ARTICLE
4 August 2025

Privacy And Responsible Information Sharing Act: Implications For The Public Sector In Western Australia

Herbert Smith Freehills Kramer LLP

Introduction

It is the season for privacy reform! At the federal level, Tranche 1 of the reforms to the Commonwealth Privacy Act 1988 (Cth) (Privacy Act) was passed in November 2024. Read more about the Commonwealth privacy reforms here: Australian Privacy Reform Bill Tranche 1 passed Parliament: Key impacts for your business.

And in Western Australia, the Privacy and Responsible Information Sharing Act 2024 (PRIS Act) and the related Information Commissioner Act 2024 (IC Act) were passed by the WA Parliament on 28 November 2024 and received Royal Assent on 6 December 2024, with the operative provisions of the PRIS Act to come into force on a date to be proclaimed. In July 2025 we got Christmas in July, with the WA State Government announcing that the operative privacy and responsible information sharing provisions of the PRIS Act will come into operation on 1 July 2026.

In a nutshell: the story so far

Once in full effect, the PRIS Act will introduce the first dedicated privacy legislation applicable to WA public sector entities, as well as a responsible information sharing framework.

The PRIS Act establishes privacy obligations that apply to the handling of personal information by WA public entities, and in some cases, their service providers. The Act also provides a framework for the sharing of information between WA public entities and with other authorised external entities – putting in place processes by which information sharing can be requested, assessed and executed. New offences and penalties are also introduced, including in relation to certain non-compliance and unauthorised disclosures.

On 1 July 2025, the IC Act came into operation, as did related provisions of the PRIS Act, which together establish and set out the functions and powers of the Information Commissioner, Privacy Deputy Commissioner, Chief Data Officer and the Privacy and Responsible Information Sharing Advisory Committee. However, the majority of the substantive obligations under the PRIS Act were only to come into force on a date to be proclaimed.

The WA Government has now indicated that most of the operative privacy and responsible information sharing provisions of the PRIS Act will come into operation on 1 July 2026, while the requirement to report serious data breaches to the Information Commissioner and to the people affected will come into operation on 1 January 2027.

Which entities will the PRIS Act apply to?

The PRIS Act applies to a wide range of WA public entities, including WA Government departments, local and regional governments, government trading enterprises, the Police Force of WA, courts and tribunals, SES organisations under the Public Sector Management Act 1994 (WA), universities and colleges and any other body established for a public purpose under a written law (with limited exceptions).

In addition, the PRIS Act introduces Information Privacy Principles (IPPs) that IPP entities must comply with. IPP entities include the WA public entities discussed above and any contracted service providers that handle personal information on behalf of those entities, where the relevant services contract specifies that the PRIS Act will apply to the service provider. This gives public entities a stronger lever over external privacy compliance: a service provider that accepts PRIS Act obligations in its contract is bound not only contractually, but directly by the statutory force of the PRIS Act.

Due to a State contracts exemption in the Privacy Act, contracted service providers that are required to comply with the IPPs will often be exempt from complying with the Privacy Act equivalent, the Australian Privacy Principles (APPs). That exemption applies where a private sector contracted service provider under a contract with a State government agency engages in conduct for the purpose of directly or indirectly meeting an obligation under that contract. Unlike the Privacy Act, the PRIS Act contains no exemption for 'small business' entities, so a small provider that accepts PRIS Act obligations under its contract is fully bound by the IPPs.

Privacy

The PRIS Act introduces a statutory privacy framework that applies to the handling of personal information by IPP entities. It imposes obligations on IPP entities, creates rights for affected individuals and establishes the functions and powers of the new Information Commissioner and Privacy Deputy Commissioner.

Key privacy provisions

Key privacy provisions under the PRIS Act introduce:

  • 11 IPPs relating to the handling of personal information that IPP entities must comply with;
  • requirements for IPP entities to undertake privacy impact assessments for high privacy impact activities;
  • a process for contracted service providers to accept privacy obligations, making them IPP entities;
  • functions and powers of the Information Commissioner, including to:
    • investigate any act that may be an interference with privacy;
    • monitor and assess compliance with the privacy obligations and the IPPs under the PRIS Act; and
    • issue compliance notices to IPP entities, which may attract a $60,000 fine if the IPP entity does not take all reasonable steps to comply with the compliance notice;
  • a mandatory notifiable information breach regime, which requires notification to the Information Commissioner and affected individuals as soon as practicable after a notifiable information breach is assessed; and
  • a privacy complaints regime, which allows for individuals to make a privacy complaint to the Information Commissioner.

