A united front – Western Australia proposes to introduce data privacy laws

Following an initial consultation period in late 2019, the WA Government announced last week that it is drafting new laws to create a robust data privacy regime to manage the personal information of Western Australians within Government and improve the delivery of Government services. These new laws are timely considering the recent high-profile data privacy breaches in the private sector and recent Commonwealth cybersecurity reform, such as the commencement of the Data Availability and Transparency Act 2022 (Cth).

A number of other States and Territories already have specific data privacy legislation. The proposed new WA specific data privacy legislation is intended to fill the legislative gap so that WA public sector organisations which are not covered by the Privacy Act 1988 (Cth) will have data privacy obligations going forward.

The key elements of the proposed new laws include:

• Introduction of “Information Privacy Principles” (IPPs) – It is envisaged that the IPPs will deal with the collection, use, disclosure and handling of personal information by the WA public sector. The IPPs may extend, where required, to contracted service providers. We expect that WA's IPPs will be similar to the Commonwealth Privacy Act's Australian Privacy Principles.
• The sharing of WA public sector information and the introduction of 'Responsible Sharing Principles (RSPs) – In order to improve the delivery of WA public services, it is proposed that the new laws will include a statutory mechanism for WA public sector organisations to responsibly share personal information. This will be managed by the RSPs which will provide a framework to assist WA public sector organisations to weigh up the benefits and risks of a data sharing arrangement. By allowing WA public sector organisations to share personal information, it will unlock opportunities for those organisations to improve the delivery of services and to undertake research to meet the needs of the WA public. One example of the benefits to individuals identified by the Government is the use of ServiceWA as a portal to deal with the various WA public sector organisations.
• Appointment of a Privacy Commissioner and a Chief Data Officer – These new positions will be responsible for managing data privacy within the WA public sector. The Privacy Commissioner will monitor compliance with the IPPs and deal with privacy complaints to protect the rights of the WA public. The Chief Data Officer will be responsible for promoting and supporting the sharing and use of WA public sector personal information.
• A mandatory data breach notification scheme – This will require a WA public sector organisation to notify the Privacy Commissioner of a serious data privacy breach involving personal information. It seems likely that this scheme will reflect the current mandatory data breach notification scheme under the Commonwealth Privacy Act, which requires the Commonwealth Privacy Commissioner and affected individuals to be notified of a serious data privacy breach. A breach may be serious on account of the financial, psychological, emotion, physical or reputational harm to the individual.
• Supporting Aboriginal personal information sovereignty and governance – The new laws will include a mechanism that will ensure that Aboriginal people and communities are involved or consulted when their personal information is shared.

WA public sector organisations, as well as any company or individual contractor that deals with those organisations, should look to the steps they can take now to prepare for the introduction of the new laws.