‘This bill will address the current privacy gap in Western Australia, bringing it into line with most other Australian jurisdictions and enabling the safe sharing of government information to better deliver public benefits.’
With these words, the Western Australian Attorney-General commended the Privacy and Responsible Information Sharing (PRIS) Bill (Bill) to the WA Assembly on 16 May 2024,[i] following which debate was adjourned. But if the Bill is now paused pending introduction of the Federal privacy law reforms expected to commence this month, that pause may end soon.
Introduction
The PRIS Bill’s new privacy regime protects personal information defined as ‘information or an opinion, whether true or not…that relates to an individual, whether living or dead, whose identity is apparent or can be reasonably ascertained from the information or opinion.’
In many ways the Bill resembles the Victorian Privacy and Data Protection Act 2014[ii] and its Information Privacy Principles (IPPs), but it sensibly adds a general framework to authorise the responsible sharing of information held by WA public entities, together with Responsible Sharing Principles (RSPs). And as the definition of personal information flagged,[iii] the Bill’s privacy components also draw on proposals already agreed or agreed in principle by the federal government in connection with its review of the Privacy Act 1988 (Cth) (Privacy Act).
Most WA public entities, such as departments of the public service and local and regional governments, will already have undertaken a program of PRIS preparation following extensive public consultations. However, private entities that have not participated in that program, although they provide services to or on behalf of the state, may still be unprepared. These entities have no time to lose in getting ready.
How should these service providers prepare?
Assuming that businesses providing government services are already familiar with existing Privacy Act and Australian Privacy Principle (APP) concepts and requirements, here is our suggested approach to PRIS preparation.
Step 1: Assess whether your business may be caught by the PRIS Bill and to what extent, now or in the future.
Existing providers should first ascertain whether their agreement with a public entity constitutes a State services contract. This is a contract between a public entity (called the outsourcing entity) and another entity that is not a public entity (including subcontractors) to provide services on behalf of the outsourcing entity (cl.8.1). Such contracted service providers (CSPs) are among the entities termed IPP entities that are caught by the PRIS Bill (cl.14(1)). IPP entities must comply with the Bill’s IPPs (cl.20 and Schedule 1), subject to exceptions.
Next, if your firm as CSP has entered into a State services contract, check whether the contract explicitly provides for privacy obligations to apply to the CSP: under cl.129 a State services contract may include a provision that, for the purposes of the contract, the CSP’s privacy obligations apply in the same manner as for the outsourcing entity.
If the contract does contain such a contractual clause, a CSP that handles personal information contrary to the IPPs’ requirements may be liable for both breach of the legislation and breach of contract.
If your current contract does not contain such a provision, be aware that this might change when the contract is renewed or replaced by the outsourcing agency. In the absence of such a contractual clause, an outsourcing agency that has provided personal information to a CSP may find itself directly liable for any breach of the IPPs by that CSP.
Note that the requirements set out in the IPPs should be broadly familiar. However, in a nod to Privacy Act reform proposals:
- IPP 10 introduces innovative requirements for IPP entities employing an automated decision-making process involving personal information in making significant decisions about individuals; and
- IPP 11 introduces more stringent requirements to protect de-identified information.
Be aware that under the Bill’s transitional provisions, some of the IPPs apply in relation to personal information that was collected before specified sections of the legislation come into operation.
Step 2: Make sure you also understand other clauses that are specific to the application of the privacy provisions to IPP entities that are CSPs and that cover CSPs in relation to information sharing.
If you must comply, your next step is to look at what is required under other clauses directly relating to CSPs. In Part 2, division 11 for example, the Bill:
- prescribes how requests for access or correction under IPP 6 must be handled;
- specifies the notifiable data breach obligations of the Bill that apply to CSPs; and
- indicates what the Information Commissioner is required to do if the CSP makes an application for a public interest determination.
Part 3 of the Bill also contains provisions regarding the sharing of government information: CSPs can both make information sharing requests to, and enter into information sharing agreements with, public entities.
Step 3: Be aware of changes in the WA public sector agency you contract with.
Entities forming part of the WA public sector will be coming to terms with the prospect of oversight not only by a new Information Commissioner’s office but also by the new Chief Data Officer provided for in the Bill.
The Bill also mandates new appointments and practices within these entities that are likely to impact CSPs. To comply with the Bill these entities will need to take various actions including to:
- appoint senior officers of the entity as privacy officer (s 151) and information sharing officer (s 210), each with specified duties;
- develop and publish compliant policies on their handling of personal information (IPP 5.1) and an information breach response policy (s 73); and
- conduct privacy impact assessments before undertaking functions or activities likely to have a significant impact on individuals’ privacy (s 79).
In light of this new regime, they can be expected to review and/or redraft contractual provisions for service providers and other outsourcing arrangements.
Step 4: Evaluate your existing processes and policies.
Your privacy processes and policies should already be compliant with the Privacy Act’s APPs in their current form, but they may need adjustment to meet the specific requirements of the new WA legislation, and further updating when the Privacy Act is reformed.
Clearly time and budget will be needed to adequately prepare for the looming wave of privacy law reform, but this should come as no surprise: both specific privacy legislation in Western Australia and reform of the Privacy Act are long overdue.
Need further help?
If you require assistance with your PRIS or Privacy Act reform preparation, please contact Deidre Missingham.
Keypoint recently expanded into its sixth Australian city of Perth, WA. This means we are even better equipped to assist clients in state or territory specific services including privacy and data protection. Please contact Deidre for further information.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances.
___________________________
[i] The Information Commissioner Bill 2024 (IC Bill) was also introduced. The new Information Commissioner will be responsible for overseeing privacy and freedom of information matters in WA under the Freedom of Information Act 1992 and the Privacy and Responsible Information Sharing Bill 2024, supported by the Information Access Deputy Commissioner and the Privacy Deputy Commissioner. The IC Bill sits with the Legislative Council at the time of writing.
[ii] The author was the Principal Instructing Solicitor in the drafting of the Privacy and Data Protection Act 2014 (Vic.).
[iii] In substituting ‘relates to’ for ‘about’.
___________________________
Please also note that the law may have changed since the date of this article.