Overview and timeline
There are big changes coming to the management of information, privacy and data in Western Australia. These will affect the State public sector directly and are also likely to impact private businesses contracting to government.
The legislation will take effect from July 2026, except for the data breach provisions
which kick in from January 2027.
At long last, WA has a privacy and data sharing Act – leaving South Australia as the only jurisdiction without such legislation.
The Privacy and Responsible Information Sharing Act 2024 (PRIS Act) draws on existing legislation but also has innovative elements.
- It will apply to government contractors – if this is specified in the contract – and in contrast to the Commonwealth Privacy Act 1988, there is no small business exemption, nor an employee records exemption.
- Comment: we can anticipate the government sector to include such provisions in contracts as standard practice as part of their risk management.
- There will be provisions to cover personal information affected by ‘automated decision making processes’ but it not yet clear how these will work.
- Comment: the Office of Digital Government has the responsibility for supporting agencies to get ready for the PRIS Act and presumably automated decision making processes will be part of this. The provision recognises that agencies remain responsible for system generated results in respect to privacy.
- As well as government departments the Act will apply to local government, public universities and government trading enterprises. Interestingly, it will also apply to Ministers and Parliamentary Secretaries.
- There are provisions specifically designed to protect privacy for Aboriginal family information.
- The definition of ‘personal information’ is more detailed and broader than the definition in the Commonwealth Privacy Act 1988 and includes, among other things:
- Information about deceased persons;
- ‘technical or behavioural information in relation to an individual’s activities, preferences or identity’;
- inferred information which may predict an individual’s behaviour, location or preferences;
- aggregated profile information.
Commentary
- The PRIS Act is up to date legislation in that it includes privacy protections but also seeks to support information sharing when this is in the public interest. In other words it goes beyond the intent of original privacy legislation by trying to balance the risks to personal information with opportunities to share information responsibly rather than just treating personal information as a source of risk to individuals.
- This is a positive step forward for data sharing. Speaking from experience as a former public servant it can be difficult to share information even within one department if this information has been collected under different pieces of legislation that the department administers; let alone between departments.
- It is wise to give the sector time to prepare. As well as the plethora of formal instruments and policies that will be needed, such as the designation of privacy officers, establishing formal policies etc, there will need to be a change in the mindset or culture of agencies around risk management of information if the vision to promote responsible data sharing is to be realised. The experience of the FOI regime is a case in point. Anecdotally, many agencies have taken a default position of not releasing information as a matter of course. Having a formal legislative framework to promote information sharing should help – but experience shows it is not so much the ‘black ink’ rules as the way these are interpreted by public servants that make the difference.
- At the same time – the privacy protections are innovative and seek to recognise the contemporary landscape, e.g. by including aggregated profile information and a range of information from which inferences and predictions about individuals can be drawn; and automated decision making. There will be considerable room for interpretation about what these principles mean and how to put them into action.
The WA public sector is going from having no privacy and data sharing legislation to some of the most sophisticated. The next 12 months will be critical in getting ready and this will need to include change management which addresses mindsets and cultures around the risks and benefits of information management, and not only the formal administrative apparatus.