The Privacy Act 1988 (Cth) (Commonwealth Act) sets out the manner in which personal information may be handled by Commonwealth Government agencies and many private organisations, but specifically does not address these matters for State Government agencies.
The States are instead left to regulate use of their own public services, and most jurisdictions have adopted rules of some kind around how their agencies will deal with personal information. Currently, Western Australia and South Australia are the only two jurisdictions in Australia which do not have specific privacy legislation, though there are privacy-specific administrative instructions in South Australia.
A report conducted by the Western Australian Government found that the lack of privacy legislation resulted in other Governments, particularly the Commonwealth Government, being hesitant to share data with Western Australia.
On 5 August 2019, Western Australia took the first step to address this gap, with the Department of Premier and Cabinet commencing a three-month public consultation on the State’s proposed Privacy and Responsible Information Sharing legislation which will govern the protection and sharing of personal data in the public sector.
The proposed new legislation will introduce a comprehensive privacy framework to regulate the way the Western Australia public sector collects, holds, uses and discloses personal information.
The Western Australian Government proposes to use the Australian Privacy Principles from the Commonwealth Act as the starting point for its own legislation, which is similar to the approach in many other States, and should hopefully ensure that the end result is of the same spirit as other privacy laws in Australia.
A new WA Privacy Commissioner would also be established to administer these laws, with the ability to receive complaints from the public.
New legislation may also include provisions that specifically facilitate the sharing of information between different parts of the Western Australian public service, which the Government hopes will improve services, and make it easier for the public to interact with different agencies. Standalone public sector data sharing legislation has already been introduced in a number of other jurisdictions, including Victoria, New South Wales and South Australia.
How does this impact me?
While the proposed new laws are obviously going to be of most immediate impact to the WA public service and the individuals who interact with it, it is likely to also be relevant to businesses that contract with the Western Australian Government.
Such a business would ordinarily be subject to the Australian Privacy Principles set out in the Commonwealth Act, but these will not apply to its activities in the course of providing services under a contract with a State as a contracted service provider.
Under similar legislation in other States, such as the Privacy and Data Protection Act 2014 (Vic) and the Information Privacy Act 2009 (Qld), it is expected that the State’s contracted service providers will be contractually bound to follow the local privacy laws. Those service providers are then subject to the Commonwealth Act in their activities generally, and the local regime in their activities as a contractor of the State.
Businesses servicing the public sector in WA will accordingly need to follow these developments closely.
HWL Ebsworth has considerable experience assisting businesses their privacy obligations. Please contact a member of our team for further information on how we can assist you.
This article was written by Luke Dale, Partner, Daniel Kiley, Special Counsel and Maggie Wong, Senior Associate.