Western Australia’s Privacy Reforms commenced on 1 July 2026

by | Jul 13, 2026 | Health Blog

On 22 July 2024, we published an article introducing Western Australia's proposed privacy reforms and explaining how the then Privacy and Responsible Information Sharing Bill would establish the State's first comprehensive privacy framework.

On 22 July 2024, we published an article introducing Western Australia’s proposed privacy reforms and explaining how the then Privacy and Responsible Information Sharing Bill would establish the State’s first comprehensive privacy framework.

Those reforms became operational on 1 July 2026

The majority of the operative provisions of the Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act) commence on 1 July 2026, representing one of the most significant changes to the regulation of personal information in Western Australia’s public sector. A further key obligation—the mandatory reporting of serious data breaches—will commence on 1 January 2027.

The PRIS Act introduces two significant reforms:

  • a statutory privacy regime governing the collection, use, storage and disclosure of personal information by Western Australian public sector agencies and their contracted service providers; and
  • a framework that enables responsible information sharing between government agencies while maintaining appropriate privacy safeguards.

The legislation brings Western Australia into line with every other Australian jurisdiction and will apply to a wide range of WA public entities, including WA Government departments, local governments, government trading enterprises, the Police Force of WA, courts and tribunals, SES organisations under the Public Sector Management Act 1994 (WA), universities and any other body established for a public purpose under a written law (with limited exceptions).

Information Privacy Principles

The Act introduces 11 Information Privacy Principles (IPPs) which regulate how personal information is handled.

In practical terms, public entities will be required to ensure that personal information is:

  • collected only where authorised and necessary;
  • collected fairly and transparently;
  • used and disclosed only for authorised purposes;
  • kept accurate, complete and up to date;
  • protected through appropriate security measures; and
  • retained and destroyed in accordance with legislative requirements.

Of note, IPP 6 allows an individual a right of access to their personal information held by an IPP entity and also to seek to correct any personal information held which is said to be incorrect or out of date. An IPP entity must make a decision about the request for access or correction as soon as practicable, but no later than 45 days after the request was made. If the IPP entity refuses to give access or correct the personal information, it must give an individual valid reasons.

Privacy governance obligations

The new regime also requires agencies to adopt a far more structured approach to privacy management, including:

  • implementing privacy governance frameworks;
  • maintaining appropriate internal policies and procedures;
  • providing clear privacy collection notices;
  • considering privacy impacts when introducing new programs or technologies;
  • ensuring appropriate handling of personal information held in public registers; and
  • responding to privacy complaints and access requests under the new framework.

Responsible information sharing

The PRIS Act also establishes a framework allowing government agencies to share information where doing so delivers a public benefit and legislative requirements are satisfied.

Rather than preventing information sharing, the Act seeks to facilitate responsible sharing by establishing consistent decision-making processes, accountability measures and safeguards around the use of personal information.

Contracted service providers

Where a government services contract provides for the application of the PRIS Act, contracted service providers may become directly subject to the IPPs when handling personal information on behalf of a public entity.

This means organisations delivering services to government should review both their contractual obligations and their privacy compliance frameworks before 1 July 2026.

Mandatory Data Breach Notification Scheme

While most obligations commence on 1 July 2026, one significant component has been deferred.

From 1 January 2027, the PRIS Act introduces a mandatory serious data breach notification scheme.

Where a serious data breach occurs, affected agencies or contractors will generally be required to:

  • assess the breach;
  • notify the Information Commissioner; and
  • notify affected individuals where required.

The introduction of mandatory breach notification reflects the increasing expectation that organisations respond promptly and transparently when personal information has been compromised.

What should organisations be doing now?

Although the commencement date has arrived, many organisations are still working towards full compliance.

Key priorities include:

  • reviewing existing privacy policies and procedures;
  • mapping the personal information your organisation collects and uses;
  • updating collection notices and consent processes where necessary;
  • reviewing contracts with service providers;
  • implementing or updating privacy impact assessment processes;
  • training staff on the new legislative requirements; and
  • developing or testing data breach response plans ahead of the commencement of the mandatory notification scheme in January 2027.

How Panetta McGrath can assist

Whether your organisation is a government agency, local government authority, statutory body or contracted service provider, ensuring compliance will require more than simply updating a privacy policy.

Our team regularly advises clients on privacy compliance, governance, information sharing arrangements, policy development, contractual obligations and responding to privacy incidents. If you would like assistance preparing for the new regime or reviewing your existing privacy framework, please contact the team at Panetta McGrath Lawyers.

 

Gemma McGrath

Gemma McGrath