We were at a meeting recently when some surprise was expressed that there were privacy issues associated with the purchase of another business’s data base of customers.

Every business has a data base whether it is individual computer files, a software program or even filing cabinets full of folders.

And every data base which contains personal information about customers is potentially regulated by the Privacy Act, regardless of whether you got the information from the customer or another source.

The Privacy Act sets out how information you collect from customers can be used, stored and provided to others.

There are special rules if the information is “sensitive” (eg health information”).

The Privacy Principles (which will change from 12 March 2014) set out how you can use your data base for direct marketing (whether by you or someone else).

And if any of your customers’ information is stored or processed overseas (“big data” in “the cloud”) then you are accountable for ensuring that the data is handled overseas in accordance with the provisions of the Privacy Act. Normally this would involve you entering into a contractual relationship with an overseas recipient.

If you use a third party service and you don’t know where they store or process your information you must find out and tell your customers in a privacy notice.

Your customers are entitled to know what information you have about them.

If your business processes have changed in the last 5-10 years then it is time to think about the privacy implications.