
Introduction

It is the season for privacy reform! At the federal level, Tranche 1 of reforms to the Commonwealth Privacy Act 1988 (Cth) (Privacy Act) has recently passed – read more about the Commonwealth Privacy Reforms here: Australian Privacy Reform Bill Tranche 1 passed Parliament: Key impacts for your business.

And in Western Australia, the Privacy and Responsible Information Sharing Act 2024 (PRIS Act), and related Information Commissioner Act 2024 (IC Act) were passed by WA Parliament on 28 November, receiving Royal Assent on 6 December 2024.

Operative provisions of the PRIS Act will come into force on a date (or dates) that will be fixed by proclamation. It is anticipated the privacy provisions of the Act will commence in 2026, at which time the PRIS Act will introduce the first dedicated privacy legislation applicable to WA public sector entities, as well as a responsible information sharing framework.

The PRIS Act establishes privacy obligations that apply to the handling of personal information by WA public entities, and in some cases, their service providers. The Act also provides a framework for the sharing of information between WA public entities and with other authorised external entities – putting in place processes by which information sharing can be requested, assessed and executed. New offences and penalties are also introduced, including in relation to certain non-compliance and unauthorised disclosures.

The PRIS Act also establishes a new Chief Data Officer for Western Australia, as well as setting out the functions and powers of the Information Commissioner and Privacy Deputy Commissioner established under the IC Act.

Which entities will the PRIS Act apply to?

The PRIS Act applies to a wide range of WA public entities, including WA Government departments, local and regional governments, government trading enterprises, the Police Force of WA, courts and tribunals, SES organisations under the Public Sector Management Act 1994 (WA), universities and colleges and any other body established for a public purpose under a written law (with limited exceptions).

In addition, the PRIS Act introduces Information Privacy Principles (IPPs) that IPP entities must comply with. IPP entities include the WA public entities discussed above and any contracted service providers that handle personal information on behalf of those entities, if the relevant services contract specifies that the PRIS Act will apply to the service provider. This allows public entities to enforce strong external privacy compliance by requiring that their service providers comply with the PRIS Act not only contractually, but also under the direct statutory force of the PRIS Act.

Due to a State contracts exemption in the Privacy Act, those contracted service providers who are required to comply with the IPPs will often be exempt from complying with the Privacy Act equivalent, the Australian Privacy Principles (APPs). That exemption applies where a private sector contracted service provider for a contract with a State government agency engages in conduct for the purpose of directly or indirectly meeting an obligation under that contract. Unlike the Privacy Act, there is no exemption for ‘small business’ entities.

Privacy

The PRIS Act introduces a statutory privacy framework that applies to the handling of personal information by IPP entities. The Act introduces obligations on IPP entities, creates rights for affected individuals and establishes the functions and powers of the new Information Commissioner and Privacy Deputy Commissioner.

Key privacy provisions

Key privacy provisions under the PRIS Act introduce:

  • 11 IPPs relating to the handling of personal information that IPP entities must comply with;
  • requirements for IPP entities to undertake privacy impact assessments for high privacy impact activities;
  • a process for contracted service providers to accept privacy obligations, making them IPP entities;
  • functions and powers of the Information Commissioner, including to:
    • investigate any act that may be an interference with privacy;
    • monitor and assess compliance with the privacy obligations and the IPPs under the PRIS Act; and
    • issue compliance notices to IPP entities, which may attract a $60,000 fine if the IPP entity does not take all reasonable steps to comply with the compliance notice;
  • a mandatory notifiable information breach regime, which requires notification to the Information Commissioner and affected individuals as soon as practicable after a notifiable information breach is assessed; and
  • a privacy complaints regime, which allows for individuals to make a privacy complaint to the Information Commissioner.

The privacy complaints regime also includes a procedure for dealing with complaints, a process for resolution or conciliation of complaints and powers for the Information Commissioner to deal with unresolved complaints – including by determining a privacy complaint with an order for compensation of up to $75,000 to be paid by the respondent IPP entity to the complainant for loss and damages suffered due to the interference with privacy.

Information Privacy Principles

The IPPs relate to the handling of personal information, with requirements concerning the collection, use and disclosure of information, information security, restrictions on disclosures outside Australia of both identified and de-identified information and protection of de-identified information generally.

IPPs also provide for access and correction of information, information quality, openness and transparency, a right to anonymity when dealing with an IPP entity, restrictions on assigning unique identifiers and a framework for the use of automated decision-making, discussed further below.

