Western Australia is late to the (privacy) party, but it might just become the belle of the ball.
Late last year, the Western Australian Government introduced the Privacy and Responsible Information Sharing Act 2024 (PRIS Act).
The implementation of this new privacy law will offer valuable insights – and potential impacts – for organisations across Australia.
What is the PRIS Act?
Up until now, Western Australia did not have comprehensive privacy legislation to regulate how the public sector handles personal information. The PRIS Act will now address this gap. While the new Act has been proclaimed, only the preliminary components are operative so far, with the key provisions expected to commence in 2026.
Within the Act, 11 Information Privacy Principles (IPPs) will form the backbone of responsible personal information management. The Second Reading Speech emphasised that the Act doesn’t intend to follow “legacy models established in other Australian jurisdictions” with respect to its legislative approach, and we see that in how the PRIS Act has been drafted.
First, the PRIS Act has cherry-picked elements from other jurisdictions: the IPPs most closely resemble those in the Victorian Privacy and Data Protection Act 2014, while the mandatory notifiable data breach scheme (called notifiable information breaches in the PRIS Act) is most similar to what we see in the NSW Privacy and Personal Information Protection Act 1998. Meanwhile, Privacy Impact Assessments (PIAs) for high privacy impact functions or activities will be mandatory, as found in the federal Privacy (Australian Government Agencies – Governance) APP Code 2017.
Second, the PRIS Act also introduces new obligations not seen anywhere else in Australia. Some of these reflect long-awaited proposals which arose during the federal Privacy Act review process (in train since 2019 but currently awaiting the ‘Tranche 2’ Bill), while others are entirely novel.
Who will the PRIS Act apply to?
Similar to other state-based privacy legislation, the PRIS Act will apply to Ministers, Parliamentary Secretaries, public entities and some contracted service providers. Public entities include the WA public sector, the WA Police Force, local government and judicial bodies. State-owned public schools, TAFEs, and Universities established for a ‘public purpose’ under an Act are also regarded as ‘public entities’. Collectively, these are known as ‘IPP entities’.
Modern definition of ‘personal information’ sets a new benchmark
The PRIS Act introduces a stronger definition of personal information than any other jurisdiction in Australia. The Act does away with the outdated notion of information needing to be ‘about’ an individual, instead defining personal information as information or an opinion that ‘relates to’ an individual.
The PRIS Act also includes a non-exhaustive list of what personal information can be, which includes online identifiers and pseudonyms, location data, technical or behavioural information in relation to an individual’s activities, and ‘inferred information that relates to an individual, including predictions in relation to an individual’s behaviour or preferences and profiles generated from aggregated information’.
The definition of personal information is not the only significant modernisation we see in the PRIS Act: ‘collection’ expressly includes inferred and generated information; biometric information is recognised as sensitive personal information (and thus subject to tougher rules) without the qualifier of being collected for automated biometric verification or biometric identification; and ‘gender identity’ has been recognised as a new category of sensitive personal information where this does not correspond with designated sex at birth.
While the PRIS Act goes some way to modernise these key threshold definitions, we see a missed opportunity in the definition of ‘consent’. Rather than take on recommendations from the federal reforms process, the PRIS Act has retained the ‘express or implied’ definition we see in other jurisdictions.
A ‘fair and reasonable’ test
Perth has also stolen the thunder from the key Privacy Act reforms, with the PRIS Act introducing a ‘fair and reasonable’ test into its Collection, Use and Disclosure IPPs.
IPP entities must not collect, use, or disclose personal information unless doing so is fair and reasonable in the circumstances. This requirement is supported by a list of matters that IPP entities will need to take into account, including the reasonable expectations of the individual and the kind and amount of personal information involved.
New requirements for indirect collection
Adopting another proposed reform from the federal review process, the PRIS Act will require IPP entities which collect personal information about an individual from a third party (i.e. indirect collection) to take reasonable steps to satisfy themselves that the original collection by the third party or other originator did not contravene the requirements of IPP 1. This can be expected to have ramifications well beyond the WA public sector, as explained further below.
Mandatory PIAs
Under the PRIS Act, conducting a Privacy Impact Assessment (PIA) will be mandatory where the performance of a function or activity involves the handling of personal information that is likely to have a significant impact on the privacy of individuals, or when directed by the Information Commissioner.
PIAs must be conducted before the IPP entity first performs the high privacy impact function or activity, and the resulting report must, at a minimum:
- assess the likelihood that the performance of the function or activity will result in an interference with the privacy of any individual
- identify the impact that the performance of the function or activity might have on the privacy of individuals, and
- set out recommendations for managing, minimising or eliminating that impact.
