Incoming privacy law reform for WA's public sector

6 minute read  17.10.2024 Lucy Leckey, Paul Kallenbach, Kathy Reid and Danica Lamb

The new WA privacy and responsible information sharing (PRIS) laws are in their final stages of the Parliamentary process, and public sector organisations need to prepare for the reforms now.

As noted in our previous article 'New privacy laws for WA's public sector', the Privacy and Responsible Information Sharing Bill 2024 (PRIS Act) passed the Legislative Assembly in June this year and is now being considered by the Legislative Council. We anticipate that the Bill will be passed before State Parliament enters the caretaker period ahead of the State Election on 8 March 2025.

The draft legislation introduces several areas of reform, aimed at protecting the privacy of Western Australians and promoting responsible and transparent sharing and use of personal information by public entities.

There are two sets of guiding principles introduced under the PRIS Act:

1. Information Privacy Principles (IPPs).

These guiding rules will provide a robust framework to govern the collection, use, disclosure and handling of personal information across the WA public sector (and contracted service providers where required).

2. Responsible Sharing Principles (RSPs).

These guiding rules will provide a consistent framework for the assessment of risks and benefits associated with a data sharing arrangement.

Who will it apply to?

The new laws will apply to the majority of the WA public sector, including:

  • WA Government trading enterprises and departments,
  • local and regional governments,
  • the WA Police Force,
  • SES organisations under the Public Sector Management Act 1994 (WA), including the Arts and Culture Trust, Rottnest Island Authority, the Insurance Commission of Western Australia, the Metropolitan Redevelopment Authority, the Public Transport Authority, the Housing Authority, Lotteries Commission and the Western Australian Tourism Commission,
  • a body, or the holder of an office, established under a written law or by the Governor or a Minister, including Government Trading Enterprises, and
  • judicial bodies (such as the Supreme Court of Western Australia).

Businesses that contract with a State public entity to provide services, and their subcontractors, are also included as 'IPP entities' to which the Information Privacy Principles apply.

Areas of reform

The PRIS laws will be overseen by two new public bodies:

  • the Office of the Information Commissioner (OIC), established under the Information Commissioner Act 2024 (WA), which is to commence at the same time as the PRIS Act, and
  • the Chief Data Officer.

The OIC consists of a newly appointed Information Commissioner, a Privacy Deputy Commissioner, and an Information Access Deputy Commissioner. These independent statutory officers will report directly to Parliament and will have a focus on monitoring agency compliance with the IPPs and handling complaints of alleged breaches of privacy through investigative and enforcement powers.

The Chief Data Officer will oversee, and assist with, the application of the responsible information sharing aspects of the PRIS laws, with the aim of fostering a culture of responsible information sharing and use in the public sector.

Other key areas of reform are:

  • a mandatory data breach notification scheme, requiring public agencies to notify the Privacy Deputy Commissioner and any affected individuals of serious data breaches involving personal information as soon as practicable,
  • a statutory mechanism under which WA public sector agencies may share information only if they meet new, stringent standards for risk assessment, decision making (particularly where automated decision-making processes are used), governance and transparency,
  • a requirement for each public entity to designate a privacy officer and information sharing officer, who will be responsible for coordinating the entity's dealings with the Information Commissioner and Chief Data Officer, and
  • the introduction of a mechanism that supports Aboriginal data governance in WA, by requiring that Aboriginal people and communities are involved or consulted when data that primarily affects Aboriginal people is shared.

What is the impact?

The effect of these reforms is that public sector agencies will need to adopt a privacy-by-design approach to collecting, using and handling personal information.

Personal information must only be collected when it is ‘necessary’ for one or more of the IPP entity's functions or activities, and the collection must be ‘fair and reasonable’. Sensitive information (such as health information) will be subject to further protections under the PRIS Act, with a list of criteria outlining the circumstances in which collection is permitted. Once collected, personal information must only be used for the particular purpose for which it was collected, and is subject to robust rules regarding disclosure. Individuals will be able to lodge complaints about potential interferences with their privacy.

It is hoped that this greater level of transparency and accountability will allow for trusted data exchange across government agencies, enhancing collaboration and efficiency in the WA public sector.

How do the PRIS laws differ from the Commonwealth Privacy Act, if at all?

We understand that many WA public sector clients have sought to replicate or reflect the privacy obligations contained in the Privacy Act 1988 (Cth) as a matter of 'best practice', notwithstanding that the Commonwealth legislation does not apply to them.

As a result, the PRIS reforms may require organisations to pivot from applying Privacy Act principles as a matter of practice to applying the PRIS laws as a matter of compliance.

Key changes/differences between the Privacy Act and the PRIS laws include:

  1. Application: the PRIS Bill will apply to WA public entities and to businesses contracting or sub-contracting with public entities to provide services, even where those contractors or sub-contractors are not WA public entities or are small businesses (annual turnover under $3 million) to which the Privacy Act does not apply.
  2. Scope: the PRIS Bill's 'Information Privacy Principles' (IPPs), like the Australian Privacy Principles (APPs) in the Privacy Act, seek to protect personal information. However, the IPPs balance privacy against the practical principle of 'responsible sharing' to facilitate the delivery of public services.
  3. Definition: the PRIS Bill defines 'personal information' more broadly than the Privacy Act, extending it to information about deceased persons and to information from which predictions of behaviour or preferences can be inferred.
  4. Collection of data (APP 3/IPP 1): the PRIS Bill requires that information collected must be 'necessary', rather than 'reasonably necessary' as under the APPs.
  5. De-identified information: IPPs 4 and 11 require de-identified information to be subject to 'reasonable security measures' in the same way as identifiable personal information. This differs from the Privacy Act, under which information that has been de-identified is no longer personal information and can therefore be used and disclosed more freely.
  6. Automated decision making: IPP 10 requires IPP entities to be transparent about their use of 'automated decision making processes' and to ensure that appropriate safeguards are in place. The Privacy Act does not currently address automated decision making (although this will change once the first tranche of reforms to the Privacy Act is enacted).
  7. Responsible information sharing: the PRIS Bill encourages responsible sharing between government bodies for prescribed purposes. This is distinct from the Privacy Act, which does not contemplate sharing personal information for the purpose of public service provision.
  8. Impact assessment: the PRIS Bill requires IPP entities to proactively conduct a Privacy Impact Assessment before undertaking 'high privacy impact' activities and to produce a report to that effect. The Privacy Act contains no corresponding requirement.

What next?

With the WA Labor Government holding a strong majority in both houses, the PRIS Bill is expected to pass. WA public sector entities, and the businesses that contract with them, should prepare for these changes, including by ensuring that their governance systems are fit for purpose to address the incoming requirements.
The team at MinterEllison is experienced in advising Commonwealth and State public sector organisations on their privacy, data and information sharing obligations, and is well placed to support your organisation's program of work to meet its PRIS obligations. We can assist with privacy audits, developing policies and procedures, undertaking Privacy Impact Assessments and preparing Data Breach Response Plans. If you are affected by these reforms and need more detailed advice, please contact us.

https://www.minterellison.com/articles/incoming-privacy-law-reform-for-was-public-sector