Are you "PRIS Ready"? 5 steps organisations can take now
The majority of Western Australia's Privacy and Responsible Information Sharing (PRIS) laws come into force on 1 July 2026, with the mandatory notifiable information breaches scheme to follow on 1 January 2027.
For the first time, the PRIS laws will impose comprehensive privacy obligations on WA public entities and those that contract with them.
Given the extended lead time afforded to those subject to the laws, WA's Information Commissioner has cautioned against expecting an overly generous 'educative period' of the kind regulators sometimes allow following legislative change. Enforcement is a real possibility from 1 July 2026. The reality, however, is that competing priorities and scarce resources and budgets have likely left many organisations covered by the PRIS laws with work to do to achieve a sufficient level of compliance.
We have released articles previously outlining the PRIS laws and how they may impact on public and private organisations, which you can revisit via the links at the end of this article.
Here, with the commencement of the laws upon us, we wanted to outline five practical steps organisations can take now to help transition to the PRIS laws.
1. Review your privacy policy
Central to the "privacy by design" concept which underpins the PRIS laws is the requirement to have in place appropriate privacy practices and procedures. Information Privacy Principle (IPP) 5 requires IPP Entities to maintain a privacy policy that is "clear, concise and expressed in plain language" and that is kept up to date over time.
Privacy policies need to address how an organisation collects, uses, discloses and handles personal information in a manner consistent with the IPPs. While IPP 5 does not prescribe particular content in the same manner as its Commonwealth equivalent (Australian Privacy Principles (APP) 1), the content will necessarily need to address the manner of collection, disclosure and use.
When reviewing any existing privacy policy, or preparing a new policy, for PRIS compliance purposes, careful attention should be paid to:
ensuring it extends not only to future collections of personal information, but to personal information already held by the organisation;
covering the expanded definition of personal information adopted by the PRIS laws, which expressly covers deceased individuals, inferred information, and location data;
taking account of the fact that the PRIS laws do not include the employee records exemption available under the Privacy Act 1988 (Cth), meaning the policy will need to extend to employee personal information (or a separate policy is needed to address the handling of such information); and
incorporating specific reference to the use (if any) of automated decision-making technology.
While not a strict requirement of the PRIS laws, best practice is to make the organisation's privacy policy available on its website. Because the policy is public facing, and an easy target for compliance checks, ensuring that your organisation's privacy policy is compliant should be high on the list of priorities.
2. Plan for PRIS specific contract clauses
The PRIS laws will apply to "contracted service providers" (both contractors and subcontractors) where the relevant State services contract with a WA public entity contains a clause requiring compliance.
Where a State services contract entered into after 1 July 2026 lacks such a PRIS compliance clause, the WA public entity will be liable for any non-compliant acts or practices of the service provider as if it were its own.
For this reason, WA public entities should review contract templates and include a suitable PRIS compliance clause where the service provider will be providing a service to the public entity or on behalf of the public entity. Procurement guidelines and negotiation playbooks might also need to be updated to account for the changes.
Service providers can also be proactive in this space by preparing to discuss or demonstrate, as part of upcoming tenders, that they are PRIS compliant, and by proactively introducing PRIS compliance clauses into their own contract templates where those templates are typically used for State services contracts. In the case of principal contractors, it is important to ensure any subcontract templates are similarly updated to include obligations on the subcontractor to comply with the PRIS laws.
3. Prepare and implement a process for privacy impact assessments
IPP Entities that plan to introduce or make material changes to "high privacy impact functions or activities" after 1 July 2026 will first need to undertake a privacy impact assessment (PIA).
While PIAs have long been encouraged as best practice, they have not previously been mandated. The WA Office of the Information Commissioner (OIC) has the ability to request the PIA report, and if the PIA is conducted in the context of a responsible information sharing agreement, the report needs to be made public.
For this reason, both public and private organisations should be building PIA processes and practice into project planning and governance workflows now. Designed to foster a culture of transparency, these assessments and reports must be robust enough to withstand public scrutiny, particularly should something subsequently go awry.
4. Initiate training and ensure staff awareness
The breadth of the new PRIS obligations means that compliance will require awareness and engagement across the organisation.
Staff who collect, use, store or disclose personal information will need to understand their responsibilities and how those responsibilities are designed to ensure the organisation complies with the IPPs, including the heightened collection threshold of "necessary" (as opposed to the arguably weaker Commonwealth standard of "reasonably necessary") and the requirement that collection be "fair and reasonable".
Efforts to increase awareness of the new laws and associated policies and procedures should be made across the organisation. Suitable training should be delivered to staff that will play a role in the organisation's PRIS compliance efforts. While initial 'general' training provides a platform, appropriately tailored training will be necessary for those in roles with increased responsibility for PRIS compliance.
Records of training delivered and attendance should be kept to assist in demonstrating adherence to the IPPs.
5. Stay across commentary and OIC guidance
Since the introduction of the PRIS laws, we have endeavoured to provide insights into the primary features of the PRIS laws. Our previous articles have explored:
our first impressions of the PRIS Act;
obligations under the Information Privacy Principles (IPPs);
the notifiable information breaches scheme; and
requirements for contracted service providers.
The OIC also continues to develop further guidance materials. You should consider signing up to the OIC's monthly newsletter to ensure you remain across any recent releases. These materials will be a valuable source of practical guidance as your organisation works through the detail of PRIS implementation.
Don't panic, but be proactive
If your organisation is not entirely "PRIS Ready" by 1 July 2026, you will undoubtedly not be alone. Privacy compliance is a journey that will continue even for organisations that are "PRIS Ready" at commencement.
What is important is that you and your organisation take steps now to at least ensure that a plan is in place to address any remaining areas of focus, targeting available resources to those elements of PRIS compliance that present the biggest risk to the organisation.