Due to a global Microsoft outage, we are experiencing technical difficulties that may make it hard to reach us.

Data segregation

Justin Fung, Avant Law - Partner, Head of Commercial & Corporate | General Manager

Monday, 5 December 2022

data segregation

Key takeaways

  • If you’re thinking about selling or buying a medical practice, identify as early as you can what data needs to be segregated and transferred as part of the transaction
  • Know your privacy obligations and what these mean in the context of the sale or purchase
  • Ensure that you have processes in place to get the segregated data safely and securely transferred

Given the recent increased levels of activity we have observed in the buying /selling of medical practices and the current intensive spotlight of privacy regulation (including in the health industry), the process of proper data segregation is an important one.

What is data segregation?

Data segregation is a process that ensures that only data which is relevant to the acquisition of a target business is managed, segregated and transferred to the acquiring entity.

Consideration of data segregation in any acquisition activities is vital, particularly in circumstances where the data which is held may be commingled with other, non-related data (which may not need to be transferred to the acquiring entity).

Why is data segregation important?

The successful segregation of data is particularly important for medical practices, as the personal information which is collected in the rendering of health services (including an individual’s name, date of birth, and address) is considered to be sensitive information for the purposes of compliance under the Privacy Act 1988 (Cth) (Privacy Act).

This information is consequently subject to a higher level of compliance, and the scope of its collection, use, management and disclosure is more constrained than it may otherwise be in other contexts.

Medical practices that are conducting mergers and acquisitions (M&A) transactions in buying or selling their practices must therefore take the upmost level of care inensuring they have appropriate data segregation safeguards in place, to not only ensure they comply with data protection laws, but also to preserve the quality and value of their collected data. It should be noted that amendments in the recently passed Privacy Legislation Amendment (Enforcement and OtherMeasures) Bill 2022 (which is currently awaiting royal assent) will increase the repercussions organisations in breach of privacy laws may face.

Under this bill, a contravention of the Privacy Act may result in a penalty of up to $50 million. The penalty will be calculated, if possible, to be worth three times the benefit the offending entity obtained from the breach, or otherwise to be30% of the adjusted turnover the entity earned, during the breach period.

What does this mean for me ?

While data segregation is often an ‘after thought’ in M&A transactions, data segregation should be considered as soon as a medical practice begins contemplating the undertaking of M&A activities, to ensure information is sufficiently protected and that you have complied with your obligations under the Privacy Act. The early consideration of data segregationis vital to ensure you have appropriately managed any risks arising from the obligations set out under the Privacy Act

Practically, we suggest that in acquiring a medical practice, buyers should consider:

  • identifying what data is necessary and required to be transferred as part of the acquisition, and what data can be left with the target entity;
  • taking steps to ensure the data which is to be acquired can be segregated from the data which is not required as early as possible (including any steps which may be required to ensure that data which is not intended to be acquired has not been inappropriately transferred);
  • implementing processes to ensure that any acquired data is appropriately managed and securely stored (including processes to address any in advertently obtained data as part of the acquisition process);and
  • taking steps to ensure that the collection, use and disclosure of any data which may be acquired follows the requirements set out in the Privacy Act.

We can help you

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113, or to organise a confidential discussion at a time that suits you, please click here 

About the author

Justin Fung

Justin Fung is a lawyer and the Head of Commercial and Corporate in our Avant Law team. Justin has over 15 years’ experience advising in commercial, corporate, risk, compliance, governance, regulatory enforcement and dispute resolution and advises clients in the private and public sectors. He was previously General Counsel of a national allied health group of companies and held Group and Divisional Head of Legal roles in a major ASX-listed health company, whose operations covered medical and dental centres, allied health, pathology, diagnostic imaging, assisted reproductive technologies, day surgeries and hospitals. Prior to these in-house legal roles, Justin was an Executive Counsel with the global law firm Herbert Smith Freehills where he practiced for over 10 years.


The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of this content. The information in this article is current to
6 December 2022. Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme. © Avant Mutual Group Limited 2023

To Top