The draft Privacy and Responsible Information Sharing Act (PRIS Act) promises to establish a robust framework to safeguard personal information handled by public entities, prioritising citizens’ privacy in information handling practices. The legislation also facilitates secure and responsible sharing of information among public entities. By enabling trusted data exchange, it enhances collaboration and efficiency across government agencies.
The PRIS Act imposes obligations and regulates Western Australia’s public service, which includes:
PLUS: Public entities may contractually require that any contractor or subcontractor they engage to provide services to the public entity, or to provide services to others on behalf of the public entity, must also comply with the privacy-related obligations under the PRIS Act.
The PRIS Act aims to modernise privacy protections, enhance government services and foster local research and development opportunities.
Set out in schedules, the PRIS Act introduces two sets of guiding principles:
Noting the IPPs and RSPs are largely unrelated – primarily linked by the application to public entities – the reason for bringing together two “incongruous subjects” under the PRIS is to create a system to ensure public trust in the way the government handles information.
Further marrying the two sets of principles, the WA Government proposes to implement the PRIS Act simultaneously with a sister act which establishes an independent regulator – the Office of the Information Commissioner: Information Commissioner Act 2024 WA (IC Act).
The IC Act revolves around a ‘holy trinity’ of officeholders, each empowered to govern the public sector on matters across both the privacy and information sharing frameworks.
1. A process for information-sharing including how requests can be made between relevant entities and the required content and operation of a compliant information-sharing agreement.
2. A “no wrong door” approach for access to, or correction of, personal information by ensuring general consistency between the IPPs and the Freedom of Information Act 1992 (WA).
3. A mandatory information breach notification scheme, broadly consistent with other state jurisdictions, requiring IPP entities to develop a publicly available information breach policy.
4. Privacy impact assessment requirement if the performance of a function or activity involving personal information is likely to have a significant impact on the privacy of individuals.
5. A privacy complaints framework and the power for the Information Commissioner to investigate and enforce compliance. IPP entities will face penalties for failures to comply.
6. Penalties for unauthorised information sharing, including both a simple and an indictable offence.
As the federal privacy legislation (the Privacy Act 1988 (Cth) (Privacy Act)) generally only applies to big businesses and Commonwealth agencies, Australian States and Territories have been entrusted to regulate their own public services. Accordingly, the majority of State and Territory governments have implemented specific privacy legislation for their public sector. The WA government (and, to some extent, its South Australian neighbour) have been slow to follow suit.
This means, until now, WA’s public sector has managed its information handling practices in the absence of any comprehensive or consistent set of guidelines. Each public sector agency has been required to pick through a patchwork of legislation to determine if and how it might apply to its record keeping and disclosure responsibilities. WA Attorney General John Quigley has said that this approach has resulted in “inconsistent protections and cultural practices”.
The PRIS Act was conceived by the WA Government as a result of a report which showed WA’s lack of privacy legislation had concerned the Commonwealth Government when it came to intergovernmental information sharing with WA. This report, plus the upsurge in cybersecurity incidents, appears to have been the driving force behind the PRIS Act.
As mentioned above, the PRIS Act integrates two discrete and loosely related legal structures: a set of privacy principles and rules for information sharing arrangements. The latter is possibly the driving force behind the WA Government’s push for the new law, as the Attorney General has acknowledged the significantly underutilised value of data held by the public sector. With the proposed framework for safe and effective disclosure practices, the WA Government sees great opportunity in using the information it holds to bring about strong socio-economic outcomes for the Western Australian people.
Noting the Commonwealth Government recently agreed to a number of significant reforms to ensure the Privacy Act is fit for purpose in the digital age, some have questioned why the WA Government is pushing ahead with the PRIS Act rather than awaiting the outcome of the Commonwealth’s learned experiences. However, the Attorney General appears to pre-empt this concern by promising the PRIS Act “will be an enabler for modern digital government”.
The Attorney General has emphasised that the privacy principles under the PRIS Act broadly align with the Commonwealth Government’s privacy principles under the Privacy Act, but have been drafted to address concerns on which the Privacy Act falls short, such as:
As the PRIS Act will apply to the majority of the WA public sector and potentially any businesses that contract with WA public entities (if the contract requires compliance with the regime), the ramifications are significant.
At present, the draft legislation has passed through the Legislative Assembly and is due for further consideration by the Legislative Council as early as mid-August 2024.
We encourage WA agencies, local governments and other public sector organisations to commence the process of reviewing their existing internal governance and operations to identify any gaps in compliance with the requirements under the PRIS Act. Additionally, any business involved in the WA public sector should be considering whether the PRIS Act will apply to them.
We consider the primary areas of focus for public entities and businesses will be updating or developing policies relating to:
Public entities will also have the additional task of developing policies and systems relating to:
Our team are well known for our expert experience with privacy legislation, government contracts and information sharing agreements.
Contact us for more information as to how the PRIS Act may impact you: Elizabeth Tylich, Ariel Bastian, Anna Kosterich
All direct quotes in this article are from Attorney General John Quigley’s Second Reading Speech to the Legislative Assembly (and Hon Sue Ellery’s corresponding Second Reading speech to the Legislative Council).