The countdown is on! The Western Australian Government has confirmed details for commencement of substantive obligations under the Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act).
In an announcement this week, the Attorney General and Science and Innovation Minister confirmed that the majority of the obligations under the PRIS Act would commence from 1 July 2026, with the notifiable information breach scheme in the PRIS Act commencing from 1 January 2027.
With these laws, the WA public sector will be subject to privacy obligations for the first time, including a set of Information Privacy Principles (IPPs). These privacy obligations are broadly similar to those under the national Privacy Act 1988 (Cth) (Privacy Act) and its Australian Privacy Principles (APPs), as well as equivalent regimes in other States and Territories, but do have some unique elements which jump ahead of other laws. Attorney General Dr Tony Buti has claimed as a result that ‘The new laws position our State as a privacy leader in Australia, introducing unique protections around automated decision-making and protecting de-identified information’.
Although focussed on the public sector, private sector organisations providing services to the WA Government can also be subject to obligations under the PRIS Act in that capacity.
The PRIS Act also contains an information sharing framework to facilitate the responsible sharing of data within the WA Government.
With just under a year until commencement, there are a number of steps that WA public sector organisations will need to take to ensure that they are compliant once the laws come into force.
We have provided updates on the laws throughout their development, including the initial consultation process, the Bill before Parliament, and the passage of the PRIS Act late last year. Our discussion of the Bill contains our most detailed summary of what now forms the PRIS Act, but we set out below key considerations.
Who does the PRIS Act apply to?
The PRIS Act applies to ‘IPP Entities’ which includes Ministers, Parliamentary Secretaries, a range of ‘public entities’, plus ‘contracted service providers’.
A ‘public entity’ includes:
- a Department of the public service;
- a body, or the holder of an office, that is established for a public purpose under statute, or is established by the Governor or a Minister;
- the Police Force of Western Australia;
- local government entities;
- a judicial body;
- a range of entities specified in the Public Sector Management Act 1994 (WA), such as Infrastructure WA, the Lotteries Commission, the Public Transport Authority of Western Australia, and the Western Australian Tourism Commission; and
- any other body prescribed by regulation.
The majority of the PRIS Act will only apply to contracted service providers where contractually imposed by a public sector entity; however, once so imposed, the legislation will apply directly. Failure to comply with the IPPs would then be not just a breach of contract, but also a direct breach of the legislation.
How do the IPPs and APPs compare?
While the IPPs and notifiable information breach scheme in the PRIS Act are broadly similar to the corresponding provisions of the Privacy Act and other State and Territory laws, they do have some noteworthy local quirks.
Key shared features of the APPs and IPPs include, in broad terms:
- limiting collection of personal information to those instances where necessary for one or more of the entity’s functions or activities (IPP 1.1 and APP 3);
- requiring consent prior to collection of sensitive information in most instances (IPP 1.2 and APP 3.3);
- communicating certain details about the handling of personal information as part of the collection process (IPP 1.9 and APP 5);
- limiting use and disclosure of personal information (IPP 2 and APP 6) to:
– the primary purpose for which that information was collected;
– a related secondary purpose, if reasonably expected by individuals involved;
– instances where the use or disclosure is required or authorised by another law;
– other purposes, if the individual has consented to that use or disclosure; or
– certain other narrow circumstances defined in the legislation;
- providing individuals with means to access and correct their personal information (IPP 6 and APPs 12 and 13);
- taking reasonable steps to secure personal information held (IPP 4 and APP 11); and
- publishing a privacy policy (IPP 5 and APP 1.3).
However, one conspicuous new element is an overriding requirement that any collection, use and disclosure of personal information is ‘fair and reasonable’. This change has been mooted for the national Privacy Act, and strongly pushed by the Commonwealth Privacy Commissioner Carly Kind, who believes that an overarching ‘fair and reasonable’ test ‘circumvents the reliance on consent that we’ve seen in many different parts of the digital economy whereby individuals just kind of click consent or agree to terms and conditions they don’t really understand and which actually lead to harmful privacy practices’.
Also new, relative to the APPs, are requirements around the use of personal information as part of automated decision making processes, which are covered by IPP 10. While recent changes to the Privacy Act have introduced some basic transparency obligations when using computer programs to make decisions, the PRIS Act goes further. Under IPP 10, an IPP Entity using automated decision making processes to make significant decisions about an individual must:
- conduct an assessment of the impact of the automated decision making process on those individuals, taking into account factors listed in IPP 10.1(a);
- re-assess those matters when changes are made to the automated decision making process;
- periodically evaluate the operation and effectiveness of the automated decision making process;
- notify individuals when an automated decision-making process has been employed in making a decision about them;
- on request, give individuals information about how the automated decision making process is employed in making decisions; and
- provide a process by which the individual can request human intervention in relation to automated decisions.
Unusually, IPP 11 also contains a number of obligations on IPP Entities when handling de-identified information. These include a requirement to take reasonable steps to protect that de-identified information, and also limitations on re-identifying that information.
What should I do to prepare?
The first step is to consider whether your organisation would qualify as an ‘IPP Entity’ under the PRIS Act. In many cases this will be straightforward, as most public entities are likely to be caught by the PRIS Act, but there may be instances where more nuanced consideration is involved, such as where a non-government organisation is appointed to fulfil a legislative function.
Private business operators who provide services to WA agencies, local governments and other public sector organisations should also begin to assess whether they are likely to be caught by the PRIS Act as ‘contracted service providers’.
IPP Entities will then need to have arrangements in place to comply with the PRIS Act from 1 July 2026. The State Government has been encouraging organisations to take a series of steps toward compliance over multiple years, but with a deadline in sight, IPP Entities now definitively need to move forward with these steps.
The PRIS Act will, amongst other things, require IPP Entities to:
- appoint a privacy officer and an information sharing officer;
- adopt and publish a compliant privacy policy and information breach response policy;
- undertake a Privacy Impact Assessment (PIA) prior to undertaking a ‘high privacy impact function or activity’ which is ‘likely to have a significant impact on the privacy of individuals’; and
- establish an information breach register.
Beyond these mandated steps though, IPP Entities should also be considering their practices against the PRIS Act more broadly, including identifying and reviewing:
- key collections, uses and disclosures of personal information, to ensure they are permissible under the IPPs;
- documentation, forms and notices used in collecting personal information from the public to ensure that notification requirements are met;
- contracts with service providers to bind them to the IPPs; and
- any automated decision making processes used by the organisation, against the requirements of IPP 10.
Our team have considerable experience dealing with the Commonwealth Privacy Act and other State and Territory privacy legislation, and have been assisting IPP Entities in WA with their PRIS Act compliance ahead of the commencement of the legislation. If you have any concerns or questions about how the PRIS Act may impact you, please reach out to us.
This article was written by Daniel Kiley, Partner and Simone Basso, Associate.