WA PRIS laws: Is your business a contracted service provider? If so, what now?
Western Australia's privacy and responsible information sharing (PRIS) laws come into force on 1 July 2026 and will be overseen by the State's new Information Commissioner, Annelies Moens. The commencement of WA's mandatory data breach notification scheme will follow shortly thereafter on 1 January 2027.
We've already explored our first impressions, the responsible information sharing framework, obligations under the Information Privacy Principles (IPPs), and the notifiable information breaches scheme. In this instalment, we take a closer look at how the PRIS laws may impact private sector entities, and what additional obligations they may face when the PRIS laws take effect in 2026.
Is your organisation a "contracted service provider"?
The PRIS laws apply to "contracted service providers". A contracted service provider is a party to a State services contract that provides services to or on behalf of a public entity, or a subcontractor under such an arrangement. Contracted service providers are required to comply with the Act if the State services contract contains a clause to the effect that Part 2 of the PRIS Act, the IPPs and any applicable approved privacy code of practice apply to the handling of information by the contracted service provider for the purposes of the State services contract.
There is no small business exemption under the PRIS laws, meaning small businesses or individuals who enter into State services contracts with such a clause are required to comply.
Contracted service providers may have already noticed such clauses being incorporated into contracts with WA public entities. Such clauses will automatically come into force once the substantive provisions of the PRIS laws take effect in mid-2026.
Where a contract lacks a compliance clause, the public entity will be held liable for a service provider's conduct as if it were its own. For this reason, contracted service providers can expect compliance clauses to be standard inclusions in future State services contracts.
Contractor obligations
The core obligations of contracted service providers who must comply with the PRIS laws fall within five principal categories:
1. IPP compliance
The IPPs will apply to the contracted service provider to the same extent as they apply to the public entity. In essence, the IPPs cover each element of the information lifecycle, from collection and storage through to security, accuracy, access, use, disclosure and deletion.
While many of these concepts will be familiar to organisations that currently comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth), there are nuances and differences between the two regimes that contracted service providers should factor into a review of current privacy policies and practices. In practice, this will often involve identifying the more stringent obligation between the two regimes and setting that as the bar for compliance, in much the same way that Australian organisations have done where they also need to comply with the GDPR.
2. Codes of practice
If so required by the compliance clause in the relevant State services contract, the contracted service provider must comply with any applicable privacy code of practice.
The PRIS laws provide for IPP entities (including contracted service providers) to submit privacy codes of practice for approval by the Information Commissioner. These codes typically outline specific requirements beyond (or in limited circumstances, in place of) the requirements of other IPPs that will apply to those bound by the code. The benefit of establishing a code is that compliance with the code will be deemed compliance with the IPPs. As such, it will be useful where public entities are undertaking potentially high risk privacy activities and want to be more prescriptive about the manner in which their operations, and those of their contracted service providers, are conducted.
Given the potential compliance burden, contracted service providers should be alive to the requirements of any code or proposed code. Any contracted service provider potentially affected by the relevant code will be afforded an opportunity to provide submissions, which, if they are accepted by the Information Commissioner, may have the effect of modifying the code prior to its approval. Contracted service providers also retain the option to submit amendments either independently or upon the Information Commissioner's request.
3. Notifiable information breaches
From 1 January 2027, contracted service providers will also be required to comply with the notifiable information breaches scheme where a breach or suspected breach involves personal information held in connection with services provided under their State services contracts.
We've already discussed the operation of the scheme for public entities. In summary, if a contracted service provider reasonably suspects a notifiable information breach, it must:
notify the public entity with which it contracts as soon as practicable;
take all reasonable steps to contain the breach;
conduct an assessment and prepare a report on whether the breach has occurred;
provide any assessment outcome to the public entity; and
take all reasonable steps to mitigate any harm caused by the breach.
Once the breach is deemed to be an "assessed notifiable information breach", the contracted service provider must provide the assessment report to the relevant public entity. Contracted service providers are not required to notify the Information Commissioner or affected individuals, as this onus lies with the relevant public entity.
