Free HR Services from our Employee Relations Experts. Find out more.

You have one free articles for this month. Sign up for a CCIWA Membership for unlimited access.

New privacy rules are here: is your business ready?

By Cassandra Wright

Privacy compliance is no longer something businesses can put in the “later” pile.

Many Australian businesses are already required to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) and maintain a privacy policy explaining how they collect, use and protect personal information. But recent changes in Western Australia, and further reforms coming later this year, mean now is the time to review whether your privacy documents and data practices are up to date.

The core privacy provisions of WA's Privacy and Responsible Information Sharing Act 2024 (PRIS Act) came into effect on July 1, 2026, introducing new requirements for government agencies and some private businesses that provide services to government.

Further changes are also on the horizon. From December 10, 2026, new federal privacy requirements relating to automated decision-making will require organisations to be more transparent about how personal information is used in technology and AI-driven systems that help make decisions about individuals.

For businesses, the message is simple: if you haven't reviewed your privacy policy, collection notices or data handling practices recently, now is the time.

Person using a smartphone to complete two-factor authentication while logging into a laptop, illustrating privacy laws, business cybersecurity, data protection and secure digital access.

Does this apply to your business?

The changes will affect different businesses in different ways.

Businesses covered by the Privacy Act must maintain a clear and up-to-date privacy policy explaining how they collect, use, store and disclose personal information. This includes businesses with annual turnover above $3 million, as well as certain other businesses regardless of turnover.

Businesses that provide services to Government should also pay close attention to the PRIS Act.

This may include contractors and subcontractors delivering government services. Depending on the arrangement, these businesses may need to meet additional privacy obligations beyond those that apply under the federal Privacy Act.

What the new WA privacy laws mean for businesses

The PRIS Act introduces a new State-based privacy framework governing how personal information is collected, used, disclosed, stored and managed.

For businesses working with Government, this may affect:

  • contract compliance requirements
  • tender readiness
  • subcontractor arrangements
  • data handling and security practices
  • privacy governance processes
  • how customers and stakeholders are informed about the use of their information

Privacy compliance is no longer simply about having a policy on your website. Businesses need to ensure their day-to-day practices align with what their privacy documents say.

Your privacy policy matters more than ever

A privacy policy should clearly explain:

  • what personal information is collected
  • why it is collected
  • how it is used and disclosed
  • who it may be shared with
  • whether information is disclosed overseas
  • how it is stored and protected
  • how individuals can access or correct their information
  • how privacy complaints are handled

Collection notices are equally important. These notices explain how personal information will be used when it is collected and help businesses meet transparency requirements.

If your privacy policy says one thing but your business does another, that can create significant compliance risks.

Business Law WA's Commercial Legal team is offering a free Red Flag Review of existing privacy policies to help identify potential gaps and compliance risks.

Get in touch today. Email [email protected] or call 08 9365 7560.

AI and automated decision-making are next

Many businesses are increasingly relying on AI and automated tools to help make decisions about customers, employees and service delivery.

From December 10, 2026, new privacy requirements relating to automated decision-making will come into effect.

These changes could apply to tools used for customer onboarding, recruitment screening, fraud detection, risk scoring, credit assessments and service prioritisation.

Businesses should start asking:

  • Where are we using personal information in automated systems?
  • Are those systems helping make decisions about people?
  • Could those decisions significantly affect individuals?
  • Have we explained these processes in our privacy policy?
  • Can our team answer questions about how these systems work?

Automated decision-making is no longer just an IT issue. It is increasingly becoming a privacy and governance issue.

What businesses should do now

With privacy obligations continuing to evolve, businesses should:

  • Confirm whether they are covered by the Privacy Act, the PRIS Act or both.
  • Review and update privacy policies and collection notices.
  • Map how personal information moves through the organisation and to third parties.
  • Review government contracts for privacy-related obligations
  • Identify any AI or automated decision-making tools that may be affected by the December reforms.
  • Update procedures for privacy complaints, access requests and data breaches.
  • Ensure suppliers and subcontractors are subject to appropriate privacy and security obligations.

Practical tools to help you comply

Business Law WA has prepared practical privacy templates to help businesses review and update their privacy documentation, including Privacy Act and PRIS Act privacy policies and collection notices.

The templates are written in plain English, customisable and designed to help businesses meet their privacy obligations with confidence.

Free Red Flag Review

Not sure if your current privacy policy is fit for purpose?

Business Law WA is offering a free Red Flag Review of existing privacy policies to help identify potential gaps and compliance risks.

To arrange a review, contact [email protected] or call 08 9365 7560.

Cass Wright – Legal Director, Business Law WA

Cass has practiced as a lawyer for more than 20 years. She has assisted a large number of SMEs and businesses to put in place protections against cyber attacks and make sure businesses better protect their data assets.

Cass is well known for her easy-to-talk-to nature, proactive advice and clarity.

Make a time to chat to her and discuss your needs: [email protected] or call 08 9365 7746.

This article is authorised by Business Law WA, an incorporated legal practice and wholly owned subsidiary of CCIWA. The content of this article is general in nature and is not legal or professional advice and should not be relied upon as such.

Privacy compliance is no longer something businesses can put in the “later” pile.
Tagged under: