The Western Australian Government has passed innovative Privacy and Responsible Information Sharing laws. Public sector entities and their contracted service providers should prepare now for the regime, which is likely to take full effect in 2026.
On 6 December 2024, the highly anticipated Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act), and the related Information Commissioner Act 2024 (WA) received Royal Assent.
Western Australian Minister for Innovation and the Digital Economy, the Hon Stephen Dawson, has described the PRIS Act as an enabler for modern digital government, introducing contemporary privacy protections and innovative responsible information sharing practices that are the first of their kind in Australia.
With key features of the PRIS Act likely to take effect in 2026, WA public entities (and certain service providers to public entities) should have delivery of their PRIS Act compliance strategy well underway.
Key components of the PRIS regime
- WA public entities are now 'IPP entities' subject to the information privacy principles (IPPs) and responsible information sharing principles (RSPs), required to ensure the strong protection and safe handling of personal information.
- Private entities that provide services to WA public entities (and their subcontractors) may be required to comply with the PRIS Act as 'contracted service providers' (CSPs).
- The PRIS Act consists of two complementary but separate components. First, the privacy provisions that govern the collection, storage, and use of personal information through the IPPs. Second, the responsible information sharing provisions that, together with the RSPs, guide the sharing of information, including personal information, for permitted purposes related to public interest.
- In addition to the establishment of the IPPs and RSPs, key features of the PRIS Act include the creation of a mandatory breach notification scheme, the introduction of a penalty regime that includes imprisonment as well as compensation and fines, and a novel mechanism that supports Aboriginal data governance in WA.
- Unlike the Commonwealth privacy regime, there is no 'employee records exemption' or exemption for 'small businesses'.
- The PRIS Act is likely to take effect in 2026.
- A new Chief Data Officer and the Office of the Information Commissioner will oversee the PRIS regime.
Which entities does the PRIS Act impact?
The PRIS Act applies to:
- public entities, including government departments, government trading entities, local and regional government authorities, the WA police force, universities, and some judicial bodies;
- certain contracted service providers; and
- 'external entities' in the context of the RSPs.
Contracted service providers (CSPs)
A CSP is a party to a 'State services contract' that:
- provides services to or on behalf of a public entity under the State services contract; or
- subcontracts (directly or indirectly) for the purposes of the State services contract.
A CSP is not automatically required to comply with the IPPs under the PRIS Act. A CSP is only bound by the IPPs (including the notifiable information breach obligations) if a relevant state services contract explicitly includes a clause that obliges it to comply.
Separately, a CSP may be subject to the RSPs of the PRIS Act if it is also an 'external entity' eligible to receive personal information under an information sharing agreement with a public entity.
Summary of the key features of the PRIS Act
Broad interpretation of 'personal information'
The definition of 'personal information' under the PRIS Act is somewhat aligned to the Privacy Act 1988 (Cth) (Privacy Act), but also includes information about deceased individuals, location data and information from which predictions of behaviour or preferences can be inferred.
IPP entities must only collect 'necessary' information
The PRIS Act requires that information collected must be 'necessary' (not 'reasonably necessary' as required under the Privacy Act) for the activities or functions of IPP entities.
Mandatory data breach notification scheme
The PRIS Act introduces mandatory reporting of 'notifiable information breaches' to a new WA Information Commissioner and requires notification to any affected individuals as soon as practicable. Broadly, a 'notifiable information breach' occurs if there is unauthorised access, disclosure, or loss of personal information by an IPP entity, and a reasonable person would conclude that it is likely to result in serious harm to any individual to whom the information relates.
Privacy impact assessments – public entities
Where the IPP entities involved in a proposed information sharing agreement are all public entities, each will be required to carry out a privacy impact assessment (PIA) before engaging in any 'high privacy impact' activity. This means an activity that involves the handling of personal information and which is likely to have a significant impact on the privacy of individuals. The PIA will identify privacy risks, and measures to mitigate those risks.
Based on the explanatory memorandum, functions or activities having a significant impact on the privacy of individuals may involve:
- the collection, use or disclosure of sensitive information on a large scale;
- ongoing or real-time tracking of an individual's geolocation; or
- the use of biometric templates or biometric information for the purpose of verification or identification.
Privacy impact assessments – CSPs
Where the proposed recipient in any information sharing agreement is a CSP, each entity must conduct a PIA, regardless of the anticipated level of impact on individual privacy.
De-identified information
The PRIS Act includes protections for de-identified information and a prohibition on re-identification of de-identified information (subject to exceptions).
Automated decision-making
The PRIS Act introduces obligations on IPP entities that use an 'automated decision-making process' involving personal information in making a 'significant decision' about an individual. Guidance is expected on what constitutes a 'significant decision', but such decisions could include recruitment decisions, detecting fraudulent activity on online platforms, or decisions about an individual's healthcare.
Penalties for non-compliance
The risks of noncompliance are significant, both in terms of reputation and penalties. The PRIS Act creates a system by which affected individuals may make privacy complaints to the WA Information Commissioner (a new body) for breach of the IPPs. The Commissioner may order the entity to take specific actions, provide redress, and pay compensation up to $75,000. The Commissioner may also issue an IPP compliance notice; failure to comply attracts a fine of $60,000. In addition, individuals who breach PRIS obligations risk imprisonment of up to three years.
Next steps
We recommend IPP entities consider the following:
- Designating senior officers as Privacy Officers tasked with the responsibility to promote compliance with the PRIS Act and the IPPs.
- Auditing and maintaining up to date and accurate records of all information assets held, including asset details (such as the type, location and person responsible for the information asset), applicable retention periods and security measures in place to protect each asset.
- Understanding current state collection, use and disclosure of 'personal information'.
- Developing IPP-compliant policies and procedures, including policies on responding to privacy breaches under the mandatory breach notification scheme.
- Understanding current information protection measures that safeguard personal information (both organisational and technical measures) and enhancing them to meet IPP 4 (Information security).
- Preparing standard form privacy clauses for inclusion in relevant third-party contracts.
- Reviewing 'State services contracts' with CSPs to identify CSPs that should be allocated PRIS Act compliance obligations and amending contracts accordingly.
- Establishing procedures for information sharing, including clear procedures for requesting, accessing and executing information sharing with other entities.
- Ensuring that staff are trained in the IPPs and responsible information sharing practices.
- Regularly monitoring and auditing compliance with IPPs and RSPs to identify and address gaps in compliance early.
- Monitoring proclamation dates and looking out for further guidance (particularly in relation to what constitutes a 'significant impact' in the context of PIAs).
- Developing Privacy Impact Assessment templates.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.