New privacy laws passed in Western Australia: What do they mean for you? 

06 December 2024

Not to be outdone by very recent changes to Commonwealth privacy laws, the WA Parliament has passed entirely new privacy legislation. For the first time, WA Ministers, Parliamentary Secretaries and public entities will be subject to privacy obligations, as will contracted service providers to those public entities.

This new regime has been introduced by way of the Privacy and Responsible Information Sharing Bill 2024 (PRIS Bill), and has been foreshadowed by the WA Government for several years.

On 6 May 2024, the PRIS Bill, as well as the accompanying Information Commissioner Bill 2024 (IC Bill), were introduced into the Legislative Assembly. We have previously published a summary of the PRIS Bill as it was introduced, which can be accessed here.

On 28 November 2024, the Bill was passed by both Houses and is currently awaiting assent. Only very minor amendments were made to the Bill since its introduction into Parliament, mostly being formatting amendments and amendments concerning the time period for which the privacy provisions and information sharing provisions are to be reviewed by the Privacy Minister.

As mentioned in our previous article, the PRIS Bill and IC Bill will:

  • provide a framework to protect the privacy of personal information handled by public entities, Ministers, Parliamentary Secretaries and contracted service providers to public entities, centred around a set of Information Privacy Principles (IPPs);
  • provide a framework to authorise the responsible sharing of information held by public entities; and
  • establish the offices of Information Commissioner and Chief Data Officer.

As stated by the Honourable Sue Ellery in the Legislative Council:

“This bill is the first of its kind in Australia … Western Australia is taking a unique approach in combining essential privacy protections and a robust information sharing framework into a single act.”

Who does the PRIS Bill apply to?

The PRIS Bill applies to ‘IPP Entities’ which includes Ministers, Parliamentary Secretaries, a range of ‘public entities’, plus ‘contracted service providers’.

A ‘public entity’ includes:

  • a Department of the public service;
  • a body, or the holder of an office, that is established for a public purpose under statute, or is established by the Governor or a Minister;
  • the Police Force of Western Australia;
  • local government entities;
  • a judicial body;
  • a range of entities specified in the Public Sector Management Act 1994 (WA), such as Infrastructure WA, the Lotteries Commission, the Public Transport Authority of Western Australia, and the Western Australian Tourism Commission; and
  • any other body prescribed by regulation.

The majority of the PRIS Bill will only apply to contracted service providers where contractually imposed by a public sector entity. However, once so imposed, the legislation will apply directly. Failure to comply with the IPPs would be not just a breach of contract, but also a direct breach of the legislation.

If it applies to me, what will I be required to do?

The PRIS Bill will, amongst other things, require IPP Entities to:

  • appoint a privacy officer and an information sharing officer;
  • adopt and publish a compliant privacy policy and information breach response policy;
  • undertake a Privacy Impact Assessment (PIA) prior to undertaking a ‘high privacy impact function or activity’ which is ‘likely to have a significant impact on the privacy of individuals’; and
  • establish an information breach register.

When will the new laws commence?

Part 1 of the PRIS Bill will come into force on the day of assent, but only contains basic definitions.

The rest of the Bill will come into operation “on a day fixed by proclamation”.

Although that date is yet to be set, there are pre-emptive steps which IPP Entities can take in order to prepare for the new incoming laws.

What should I do to prepare?

The first step is to consider whether your organisation would qualify as an ‘IPP Entity’ under the PRIS Bill. In many cases this will be straightforward, as most public entities are likely to be caught by the PRIS Bill, but there may be instances where more nuanced consideration is involved, such as where a non-government organisation is appointed to fulfil a legislative function.

Private business operators who provide services to WA agencies, local governments and other public sector organisations should also begin to assess whether they are likely to be caught by the PRIS Bill as ‘contracted service providers’.

If your organisation is an IPP Entity under the PRIS Bill, it will need to begin taking the steps prescribed by the PRIS Bill, including appointing officers and preparing policies, and assessing its operations against the IPPs more broadly.

The State Government has been encouraging organisations to take a series of steps toward compliance over multiple years, but this has been difficult to do without knowing the substance of the obligations under the PRIS Bill. With the legislative requirements now fixed, IPP Entities can confidently prepare compliant processes and documentation.

Notably, the Commonwealth Parliament passed the Federal privacy laws within the same week that the WA Parliament passed the PRIS Bill. With significant changes taking place with respect to both national and state-based laws, it is clear that privacy and data-related issues are being prioritised by both the Federal and State Governments. To that end, it is important to be aware of these changes and how these laws may apply, and to consider what steps are needed in order to comply with any requirements.

If you have any concerns or questions about how the PRIS Bill may impact you, or regarding any other privacy or data-related issues, please reach out to us and we can assist.

This article was written by Daniel Kiley, Partner and Simone Basso, Associate.