Automated Decision Making requires assessment
Going significantly further than the federal Privacy Act’s Automated Decision Making (ADM) reforms (which to date have only resulted in a minor change to what must be included in a Privacy Policy), the PRIS Act introduces new requirements for IPP entities that employ automated decision-making processes involving the use of personal information in making significant decisions about individuals.
IPP entities will be required to conduct impact assessments (which include a requirement to have regard to the elimination or minimisation of harm, bias and discrimination), notify and inform individuals of the ADM process, and provide a process by which the individual can request human intervention in relation to the decision.
Other obligations set new standards
The PRIS Act will also introduce other requirements which go beyond the obligations we see in other Australian jurisdictions:
- the requirement to make a written record of the purposes for which information will be collected and used or disclosed, before collecting personal information, as well as before using or disclosing personal information for a secondary purpose
- ensuring collection notices are up-to-date, clear, concise and expressed in plain language, and
- the requirement to take reasonable steps to protect de-identified information from misuse and loss and from unauthorised re-identification, access, modification or disclosure.
What does this mean for me?
WA has leapfrogged all Australian jurisdictions in crafting a more modern set of obligations when handling data about people.
For the WA public sector:
For State and local government agencies in WA, WA public universities, and contracted service providers to the WA public sector, the changes in the PRIS Act are significant. Our free Seven steps to prepare for the PRIS Act cheat sheet provides practical steps that agencies can take to adopt a risk-based approach to preparing for the new law.
WA public sector agencies will need to ensure that key external-facing documents and communications meet the requirements of IPP 1.9 (collection notices) and IPP 5 (the requirement for a transparency document, such as a Privacy Policy). Other building blocks needed as soon as possible will include an Information Breach Policy, an Information Breach Response Procedure, and tools to help agencies quickly review their exposure to privacy risks. Luckily, we have developed a suite of resources to help get WA public sector agencies off to the best start. (See our new Foundations for WA Compliance Kit, and Privacy awareness training for the WA public sector online module.)
For everyone else:
If you’re working in another jurisdiction with an eye on the federal Tranche 2 reforms, the implementation of the PRIS Act will offer useful observations as to how a new definition of personal information, a fair and reasonable test, and mandatory PIAs work in practice.
Furthermore, the PRIS Act may well herald reforms – or uplifts – in other jurisdictions.
Optimistically, we hope that Perth’s burst of activity will encourage Canberra to follow suit and introduce the Tranche 2 reforms to the federal Privacy Act, both for the benefit of all Australians, and to give businesses some much needed clarity as to what investment they need to make in their privacy programs.
However, even ahead of any Tranche 2 reforms, we anticipate that we will see a ‘rising tide lifts all boats’ effect stemming from the PRIS Act, particularly in light of the obligation on WA’s IPP entities to look at the collection practices of entities from which they receive personal information. Multi-jurisdictional public sector data linkage projects, and multi-party research projects, often require all participating parties to meet the ‘highest’ standard within the group – which is now the PRIS Act.
For example, any entities sharing personal information with or supplying data to WA agencies should take serious note of the new requirements around ‘indirect collection’, because what constitutes a lawful collection for an entity regulated under a different privacy law may not meet the higher tests set by WA.
In particular, IPP 1 in the PRIS Act requires collection to be ‘necessary’ (as opposed to the lower ‘reasonably necessary’ test seen in other jurisdictions) (IPP 1.1), includes a ‘fair and reasonable’ test (IPP 1.4), and requires more explicit data governance measures (IPP 1.7), on top of transparency measures like a collection notice (IPP 1.9) – which must be concise and plain language. Plus of course, IPP 1 is subject to the PRIS Act’s more modern definition of ‘personal information’, which explicitly includes unique identifiers and pseudonyms, like hashed email addresses or coded research data.
We would therefore expect to see due diligence from Western Australian public sector agencies on third party collection practices. Entities supplying personal information to WA agencies should consider conducting a gap analysis on their processes, in respect of meeting the standards set by IPP 1 in the PRIS Act.
So, while Western Australia may have been late to the privacy party, it may yet become the belle of the ball.
Need support in navigating the upcoming changes to the PRIS Act?
Grab key templates, pragmatic tools and checklists, to build your privacy compliance program with our Foundations for WA Compliance Kit; uplift understanding across your agency with our Privacy awareness training for the WA public sector online module; or reach out to Anna Johnston for tailored support.