Privacy in the West: Landmark privacy legislation hits WA Parliament

24 May 2024

While Western Australia has long been one of the last Australian jurisdictions without its own privacy legislation, its Government is now proposing to jump to the front of the pack, with two new Bills that have recently been introduced into Parliament. Attorney-General Quigley has touted this as an ‘opportunity’ for WA to ‘establish contemporary privacy protections and innovative responsible information sharing practices fit for the digital age’.

The Commonwealth Privacy Act (Commonwealth Act) applies to the handling of personal information by Commonwealth Government agencies and private organisations (other than small businesses), but not to State Government agencies.

The States are instead left to regulate their own public services, and most jurisdictions have adopted rules of some kind around how their agencies will deal with personal information. Currently, Western Australia and South Australia are the only two jurisdictions in Australia which do not have specific privacy legislation, though there are privacy-specific administrative instructions in South Australia.

After a consultation process in 2019, and an announcement in 2022 that legislation would be coming soon, 16 May 2024 saw the Privacy and Responsible Information Sharing Bill 2024 (PRIS Bill) and Information Commissioner Bill 2024 (IC Bill) introduced into the WA Legislative Assembly, providing our first look at the substance of the proposed laws.

While the PRIS Bill is primarily relevant to the public service, it can be relevant to contractors providing services to State Government entities, and of course to Western Australian individuals dealing with the Government.

The centrepiece of the PRIS Bill is its set of Information Privacy Principles (IPPs), which set out the manner in which personal information can be collected, held, used and disclosed, and are similar to the Commonwealth Act’s Australian Privacy Principles (APPs).

The Commonwealth Act is currently subject to review, and the PRIS Bill appears to have picked up a number of features being considered for a future version of the APPs, leaping ahead and potentially providing an example of what those national changes might look like.

While the privacy elements of the PRIS Bill obviously place limitations on the ways in which personal information can be used and disclosed by the WA public service, the PRIS Bill also introduces a new framework for responsible information sharing within Government. Attorney-General Quigley believes that the PRIS Bill balances ‘the public interest in protecting the privacy of personal information with the safe flow of government information to drive innovation and deliver seamless public services’.

Compliance with the PRIS Bill will require ‘entities’ forming part of the WA public sector to:

  • appoint a privacy officer and an information sharing officer;
  • adopt and publish a compliant privacy policy and data breach response policy; and
  • establish a data breach register,

but is likely to also involve a range of other steps, including assessing existing information handling practices, formulating an approach to privacy impact assessments, undertaking staff training, drafting contractual provisions for service providers and other outsourcing arrangements, and assessing the entity’s approach to information sharing requests.

Who is covered by the PRIS Bill?

The obligations of the PRIS Bill apply to a very wide range of entities within the WA public sector, as well as some private sector entities who provide services to the public sector.

The PRIS Bill applies to what it terms ‘IPP Entities’. This includes Ministers, Parliamentary Secretaries, a range of ‘public entities’, plus ‘contracted service providers’.

A ‘public entity’ includes:

  • a Department of the public service;
  • a body, or the holder of an office, that is established for a public purpose under statute, or is established by the Governor or a Minister;
  • the Police Force of Western Australia;
  • local government entities;
  • a judicial body;
  • a range of entities specified in the Public Sector Management Act 1994 (WA), such as Infrastructure WA, the Lotteries Commission, the Public Transport Authority of Western Australia, and the Western Australian Tourism Commission; and
  • any other body prescribed by regulation.

The majority of the PRIS Bill will only apply to contracted service providers where contractually imposed by a public sector entity; however, once so imposed, the legislation will apply directly. Failure to comply with the IPPs would then be not just a breach of contract, but also a direct breach of the legislation.

We note that, if the IPPs are not contractually imposed, then:

  • the relevant contracted service provider could potentially not be subject to any privacy legislation, because the Commonwealth Act does not apply to contracted service providers when performing their duties to a State Government; and
  • the relevant public service entity which provided personal information to the contracted service provider can itself be liable for breach of the IPPs by that service provider.

What information does the PRIS Bill cover?

Personal information

The PRIS Bill applies to the handling of ‘personal information’. This is defined in a very similar way to the Commonwealth Act, but is slightly broader in many respects.

Under the PRIS Bill, personal information means ‘information or an opinion, whether true or not… that relates to an individual, whether living or dead, whose identity is apparent or can be reasonably ascertained from the information or opinion’.

The use of the term ‘relates to’ renders the term subtly broader than the Commonwealth Act definition, which refers to information ‘about’ an individual. This change has been agreed in-principle by the Federal Government, and could appear in a future version of the Commonwealth Act. It overcomes an issue from a case under a previous version of the Commonwealth Act, wherein journalist Ben Grubb was denied access to certain information held by Telstra on the basis that this information was about the technical operation of Telstra’s network, rather than being about Mr Grubb.

