Amid ongoing changes to safety, industrial and employment laws, from 1 July 2026 new WA privacy obligations commence which will impact how your organisation handles all personal information, including employee information.
The Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act) introduces a comprehensive privacy framework for Western Australian public entities, including local governments, regional local governments, regional subsidiaries, universities and Government Trading Entities (GTEs).
This update examines the impact of the PRIS Act on collection, use and disclosure of employee information. For a recap on the PRIS Act more broadly, our previous summary of the Act is here.
The Information Privacy Principles (IPPs) set out in Schedule 1 to the PRIS Act commence operation on 1 July 2026. Notifiable data breach obligations commence on 1 January 2027.
Importantly, while the collection rules (IPP 1) apply only to information collected on or after 1 July 2026, the use and disclosure rules (IPP 2) apply to information collected at any time, including information your organisation already holds. This means existing personal information will be subject to the new use and disclosure requirements from 1 July 2026. In this insight we set out the key impacts on your handling of employee records.
1. Who is covered?
The PRIS Act primarily applies to Western Australian public entities, including government departments, local governments, public universities, regional local governments, regional subsidiaries and Government Trading Entities (GTEs).
2. What information is covered?
Under the PRIS Act, 'personal information' includes, for example, names, dates of birth, addresses, contact details, identification photographs, bank details, superannuation details, staff numbers, and IP addresses or GPS data assigned to employee resources. The full definition of 'personal information' is outlined at section 4 of the PRIS Act.
'Sensitive personal information' includes, for example, health information, union membership and criminal record information, and is subject to stricter requirements than those which apply to 'personal information'. The full definitions of 'sensitive personal information' and 'health information' are outlined at section 4 of the PRIS Act.
3. Collection of employee information (IPP 1)
From 1 July 2026, your organisation may only collect personal information where it is necessary for one or more of your functions or activities. Collection of sensitive personal information is subject to additional requirements, including that either the individual consents or another exception applies, such as where the collection is required or authorised by law, or is necessary for the establishment, exercise or defence of a legal or equitable claim.
Before collecting personal information, your organisation must make a written record of the purposes for which the information will be collected, used or disclosed. Your organisation must also take steps to advise the individual, at or before the time of collection, of specified matters including the identity of the collecting entity, the purpose of collection, and any law requiring the information to be collected.
4. Use and disclosure of employee information (IPP 2)
Where your organisation holds personal information collected for a particular purpose (primary purpose), it must not use or disclose that information for another purpose (secondary purpose) unless a specific exception applies.
The exceptions include, but are not limited to:
- where the individual would reasonably expect the secondary use or disclosure and the secondary purpose is related to the primary purpose (or, for sensitive personal information, directly related); or
- where the individual consents.
Any such use or disclosure must also be 'fair and reasonable' in the circumstances.
Separately, disclosure can be authorised by law or be necessary for court or tribunal proceedings.
In any event, before using or disclosing personal information for a secondary purpose, your organisation must make a written record of that secondary purpose and, if the information is disclosed, a written record of the disclosure.
5. Disclosure of employee records to obtain legal advice
The PRIS Act does not define 'employee record' as a distinct term, nor does it create a blanket exemption for employee records (unlike the Privacy Act).
The Act permits disclosure where the entity reasonably believes it is necessary for 'proceedings before a court or tribunal'. In our view, this exception is likely to apply where proceedings are ongoing or active but may not extend to the preparation for proceedings that have not yet been commenced.
However, there is a broader basis on which disclosure of personal information to obtain legal advice may be permitted. Where the disclosure is for a purpose related to the primary purpose of collection - such as managing litigation, disputes, complaints and grievances, or ensuring compliance with industrial instruments and workplace legislation - and the individual would reasonably expect such disclosure, the IPP 2 exceptions are likely to authorise the disclosure.
6. Disclosure of employee records to WorkSafe WA, insurers or to other entities
Disclosures made in compliance with statutory obligations will fall within the IPP 2 exception for disclosure 'required or authorised by or under law' provided the disclosure is confined to information reasonably necessary to discharge your statutory obligations. No additional employee consent is required for such disclosures.
This includes, for example:
- notifying WorkSafe of notifiable incidents, responding to notices to produce, or cooperating with inspections under the Work Health and Safety Act 2020 (WA);
- providing claim forms and certificates of capacity to your insurer or providing information to WorkCover WA under the Workers Compensation and Injury Management Act 2023 (WA); and
- sharing of employment records between local government employers for the purpose of recognising prior service and calculating long service leave entitlements on transfer under the Local Government (Long Service Leave) Regulations 2024 (WA).
7. Enforcement and penalties
A contravention of the IPPs constitutes an 'interference with the privacy' of an individual. Affected individuals (which include employees) may complain to the WA Information Commissioner, who will first attempt resolution through conciliation. Conciliation outcomes may include orders requiring the entity to take corrective action, redress loss or damage, or pay compensation of up to $75,000.
The Commissioner may also monitor compliance, issue notices to produce, and investigate interferences. Failure to comply with a compliance notice may attract a penalty of up to $60,000.
8. Recommended actions before 1 July 2026
In anticipation of the IPPs and the substantive privacy provisions of the PRIS Act coming into force, we recommend our impacted clients:
- Audit the records kept by their organisation to:
  - understand what personal information or data is collected, where, by whom, for what purpose and whether this data contains sensitive personal information, to form the basis for an Information Asset Register;
  - assess the organisation's compliance with privacy policies and procedures and documentation obligations which give effect to IPP 1.7, 2.4 and 5;
  - determine whether appropriate technical and organisational security measures are in place to protect personal and sensitive information and ensure that it is only being used and disclosed where permitted under the PRIS Act;
- Prepare privacy collection notices that can be given to individual employees and/or job candidates which, among other things, set out the types of personal information the IPP entity will collect from the individual, and the purpose for which it collects that information, to comply with IPP 1.9;
- Consider whether current data retention practices and policies are compliant with the new obligations;
- Prepare for the notifiable data breach scheme by preparing and testing data breach response plans; and
- Train staff on the new obligations they will have under the PRIS Act.
We would be pleased to assist with the above steps, including the preparation of privacy policies, collection notices and record-keeping templates tailored to your organisation's operations. We have a range of service offerings that can suit your budget and needs.
Please do not hesitate to contact us if you wish to discuss any aspect of this summary or to arrange a time to commence preparation for the new requirements.