The privacy complaints regime also includes a procedure for dealing with complaints, a process for resolution or conciliation of complaints and powers for the Information Commissioner to deal with unresolved complaints, including by determining a privacy complaint with an order for compensation of up to $75,000 to be paid by the respondent IPP entity to the complainant for loss or damage suffered due to the interference with privacy.

Information Privacy Principles

The IPPs relate to the handling of personal information, with requirements concerning the collection, use and disclosure of information, information security, restrictions on disclosures outside Australia of both identified and de-identified information and protection of de-identified information generally.

IPPs also provide for access and correction of information, information quality, openness and transparency, a right to anonymity when dealing with an IPP entity, restrictions on assigning unique identifiers and a framework for the use of automated decision-making, discussed further below.

The IPPs place restrictions and conditions on the handling of personal information by IPP entities, for example only allowing the collection of personal information 'necessary' for the activities or functions of an IPP entity. There is also a requirement for an IPP entity to develop a document setting out its information handling policies and make it available to anyone that requests it.

WA public entities will need to consider each of the IPPs and their current practices to ensure that their handling of personal information is compliant with all requirements and to identify any changes that they will need to implement by the time the privacy provisions of the PRIS Act come into effect.

Automated decision-making

The PRIS Act introduces automated decision-making obligations that apply to IPP entities using an automated decision-making process involving personal information in making a significant decision about an individual.

An automated decision-making process uses a computer information-processing system or artificial intelligence system to make, or materially assist in making, a decision.

A significant decision is broadly defined as a decision that affects an individual's rights, entitlements, interests or liabilities or otherwise has a significant effect on their life circumstances, opportunities, behaviour or wellbeing.

Automated decision-making obligations

The obligations that apply to IPP entities include:

  • conducting an assessment on the impact of the automated decision-making process on individuals;
  • periodically evaluating and reassessing the effectiveness of the automated decision-making process;
  • notifying individuals when an automated decision-making process has been used in making a significant decision about them;
  • on request, providing information on how the automated decision-making process was used in making the decision; and
  • providing a process by which individuals can request human intervention in relation to the decision.

WA public entities will need to consider any automated decision-making processes used to make significant decisions relating to individuals and will need to ensure they are able to comply with the PRIS Act obligations in relation to automated decision-making, once they come into effect.

How does the PRIS Act differ from the Commonwealth Privacy Act?

The IPPs under the PRIS Act are comparable to the APPs under the Privacy Act that apply to Commonwealth government entities and certain private sector entities.

However, there are some notable differences, including in relation to the definition of personal information, the treatment of employee records and automated decision-making. The PRIS Act also provides a framework for the responsible sharing of information, which is not a process contemplated or addressed by the Privacy Act.

In addition, many of the Tranche 1 reforms recently passed in relation to the Privacy Act are not included in the PRIS Act – so the two regimes are unfortunately out of sync in several areas.

Personal information definition

The definition of 'personal information' under the PRIS Act, while closely aligned to the definition under the Privacy Act, extends to include the personal information of deceased, as well as living, individuals. The PRIS Act also provides a non-exclusive list of the kinds of information that may be personal information including examples that contemplate information generated by recent technological advances. These examples include information relating to an individual's location and inferred information including predictions of an individual's behaviours or preferences and profiles generated from aggregated information.

Employee records

Unlike the Privacy Act as it applies to private sector entities, the PRIS Act does not provide an employee records exemption. This means that the requirements of the PRIS Act will apply to personal information within employee records held by WA public entities, including when used for the administration of the relevant person's employment.

Automated decision-making

The automated decision-making provisions under the PRIS Act go beyond those obligations that will be introduced under the Privacy Act Tranche 1 reforms, which require privacy policies to be updated in respect of automated decisions.

Direct marketing

Unlike the APPs, which deal with direct marketing in a dedicated principle (APP 7), the PRIS Act has no separate IPP for direct marketing. Direct marketing is treated like any other use or disclosure of personal information and must satisfy the general use and disclosure requirements.

De-identified information

IPP 9 (Disclosures outside Australia) includes requirements to protect de-identified information – not only personal information – when disclosing it to an overseas recipient. And IPP 11 (De-identified information) includes requirements to protect the security of de-identified information and not re-identify it except in limited circumstances.

The Federal Government has indicated that it does not, at this stage, intend to make equivalent changes to the Privacy Act.

Privacy Act reform – Tranche 2 items

While we are still waiting to see a draft bill on Tranche 2 of the Privacy Act reforms, some of the items expected (based on the Privacy Act Review Report) have made their way into the PRIS Act first:

  • the definition of 'personal information' includes a list of examples;
  • the definition of 'collection' specifically includes inferring and generating personal information;
  • record-keeping requirements in relation to the purposes of collection, use and disclosure of personal information. These internal records may need to be more specific than what is typically recorded in a privacy policy under the Privacy Act, and it may be appropriate for IPP entities to maintain a register of the personal information they collect and the related purposes;
  • where personal information is collected from someone other than the individual, IPP entities must take reasonable steps to satisfy themselves that it was collected consistently with IPP 1 (Collection); and
  • collection, use and disclosure of personal information must be fair and reasonable.

Responsible information sharing

The PRIS Act introduces responsible sharing principles (RSPs) and a statutory mechanism to allow IPP entities to share information, including personal information, for specified purposes including informing or enabling:

  • the making and implementation of government policy, programs and services;
  • research and development with clear and direct public benefits; and
  • emergency management, including prevention, preparation, response and recovery.

Key responsible information sharing provisions

Responsible information sharing provisions detail:

  • the kinds of information that may, and may not, be shared;
  • the entities that may make an information sharing request;
  • the purposes for which the information may be shared and used;
  • the process for making and responding to information sharing requests;
  • how information sharing agreements are entered into, operate and can be enforced; and
  • assessments that entities need to undertake prior to sharing information.

One of the assessments that entities will need to undertake prior to entering into an information sharing agreement is to identify whether any information to be disclosed is 'sensitive Aboriginal family history information' or 'sensitive Aboriginal traditional information'. If such information is identified, relevant Aboriginal stakeholders must be consulted, and their consent must be obtained for the sharing of the information.

The Act also sets out the circumstances in which information sharing will be authorised and includes a penalty of 12 months' imprisonment and a $12,000 fine for a person who, without reasonable excuse, discloses or uses information obtained under an information sharing agreement other than as authorised. Further, if the person should reasonably know that the information may be used by another person to endanger an individual's welfare, commit an indictable offence or interfere with the administration of justice, that person commits a crime carrying a penalty of 3 years' imprisonment.

The proposed handling of shared information under the PRIS Act must be consistent with the RSPs, which require WA public entities to consider and assess, in the circumstances, the appropriateness of:

  • the activities to be carried out using the shared information;
  • the recipient entities to whom information is being disclosed;
  • the information that is being disclosed;
  • the settings, being the environment and manner in which the information will be collected, held, managed and used; and
  • the output of the relevant activity to be carried out using the information and the disclosure of any derived information.

New roles and functions

Part 2 (Division 12) and Part 3 (Division 8) of the PRIS Act, which came into operation on 1 July 2025, allocate functions and powers to the new roles of Chief Data Officer (in respect of information sharing) and Information Commissioner and Privacy Deputy Commissioner (in respect of privacy).

Under the remaining operative provisions of the PRIS Act, which will come into effect on 1 July 2026, WA public entities are required to designate senior officers to the roles of privacy officer and information sharing officer. These roles are responsible, respectively, for promoting and assisting with their entity's compliance with the privacy and information sharing requirements of the Act.

When does the PRIS Act come into effect?

To date, the PRIS Act has come into effect in several tranches:

  • The Preliminary (Part 1) and Amending (Part 7) provisions came into effect on 6 December 2024. These Parts established the key framework provisions for the PRIS Act, but did not impose any substantive obligations.
  • On 1 July 2025, Part 2 (Division 12 only) and Part 3 (Division 8 only) of the PRIS Act came into operation. As described above, together with the IC Act, these provisions establish and set out the functions and powers of the Information Commissioner, Privacy Deputy Commissioner, Chief Data Officer and the Privacy and Responsible Information Sharing Advisory Committee.
  • Lastly, Miscellaneous (Part 4) and Transitional provisions (Part 5) of the PRIS Act also came into operation on 1 July 2025. The Transitional provisions include considerations for the collection of personal information prior to the commencement of the operative privacy provisions.

The WA Government has now indicated that the remaining operative privacy and responsible information sharing provisions will come into operation on 1 July 2026, while the requirement to report serious data breaches to the Information Commissioner and to the people affected will come into operation on 1 January 2027.

The WA Government has also set out an interim privacy position for the WA public sector: agencies should ensure their actions are consistent with the applicable APPs under the Commonwealth Privacy Act, with primary emphasis on APP 6 (use or disclosure of personal information). The slightly wider definition of 'personal information' under the PRIS Act is to be used, rather than the definition under the Privacy Act. However, agencies operating under statutes that contain specific provisions about the use or sharing of data should continue to comply with those specific provisions.

Are you PRIS Act ready?

Now is the time for WA public entities and contracted service providers to get familiar with the PRIS Act and start preparing to comply. Please reach out to us if you would like to discuss.

This article was originally published on 9 December 2024 and updated on 10 December 2024 and 29 July 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