The IPPs place restrictions and conditions on the handling of personal information by IPP entities, for example only allowing the collection of personal information ‘necessary’ for the activities or functions of an IPP entity. There is also a requirement for an IPP entity to develop a document setting out its information handling policies and make it available to anyone that requests it.

WA public entities will need to consider each of the IPPs and their current practices to ensure that their handling of personal information is compliant with all requirements and to identify any changes that they will need to implement by the time the privacy provisions of the PRIS Act come into effect.

Automated decision-making

The PRIS Act introduces automated decision-making obligations that apply to IPP entities using an automated decision-making process involving personal information in making a significant decision about an individual.

An automated decision-making process uses a computer information-processing system or artificial intelligence system to make, or materially assist in making, a decision.

A significant decision is broadly defined as a decision that affects an individual’s rights, entitlements, interests or liabilities or otherwise has a significant effect on their life circumstances, opportunities, behaviour or wellbeing.

Automated decision-making obligations

The obligations that apply to IPP entities include:

  • conducting an assessment on the impact of the automated decision-making process on individuals;
  • periodically evaluating and reassessing the effectiveness of the automated decision-making process;
  • notifying individuals when an automated decision-making process has been used in making a significant decision about them;
  • on request, providing information on how the automated decision-making process was used in making the decision; and
  • providing a process by which individuals can request human intervention in relation to the decision.

WA public entities will need to consider any automated decision-making processes used to make significant decisions relating to individuals and will need to ensure they are able to comply with the PRIS Act obligations in relation to automated decision-making, once they come into effect.

How does the PRIS Act differ from the Commonwealth Privacy Act?

The IPPs under the PRIS Act are comparable to the APPs under the Privacy Act that apply to Commonwealth government entities and certain private sector entities.

However, there are some notable differences including in relation to the definition of personal information, exemptions for employee records, automated decision-making and responsible information sharing. The PRIS Act also provides a framework for the responsible sharing of information, which is not a process contemplated or addressed by the Privacy Act.

In addition, many of the Tranche 1 reforms recently passed in relation to the Privacy Act are not included in the PRIS Act – so the two regimes are unfortunately out of sync in several areas.

Personal information definition

The definition of ‘personal information’ under the PRIS Act, while closely aligned to the definition under the Privacy Act, extends to include the personal information of deceased, as well as living, individuals. The PRIS Act also provides a non-exclusive list of the kinds of information that may be personal information including examples that contemplate information generated by recent technological advances. These examples include information relating to an individual’s location and inferred information including predictions of an individual’s behaviours or preferences and profiles generated from aggregated information.

Employee records

Unlike the Privacy Act as it applies to private sector entities, the PRIS Act does not provide an employee records exemption. This means that the requirements of the PRIS Act will apply to personal information within employee records held by WA public entities, including when used for the administration of the relevant person’s employment.

Automated decision-making

The automated decision-making provisions under the PRIS Act go beyond those obligations that will be introduced under the Privacy Act Tranche 1 reforms, which require privacy policies to be updated in respect of automated decisions.

Direct marketing

There is no separate IPP for direct marketing, as opposed to other use and disclosure of personal information.

De-identified information

IPP 9 (Disclosures outside Australia) includes requirements to protect de-identified information – not only personal information – when disclosing it to an overseas recipient. And IPP 11 (De-identified information) includes requirements to protect the security of de-identified information and not re-identify it except in limited circumstances.

The Federal Government has indicated that it does not at this stage intend to make similar recommended changes to the Privacy Act.

Privacy Act reform – Tranche 2 items

While we are still waiting to see a draft bill on Tranche 2 of the Privacy Act reforms, some of the items expected (based on the Privacy Act Review Report) have made their way into the PRIS Act first:

  • the definition of ‘personal information’ includes a list of examples;
  • the definition of ‘collection’ specifically includes inferring and generating personal information;
  • record-keeping requirements in relation to the purposes of collection, use and disclosure of personal information. These internal records may need to be more specific than what is typically recorded in a privacy policy under the Privacy Act, and it may be appropriate for IPP entities to maintain a register of the personal information they collect and the related purposes;
  • where personal information is collected from someone other than the individual, IPP entities must take reasonable steps to satisfy themselves that it was collected consistently with IPP 1 (Collection); and
  • collection, use and disclosure of personal information must be fair and reasonable.

