
WA Government passes innovative Privacy and Responsible Information Sharing regime

The Western Australian Government has passed innovative Privacy and Responsible Information Sharing laws. Public sector entities and their contracted service providers should prepare now for the regime, which is likely to take full effect in 2026.

On 6 December 2024, the highly anticipated Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act), and the related Information Commissioner Act 2024 (WA) received Royal Assent.

Western Australian Minister for Innovation and the Digital Economy, the Hon Stephen Dawson, has described the PRIS Act as an enabler for modern digital government, introducing contemporary privacy protections and innovative responsible information sharing practices that are the first of their kind in Australia.

With key features of the PRIS Act likely to take effect in 2026, WA public entities (and certain service providers to public entities) should have delivery of their PRIS Act compliance strategy well underway.

Key components of the PRIS regime

  • WA public entities are now ‘IPP entities’ subject to the information privacy principles (IPPs) and responsible information sharing principles (RSPs), required to ensure the strong protection and safe handling of personal information.

  • Private entities that provide services to WA public entities (and their subcontractors) may be required to comply with the PRIS Act as ‘contracted service providers’ (CSPs).

  • The PRIS Act consists of two complementary but separate components. First, the privacy provisions that govern the collection, storage, and use of personal information through the IPPs. Second, the responsible information sharing provisions that, together with the RSPs, guide the sharing of information, including personal information, for permitted purposes related to public interest.

  • In addition to the establishment of the IPPs and RSPs, key features of the PRIS Act include the creation of a mandatory breach notification scheme, the introduction of a penalty regime that includes imprisonment as well as compensation and fines, and a novel mechanism that supports Aboriginal data governance in WA.

  • Unlike the Commonwealth privacy regime, there is no ‘employee records exemption’ or exemption for ‘small businesses’.

  • The PRIS Act is likely to take effect in 2026.

  • A new Chief Data Officer and the Office of the Information Commissioner will oversee the PRIS regime.

Which entities does the PRIS Act impact?

The PRIS Act applies to:

  • public entities, including government departments, government trading entities, local and regional government authorities, the WA police force, universities, and some judicial bodies;

  • certain contracted service providers; and

  • ‘external entities’ in the context of the RSPs.

Contracted service providers (CSPs)

A CSP is a party to a ‘State services contract’ that:

  • provides services to or on behalf of a public entity under the State services contract; or

  • subcontracts (directly or indirectly) for the purposes of the State services contract.

A CSP is not automatically required to comply with the IPPs under the PRIS Act. A CSP is only bound by the IPPs (including the notifiable information breach obligations) if a relevant state services contract explicitly includes a clause that obliges it to comply.

Separately, a CSP may be subject to the RSPs of the PRIS Act if it is also an ‘external entity’ eligible to receive personal information under an information sharing agreement with a public entity.

Summary of the key features of the PRIS Act

Broad interpretation of ‘personal information’

The definition of ‘personal information’ under the PRIS Act is somewhat aligned to the Privacy Act 1988 (Cth) (Privacy Act), but also includes information about deceased individuals, location data and information from which predictions of behaviour or preferences can be inferred.

IPP entities must only collect ‘necessary’ information

The PRIS Act requires that information collected must be ‘necessary’ (not ‘reasonably necessary’ as required under the Privacy Act) for the activities or functions of IPP entities.

Mandatory data breach notification scheme

The PRIS Act introduces mandatory reporting of ‘notifiable information breaches’ to a new WA Information Commissioner and requires notification to any affected individuals as soon as practicable. Broadly, a ‘notifiable information breach’ occurs if there is unauthorised access, disclosure, or loss of personal information by an IPP entity, and a reasonable person would conclude that it is likely to result in serious harm to any individual to whom the information relates.

Privacy impact assessments – public entities

Where the IPP entities involved in a proposed information sharing agreement are all public entities, each will be required to carry out a privacy impact assessment (PIA) before engaging in any ‘high privacy impact’ activity. This means an activity that involves the handling of personal information and which is likely to have a significant impact on the privacy of individuals. The PIA will identify privacy risks, and measures to mitigate those risks.

Based on the explanatory memorandum, functions or activities having a significant impact on the privacy of individuals may involve:

  • the collection, use or disclosure of sensitive information on a large scale;

  • ongoing or real-time tracking of an individual's geolocation; or

  • the use of biometric templates or biometric information for the purpose of verification or identification.

Privacy impact assessments – CSPs

Where the proposed recipient in any information sharing agreement is a CSP, each entity must conduct a PIA, regardless of the anticipated level of impact on individual privacy.

De-identified information

The PRIS Act includes protections for de-identified information and a prohibition on re-identification of de-identified information (subject to exceptions).

Automated decision-making

The PRIS Act introduces obligations on IPP entities that use an ‘automated decision-making process’ involving personal information in making a ‘significant decision’ about an individual. Guidance is expected on what constitutes a ‘significant decision’, but such decisions could include recruitment decisions, detecting fraudulent activity on online platforms or decisions about an individual’s healthcare.

Penalties for non-compliance

The risks of non-compliance are significant, both in terms of reputation and penalties. The PRIS Act creates a system by which affected individuals may make privacy complaints to the WA Information Commissioner (a new body) for breach of the IPPs. The Commissioner may order the entity to take specific actions, provide redress, and pay compensation up to $75,000. The Commissioner may also issue an IPP compliance notice; failure to comply attracts a fine of $60,000. In addition, individuals who breach PRIS obligations risk imprisonment of up to three years.

Next steps

We recommend IPP entities consider the following:

  • Designating senior officers as Privacy Officers tasked with the responsibility to promote compliance with the PRIS Act and the IPPs.

  • Auditing and maintaining up-to-date and accurate records of all information assets held, including asset details (such as the type, location and person responsible for the information asset), applicable retention periods and security measures in place to protect each asset.

  • Understanding the current state of collection, use and disclosure of ‘personal information’.

  • Developing IPP-compliant policies and procedures, including policies on responding to privacy breaches under the mandatory breach notification scheme.

  • Understanding current information protection measures that safeguard personal information (both organisational and technical measures) and enhancing them to meet IPP 4 (Information security).

  • Preparing standard form privacy clauses for inclusion in relevant third-party contracts.

  • Reviewing ‘State services contracts’ with CSPs to identify CSPs that should be allocated PRIS Act compliance obligations, and amending contracts accordingly.

  • Establishing procedures for information sharing, including clear procedures for requesting, accessing and executing information sharing with other entities.

  • Ensuring that staff are trained in the IPPs and responsible information sharing practices.

  • Regularly monitoring and auditing compliance with IPPs and RSPs to identify and address gaps in compliance early.

  • Monitoring proclamation dates and looking out for further guidance (particularly in relation to what constitutes a ‘significant impact’ in the context of PIAs).

  • Developing Privacy Impact Assessment templates.


This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.