Public entities will expect contracted service providers to provide all information and assistance reasonably necessary for the public entity to meet its notification obligations. This may be a considerable burden for a contracted service provider, particularly if it is battling to contain a broader breach of its systems while juggling competing obligations owed to numerous public and/or private clients. The contracted service provider will also need to be conscious that the details of its assessment of the breach, steps taken, costs and process improvements will be recorded in the public entity's data breach register and in its annual report.
4. Privacy impact assessments
Where a contracted service provider is engaging in "high privacy impact functions or activities" (ie, those likely to have a considerable impact on the privacy of individuals), it will need to undertake a privacy impact assessment. A copy of the report resulting from the privacy impact assessment must, on request, be provided to the Information Commissioner and the relevant public entity.
5. Communications
The PRIS laws stress the importance of the need for structured communications between a contracted service provider, the relevant public entity and the Information Commissioner. For example, the contracted service provider may designate in the State services contract a "principal officer" to be primarily responsible for providing any required notice, report, or application to the relevant public entity and the Information Commissioner. Contracted service providers should give serious consideration to doing so, with the default obligation otherwise falling on "the person responsible for managing the affairs" of the provider. With many organisations now having a dedicated privacy resource within risk and compliance or legal teams, it would be prudent for the principal officer to be one of those specialists who can best take on the responsibility for engaging with the public entity and Information Commissioner on matters associated with privacy impact assessments, suspected information breaches, and requests for access or correction of personal information held by the contractor.
Consequences for non-compliance
Non-compliance by a contracted service provider with the PRIS laws may constitute a breach of both the State services contract and the PRIS laws, exposing the contracted service provider to potential litigation by the public entity and possible enforcement action by the Information Commissioner. With the Information Commissioner able to award compensation to individual complainants of up to $75,000, liability under the PRIS laws has the potential to be significant if the complained-about practice impacts numerous individuals. And that's before contractual liability is factored in. Taking the example of a significant data breach, a contracted service provider might well have to face significant penalties at the same time as paying for the significant remediation costs of the public entity.
If the contracted service provider is insolvent at the time of the relevant privacy complaint, investigation or enforcement action, the relevant public entity may be required to assume conduct, or liability, as the case may be. It remains to be seen whether this will impact the position adopted by public entities on seeking parent company or bank guarantees from contracted service providers.
Exemption from compliance with the Privacy Act
Contracted service providers can draw some comfort from the fact that acts done, or practices engaged in, for the purposes of meeting (directly or indirectly) an obligation under a State services contract will be exempt from the Privacy Act 1988 (Cth).
Given the similarities in the legislative schemes, and the likelihood that organisations will adopt common information handling policies and practices which satisfy both, the practical benefit of this exemption may be limited. But it may be the case that particular practices required under particular State services contracts might at times bring a contracted service provider's actions into conflict with the Commonwealth scheme, in which case the exemption will be of some value.
Responsible information-sharing
Provided they are acting in pursuit of a permitted purpose, contracted service providers are able to participate in the responsible information sharing processes under the PRIS laws. The specifics of these processes are outlined in our earlier article on the responsible information-sharing framework. Depending on the nature of a contracted service provider's services, the ability to participate in this framework might present opportunities for further work with public entities – if the contracted service provider is in a position to comply with the information handling requirements.
Ready yourself
With a little over six months to go before the PRIS laws come into force, contracted service providers should be paying particular attention to:
whether clauses requiring compliance with the PRIS laws are materialising in their new or renewed State services contracts;
in the case of principal contractors, ensuring any subcontractors are similarly obliged to comply with the PRIS laws; and
reviewing privacy policies and practices to ensure they are robust and aligned with the requirements of the PRIS laws.
Taking proactive steps now will help ensure clarity, compliance, and reduced legal risk once the PRIS laws are in effect. It might also provide your business with a competitive edge in tendering for State work if it can demonstrate to the public entity that it is a safe pair of hands for personal information.