Responsible information sharing

The PRIS Act introduces responsible sharing principles (RSPs) and a statutory mechanism to allow IPP entities to share information, including personal information, for specified purposes including informing or enabling:

  • the making and implementation of government policy, programs and services;
  • research and development with clear and direct public benefits; and
  • emergency management, including prevention, preparation, response and recovery.

Key responsible information sharing provisions

Responsible information sharing provisions detail:

  • the kinds of information that may, and may not, be shared;
  • the entities that may make an information sharing request;
  • the purposes for which the information may be shared and used;
  • the process for making and responding to information sharing requests;
  • how information sharing agreements are entered into, operate and can be enforced; and
  • assessments that entities need to undertake prior to sharing information.

One of the assessments that entities will need to undertake prior to entering into an information sharing agreement is to identify whether any information to be disclosed is ‘sensitive Aboriginal family history information’ or ‘sensitive Aboriginal traditional information’. If such information is identified, relevant Aboriginal stakeholders must be consulted, and their consent must be obtained for the sharing of the information.

The Act also provides the circumstances in which information sharing will be authorised and includes a penalty of imprisonment for 12 months and a $12,000 fine for a person who discloses or uses information obtained under an information sharing agreement other than as authorised, without a reasonable excuse. Further, if the person should reasonably know that information may be used by another person to endanger an individual’s welfare, commit an indictable offence or interfere with the administration of justice, that person commits a crime with a penalty of 3 years imprisonment.

The proposed handling of shared information under the PRIS Act must be consistent with the RSPs, which require WA public entities to consider and assess, in the circumstances, the appropriateness of:

  • the activities to be carried out using the shared information;
  • the recipient entities to whom information is being disclosed;
  • the information that is being disclosed;
  • the settings, being the environment and manner in which the information will be collected, held, managed and used; and
  • the output of the relevant activity to be carried out using the information and the disclosure of any derived information.

New roles and functions

The PRIS Act allocates functions and powers to the new roles of Chief Data Officer (in respect of information sharing) and Information Commissioner and Privacy Deputy Commissioner (in respect of privacy).

Under the PRIS Act, WA public entities are required to designate senior officers to the roles of privacy officer and information sharing officer. These roles are responsible, respectively, for promoting and assisting with their entity’s compliance with the privacy and information sharing requirements of the Act.

When does the PRIS Act come into effect?

The Preliminary (Part 1) provisions came into effect on 6 December. However, the operative provisions of the Act will only come into effect on a day, or multiple different days, fixed by proclamation. It is not known when the operative provisions of the Act will come into effect and whether certain provisions will be proclaimed to come into effect later than others. However, the WA Government has indicated the privacy provisions are anticipated to commence in 2026.

The WA Government may elect to take a similar approach to the Commonwealth Government in its recent changes to the Privacy Act, which provided a two-year grace period for the automated decisions reforms under the Privacy Act. However, given the signalling that provisions will not take effect until 2026, the intention may be that the grace period is effectively the period from the Act passing to it being implemented in 2026 – i.e., public entities will have 2025 to become compliant.

The WA Government has also provided an interim privacy position for the WA public sector: agencies should ensure their actions are consistent with applicable APPs under the Commonwealth Privacy Act, with primary emphasis upon APP 6 – “use or disclosure of personal information”. The slightly wider ‘personal information’ definition provided under the PRIS Act is to be used, rather than the definition under the Privacy Act. However, agencies operating under statutes that contain specific provisions about the use or sharing of data should continue to comply with those specific provisions.

PRIS Act seminar in 2025 – register now

Now is the time for WA public entities and contracted service providers to get familiar with the PRIS Act and start preparing to comply.

To assist with these preparations, we will be presenting a lunchtime seminar on the new requirements that will apply to WA public sector entities and their contracted service providers. This will include a comparison to the Commonwealth Privacy Act and consider the interim privacy position applicable to the WA public sector. The seminar will cover the new Information Privacy Principles and Responsible Sharing Principles, what you need to know about automated decision-making and the key rights and obligations to be aware of.

Register now for our lunchtime seminar on 20 February 2025 by contacting Catherine Watts.

This article was originally published on 9 December 2024 and updated on 10 December 2024.

Key contacts


Jacques Giuffre

Executive Counsel, Perth


Kaman Tsoi

Special Counsel, Melbourne


Lynsey O'Neil

Solicitor, Perth