The Commonwealth Act also ceases to protect the personal information of individuals after they are deceased. The PRIS Bill will accordingly join the Tasmanian Personal Information Protection Act 2004 in recognising the personal information of deceased persons, although in the Tasmanian legislation such protections only apply for 25 years after death.

Sensitive personal information

The PRIS Bill also provides more robust protections for ‘sensitive personal information’. This is defined in a similar way to ‘sensitive information’ under the Commonwealth Act, capturing personal information relating to matters such as race, sexuality, religion and health, but also adds a new category for information that relates to an individual’s ‘gender identity, in a case where the individual’s gender identity does not correspond with their designated sex at birth’. The PRIS Bill also makes clearer that any other information from which sensitive personal information can be reasonably inferred is itself sensitive.

Publicly available information

Despite the term ‘privacy’ tending to connote a degree of confidentiality or secrecy, most privacy laws such as the Commonwealth Act apply to personal information whether or not it is confidential. Personal information does not cease to be about an individual merely because it is published, made available online, or accessible via a public register, and protections continue to apply.

Clause 22 of the PRIS Bill is therefore unusual in proposing that the IPPs ‘do not apply to the handling of information contained in a document that is… generally available to members of the public (whether for a fee or charge or not); or… published or available for inspection by members of the public (whether for a fee or charge or not) under a written law, other than as a result of [a request to access personal information under the IPPs] or an application for access under [FOI]’.

De-identified information

Under the Commonwealth Act, any suitably de-identified personal information ceases to be about an identifiable individual, and is outside the bounds of the legislation, and therefore able to be used and disclosed without regard to the APPs.

The PRIS Bill takes a slightly stricter approach, and would place some basic regulations around the storage of de-identified information, and limitations on how it may be re-identified.

Information Privacy Principles

The IPPs set out requirements for the collection, use, disclosure and storage of personal information by IPP Entities.

These requirements are broadly consistent with the APPs, with the Attorney-General claiming that the ‘IPPs are designed to be as harmonious as possible with the commonwealth government’s Australian Privacy Principles, but have been adapted to best meet the needs of Western Australians’. Both regimes emphasise being transparent with individuals, and set the boundaries of how personal information can be used and disclosed by reference to the expectations of those individuals.

Key shared features of the APPs and IPPs include, in broad terms:

  • limiting collection of personal information to those instances where necessary for one or more of the entity’s functions or activities (IPP 1.1 and APP 3);
  • requiring consent prior to collection of sensitive information in most instances (IPP 1.2 and APP 3.3);
  • communicating certain details about the handling of personal information as part of the collection process (IPP 1.9 and APP 5);
  • limiting use and disclosure of personal information (IPP 2 and APP 6) to:
    • the primary purpose for which that information was collected;
    • a related secondary purpose, if reasonably expected by individuals involved;
    • instances where the use or disclosure is required or authorised by another law;
    • other purposes, if the individual has consented to that use or disclosure; or
    • certain other narrow circumstances defined in the legislation;
  • providing individuals with means to access and correct their personal information (IPP 6 and APPs 12 and 13);
  • taking reasonable steps to secure personal information held (IPP 4 and APP 11); and
  • publishing a privacy policy (IPP 5 and APP 1.3).

IPP Entities will need to ensure that their practices comply with these requirements, but given consistency with the APPs, organisations which have been following best practice from the private sector and Commonwealth public sector should be well placed to do so.

However, there are also a number of elements in the IPPs which vary from the national regime.

One conspicuous new element is an overriding requirement that any collection, use and disclosure of personal information is ‘fair and reasonable’. This change has been mooted for the Commonwealth Act, and agreed in-principle by the Federal Government, which notes that a new requirement of this nature ‘will help protect individuals when their personal information is used in complex data processing activities which have emerged through technological advancement, such as screen scraping and AI’ and ‘will also help to protect individuals from the use of ‘dark patterns’ which may nudge users towards consenting to more privacy intrusive practices’.

Also new, relative to the Commonwealth Act, are requirements around the use of personal information as part of automated decision-making processes, which are covered by IPP 10. These issues are addressed in foreign legislation such as the EU General Data Protection Regulation (GDPR), but are yet to be tackled by the Commonwealth Act, and the Attorney-General has described the PRIS Bill provisions as ‘an Australian-first’. The Federal Government has agreed to a number of proposals to change the Commonwealth Act to address automated decision-making.

Notifiable data breaches

Much like the Commonwealth Act, the PRIS Bill also places obligations on IPP Entities in the event of a data breach.

These rules apply where personal information held by an IPP Entity is subject to unauthorised access, disclosure or loss, and ‘a reasonable person would conclude that’ this is ‘likely to result in serious harm to any individual to whom the information relates’.

In these instances, an IPP Entity will be required to notify the Commissioner and affected individuals of certain matters associated with the breach, some of which are more detailed than the requirements under the Commonwealth Act. Those more detailed matters include:

  • descriptions of steps taken to contain the breach and minimise harm;
  • the period of time for which the breach persisted; and
  • in the case of the notice to the Commissioner, estimates of the number of persons impacted and the cost of the breach.

