected, such as enquiring about building a home or buying a takeaway meal. Accordingly, while vendors should be able to provide prospective buyers with relevant financial information and contractual documents, only aggregated information about employee entitlements or statistical customer information may be provided.

Where disclosure, absent consent and without deidentification, cannot be avoided, vendors may also seek to minimise potential privacy impacts on individuals by legal and physical measures such as:

• Inclusion of privacy clauses in confidentiality agreements between vendor and prospective buyers; and
• Using a hardcopy data room rather than a virtual one and only making information available for inspection for a limited time, preferably on the vendor’s premises, with no copying permitted.

Prospective buyer obligations

Prospective buyers, whether or not they are covered by the Privacy Act, should also aim to handle personal information in ways that protect individuals’ privacy.

First, if they are given access to personal information, they should avoid ‘collecting’ it by means including copying or taking notes of the contents of documents. Simply viewing the information would not be considered ‘collecting’ it.

If a prospective buyer does wish to collect personal information made available by a vendor, and both are APP entities, the prospective purchaser will be bound by the Australian Privacy Principles (APPs). Lawyers advising buyers should ensure that they have a justifiable reason for collecting personal information during due diligence, in light of APP 3.2 which states:

If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities.

While insolvency practitioners may have little difficulty demonstrating reasonable necessity by reason of, for example, the legal requirement that they identify creditors and levels of indebtedness[viii] (including unpaid wages), prospective buyers may need assistance in distinguishing between actual necessity and preference in respect of certain personal information sought.

Legal advisers should also remind clients that at the conclusion of the due diligence process, and if personal information is no longer required by or under law or by court or tribunal order, they should take reasonable steps to destroy or deidentify any personal information that has been collected, in accordance with APP 11.2.

Of course, prospective buyers are also bound by the privacy clauses of any confidentiality agreement entered into with the vendor.

Privacy hazards and pitfalls for insolvency practitioners

• Do insolvency practitioners face different privacy hazards from those of the ordinary business buyer of a company?
• What are the pitfalls?

Insolvency practitioner clients have told us they’re looking for guidance on how to navigate or reconcile laws governing privacy, data protection and confidentiality with their business obligations under the Corporations Act 2001 (CA), particularly those relating to coercive powers. Some also want practical guidance on how to operationalise relevant high-level requirements of the ARITA Code of Ethics (the Code).

The Code offers high level guidance by way of general principle. The Code’s clause 5.17, Use of Information, provides:

Members must use information obtained in the conduct of their Professional Services appropriately.

1. Members who acquire confidential or personal information must not use that information for any purpose other than the purpose it was properly obtained or in accordance with the law.

This requirement is consistent with APP 6.  It may be particularly material where a practitioner has information collected through one appointment that could be of consequence in connection with another separate and independent appointment (and indeed, where information already held may be material to another appointment, that may also be a red flag regarding whether the proposed liquidator has a conflict that may preclude accepting the second appointment).

To avoid breach of both APP 6 and clause 5.17, practitioners may need to apply to a Court for guidance or approval. They should also consider whether the information they have collected is covered by a Harman undertaking, for example if it was collected through public examinations. Harman undertakings protect the interests of parties who are required by the coercive power of the courts to disclose their confidential and personal information.[ix] We discuss Harman undertakings further in Part 2 of this article.

But other than in clause 5.17, the Code is silent on the many other privacy considerations covered by the APPs. Therefore, in individual cases, insolvency practitioners may need to obtain specific privacy advice or be guided by additional authorities.

These include the Australian Financial Security Authority (AFSA), which provides guidance respecting personal insolvency (bankruptcy). Many of its points are of general application. So, in Inspector-General Practice Guideline 2,[x] practitioners are reminded that financial assets are not the only assets of value held on trust by a bankruptcy trustee and that information is also an asset that must be protected. The Inspector-General’s expectations cover security and storage of information and administration records. Awareness of and adherence to the principles of Cyber Resilience, as promoted by the Australian Cyber Security Centre (ACSC)[xi], is strongly recommended.

Conclusion

The privacy obligations for an insolvency practitioner are substantially different from those of an ordinary business seller, though both may be subject to the Privacy Act. Part 2 of this article, to follow, is designed to help insolvency practitioners and their advisers to navigate the privacy obligations to which they may be subject, to promote the protection of individuals’ personal information while practitioners fulfill their responsibilities during the insolvency process.

[i] ‘Insolvencies surge by 17pc over a year’, Australian, 4 July 2023 p.15: ‘According to indicative Australian Securities & Investments data, there were 5520 administrations and liquidations nationally for the financial year ended June 30, 2023, a 17.2 per cent increase from 4710 the year before.’ ‘The worrying rise in corporate busts’, Financial Review, 17 October 2023.

[ii] Deliveroo collapse: What happens to customer, rider data and can it be deleted? | SBS News, 24 November 2022

[iii] Whilst insolvency appointments are made as personal appointments, the appointee’s firm and the firm over which it is appointed may be subject to the Privacy Act. Further, we note the provision at s 6C(2) whereby ‘A legal person can have a number of different capacities in which the person does things. In each of those capacities, the person is taken to be a different organisation [as defined in s 6C(1)].

[iv] Australian Restructuring Insolvency and Turnaround Association.

[v] APP entities are agencies or organisations.

[vi] OAIC guidance states that ‘the sale of a whole business is not trading in personal information’ whereas, for example, ‘buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial gain’, would be trading in personal information: see https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/organisations/trading-in-personal-information

[vii] See Corinne Attard, https://www.keypointlaw.com.au/keynotes/franchise-disclosure-register-what-franchise-buyers-need-to-know/

[viii]  The objective of liquidation is to identify and get in a company’s assets including debts owed to it and, where there is likely to be a dividend, identify its creditors and then distribute the company’s realised funds to those creditors in accordance with the priorities set out in the CA. Each step could potentially involve the collection and use of personal information although in many instances both creditors and debtors will be companies, not individuals. In the case of partly paid shares, the liquidator may be required to settle a list of contributories and where there is a surplus, make payment to the contributories in accordance with their interests.

[ix] Harman v Secretary of State for the Home Department [1983] 1 AC 280.

[x] https://www.afsa.gov.au/resource-hub/practices/practice-guidance/security-information-personal-insolvency-practitioners

[xi] See https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-principles   The ACSC is part of the Australian Signals Directorate.