New privacy laws for Western Australia’s public sector on the way

by Gemma McGrath | Jul 22, 2024 | Health Blog

The long-awaited Privacy and Responsible Information Sharing (PRIS) Bill 2024 is now before the Western Australian Parliament and is expected to become law in the near future. The Bill is aimed at bolstering data privacy, authorising responsible information sharing, and setting governance frameworks for managing personal information within Western Australian public entities, while promoting transparency and security.

Overview of the PRIS Bill

Privacy Framework

The PRIS Bill introduces a framework to protect the privacy of personal information handled by public entities, ministers, parliamentary secretaries and contracted service providers[i]. The framework is grounded in the Information Privacy Principles (IPPs), which set out rules for the collection, use, disclosure, quality, security and accessibility of personal information. The IPPs appear to have been drafted with an eye to the changes expected to be made to the Australian Privacy Principles under the Privacy Act 1988 (Cth).

Key features of the IPPs include:

  • limiting the collection of personal information to necessary instances
  • requiring consent for collecting sensitive information
  • communicating handling details during the collection process
  • limiting the use and disclosure of personal information to the primary purpose, related secondary purposes, legally required purposes, or with the individual’s consent
  • providing means for individuals to access and correct their personal information
  • taking reasonable steps to secure personal information
  • publishing a privacy policy.

Responsible Information Sharing

A key aspect of the PRIS Bill is the authorisation of responsible information sharing among public entities and specific external entities, such as higher education providers, Aboriginal community-controlled organisations, and health-related research bodies. The Bill outlines procedures for “information sharing requests” and the formation of “information sharing agreements,” all assessed against a set of Responsible Sharing Principles (RSPs). This structured approach is aimed at ensuring data is shared ethically and efficiently, whilst supporting government policies, programs, and services.

Establishment of New Regulatory Bodies

The PRIS laws will be overseen by two new regulatory bodies:

  1. the Office of the Information Commissioner; and
  2. the Chief Data Officer (CDO).

The Information Commissioner, supported by a Privacy Deputy Commissioner and an Information Access Deputy Commissioner, will oversee the privacy aspects. The CDO will manage the responsible information sharing components, ensuring compliance and best practices across public entities.

Mandatory Notifiable Information Breaches Scheme

A mandatory notifiable information breach scheme, modelled on the notifiable data breach scheme under the Privacy Act 1988 (Cth), will also be introduced. Where a breach of personal information is likely to result in serious harm to an individual, the scheme requires the entity to notify both the affected individuals and the Information Commissioner.

Compliance Requirements

Entities governed by the new laws will need to:

  1. Appoint a privacy officer and an information sharing officer.
  2. Adopt and publish compliant privacy and data breach response policies.
  3. Establish a data breach register.

Entities will also be required to review their existing information handling practices, conduct privacy impact assessments, train staff, include appropriate provisions in contracts with service providers, and settle their approach to handling information sharing requests.

Action Required

The primary focus for public entities, and for businesses that provide services to public entities under contract, will be to develop policies covering the matters addressed by the Bill. These will likely need to deal with the collection of personal information (including how consent is documented), the use and disclosure of personal information, and information sharing agreements. A data breach incident response plan that addresses the notification requirements, and a process for privacy impact assessments, should also be considered.

If you or your business require assistance with preparing for the implementation of the new legislation, please reach out to the Panetta McGrath team.

[i] Contracted service providers will be covered when their contracts include clauses obliging them to comply with the privacy aspects of the PRIS laws. Failure to include such clauses could leave the contracting public entity liable for breaches of the IPPs committed by its service providers.

Gemma McGrath