The PRIS Bill also goes beyond the Commonwealth Act in other respects, including requiring IPP Entities to prepare and publish a data breach response policy, establish and maintain a data breach register, and include information about data breaches in annual reports under the Financial Management Act 2006 (WA).

Privacy impact assessments

The Commonwealth Office of the Information Commissioner (OAIC) recommends that entities undertaking potentially risky activities using personal information first undertake a privacy impact assessment (PIA), but this is not a strict requirement of the Commonwealth Act.

The PRIS Bill will require IPP Entities to undertake a PIA prior to undertaking a ‘high privacy impact activity’ which is ‘likely to have a significant impact on the privacy of individuals’.

This change has also been mooted for the Commonwealth Act, and the Federal Government has agreed in-principle that entities should be ‘required to conduct a PIA for activities with high privacy risks’.

The Explanatory Memorandum for the PRIS Bill explains that:

Functions or activities that may have a significant impact on the privacy of individuals might involve the collection, use or disclosure of sensitive information on a large scale, ongoing or real-time tracking of an individual’s geolocation, and the use of biometric templates or biometric information for the purpose of verification or identification.

Responsible information sharing

The PRIS Bill also contains provisions which aim to encourage ‘responsible information sharing’ between government agencies or bodies. These provisions are designed to enable Government agencies or bodies to share information for the benefit of the community and remove any barriers which would otherwise inhibit the sharing of information within Government.

It is proposed that, in practical terms, this would occur through the entering into of information sharing agreements which would then authorise entities to disclose, collect and hold government information. The information may then be handled in accordance with the terms of those agreements, with the PRIS Bill authorisation removing liability that might otherwise apply under confidentiality or secrecy obligations.

Upon introduction of the PRIS Bill, Attorney-General Quigley summarised:

Currently, agencies are often unable or reluctant to fully participate in activities and projects that involve information sharing due to lack of clarity about when and for what purposes the information they hold can be disclosed. These provisions of the bill make clear that agencies are authorised to share information despite any secrecy provision that might apply, provided they have met the requirements of the responsible information sharing framework.

These protections only apply for use of shared information in a manner consistent with the agreement, and any use or disclosure of information obtained under an information sharing agreement for unauthorised purposes is subject to strict penalties, potentially including imprisonment.

The PRIS Bill also proposes to allow information sharing agreements to be made, and information shared with, certain organisations outside of the WA Government. These include agencies from other States and Territories and the Commonwealth, contracted service providers of WA agencies, Australian Universities, and other bodies carrying out health-related research.

Whether within WA Government, or with an external entity, information sharing agreements are only able to authorise the handling of information for certain permitted purposes, including:

  • ‘to inform or enable the making or implementation of government policy’;
  • ‘to inform or enable the design, management, delivery or evaluation of government programs and services’;
  • ‘to inform or enable research and development with clear and direct benefits to the public’; or
  • ‘to inform or enable emergency management’.

Although the objects of the PRIS Bill strongly encourage entities to enter into responsible information sharing arrangements, there is no obligation under the PRIS Bill to enter into such an arrangement or disclose information (subject to the Ministerial power of direction). The PRIS Bill also sets out certain categories of information which are to be excluded from the regime, such as information which could reasonably be expected to reveal the identity of whistleblowers or other protected persons, or to prejudice national security.

Prior to entering into a responsible information sharing agreement, the PRIS Bill requires that proposed parties to that agreement:

  • assess the risks and benefits to sharing information through the application of the Responsible Sharing Principles (RSPs). The RSPs are based on the internationally recognised ‘Five Safes’, a framework to help organisations make decisions about information sharing; and
  • undertake a PIA and an Aboriginal information assessment in certain circumstances.

The PRIS Bill will also establish a Chief Data Officer who will be responsible for building the capability of public entities to share information in accordance with the PRIS Bill, and maintain a public register of information sharing agreements. The Bill will also establish the Privacy and Responsible Information Sharing Advisory Committee, which has the function of advising the Chief Data Officer in relation to the performance of their functions.

What should I do to prepare?

The PRIS Bill (in its current form) will apply to a broad range of WA public sector organisations. Anyone involved in the WA public sector should start by confirming whether they will indeed qualify as an ‘IPP Entity’. If so, they will need to begin taking the steps prescribed by the PRIS Bill, including appointing officers and preparing policies, and assessing their operations against the IPPs more broadly.

Private business operators who provide services to WA agencies, local governments and other public sector organisations should also begin to assess whether they are likely to be caught by the PRIS Bill, and anticipate that, even if not covered now, they likely will be in future contracts. Those businesses should already have APP-compliant processes and policies in place, and should assess whether updates are needed to also accommodate these WA-specific requirements.

Our team have considerable experience dealing with the Commonwealth Act and other State and Territory privacy legislation. If you have any concerns or questions about how the PRIS Bill may impact you, please reach out to us.

This article was written by Daniel Kiley, Partner, and Simone Basso, Solicitor.
