Initially foreshadowed in late 2022, and following community consultation which commenced in 2019, the WA Government has this month introduced Bills to implement its proposed new privacy and responsible information sharing (PRIS) laws.
With the Bills certain to pass given the WA Labor Government's strong majority in both houses, WA Government entities and those that contract with them should start preparing for their introduction now.
Designed to ensure the strong protection and safe handling of personal information held by the WA Government, the new WA specific data privacy legislation will fill a legislative gap in WA, while the inclusion of responsible information sharing laws is described by the WA Government as an "Australian-first".
Our first impressions of the PRIS laws and how they might impact the way you deliver Government services or do business are set out below.
Over coming weeks, we will explore in greater detail the main features of the PRIS laws, the new mandatory notifiable information breach scheme, and the opportunities presented by the responsible information sharing system.
Do the PRIS laws apply to you?
The PRIS laws impose obligations on IPP entities, which include WA Ministers and parliamentary secretaries, WA public entities and contracted service providers.
WA public entities include:
- WA Government trading enterprises and departments;
- local and regional governments;
- the WA Police Force;
- SES organisations under the Public Sector Management Act 1994 (WA), including (to name a few) the Arts and Culture Trust, the Insurance Commission of Western Australia, the Metropolitan Redevelopment Authority, the Public Transport Authority, the Housing Authority, and the Western Australian Tourism Commission;
- a body, or the holder of an office, established under a written law or by the Governor or a Minister, including Government Trading Enterprises; and
- judicial bodies, such as the Supreme Court of Western Australia (although not judicial officers themselves).
A contracted service provider is a person or entity that provides services to or on behalf of a public entity under a State services contract that contains a clause obliging them to comply with the privacy aspects of the PRIS laws. The reach of the PRIS laws extends not just to the primary contractor under a State services contract, but also to any subcontractors. While the application of the PRIS laws to contracted service providers is contingent on the terms of the relevant State services contract, we expect that such a clause will quickly become a staple of such contracts given the expectations of the public and in circumstances in which the public body may be held responsible for the acts of its contracted service providers should such a clause not be included.
There are some nuisances as to how the PRIS laws apply to WA public entities as opposed to contracted service providers, which we will explore in greater detail in subsequent parts of this series.
Structure of the PRIS laws – familiar, but not
The PRIS laws contain a set of Information Privacy Principles (IPPs) with which IPP entities must comply. The IPPs most closely resemble the information privacy principles in the Victorian privacy legislation (rather than the Australian Privacy Principles under the Privacy Act 1988 (Cth)), but with some notable differences in scope and content.
The PRIS laws also introduce a mandatory notifiable information breaches scheme which will be immediately familiar to those versed in the notifiable data breaches scheme under the Privacy Act 1988 (Cth). But, again, there are some notable differences which we will explore in this series.
The responsible information sharing component of the PRIS laws sets out the process by which public entities will be able to share "government information" (but not "exempt information") with other public entities and certain "external entities" (including contracted service providers, certain higher education providers, Aboriginal community-controlled organisations and bodies that carry out health-related research). Provision is made for "information sharing requests", the entry into "information sharing agreements", and the assessment of requests against a set of "responsible sharing principles" (RSPs). Each of these concepts will be explored later in this series.
New regulatory bodies
The PRIS laws will be overseen by two new public bodies:
- the Office of the Information Commissioner, which will be led by a new Information Commissioner with the assistance of a Privacy Deputy Commissioner (responsible for the privacy aspects of the PRIS laws) and an Information Access Deputy Commissioner (responsible for the current Freedom of Information Commissioner's function); and
- the Chief Data Officer, whose function it will be to oversee, and assist with, the application of the responsible information sharing aspects of the PRIS laws.
Oversight of the PRIS laws will be assisted by the mandatory designation of a privacy officer and information sharing officer at each public entity, whose functions will include coordinating the public entity's dealings with the Information Commissioner and Chief Data Officer, respectively.
New features
The Second Reading Speech for the new PRIS laws proudly proclaims that "[r]ather than following the legacy models established in other Australian jurisdictions, Western Australia has the opportunity to establish contemporary privacy protections and innovative responsible information sharing practices fit for the digital age".
The introduction of the PRIS laws shortly prior to the introduction of sweeping changes to the Privacy Act 1988 (Cth) is an interesting development, given a delay in the PRIS laws would have provided the opportunity to maintain a greater degree of uniformity with equivalent Commonwealth laws. However, the PRIS laws do appear to have been prepared with one eye on the likely changes at the Commonwealth level.
For example, IPP entities will be required to undertake privacy impact assessments (long encouraged, but not previously required) before engaging in high privacy impact functions or activities. The definition of "personal information" to which the PRIS laws apply includes a non-exhaustive list containing more contemporary types of information, such as technical or behavioural information. The definition of "sensitive information" expressly includes biometric information. Personal information must not be collected unless it is "necessary" (cf "reasonably necessary") and the collection is "fair and reasonable" having regard to a list of prescribed factors. Perhaps most strikingly, IPP 10 sets out an Australian-first requirement for IPP entities to consider due process, transparency and procedural fairness in the use of personal information in automated decision-making.
The range of documents, policies and procedures that IPP entities will need to have or prepare is also expanded, with notable new entrants including information breach policies (which must be publicly available), information breach registers, information sharing agreements, and reports on the outcome of information breach assessments, privacy impact assessments, and Aboriginal information assessments.