New WA privacy laws covering the collection and storage of government data will come into effect on July 1 next year, potentially impacting any organisation party to a government contract.
The Privacy and Responsible Information Sharing Act 2024 (PRIS Act) includes:
- Eleven legally enforceable Information Privacy Principles (IPPs), modelled on the 13 Australian Privacy Principles (APPs) in the Commonwealth’s Privacy Act.
- A mandatory data breach notification scheme commencing January 1, 2027.
- A framework for responsible public sector information sharing.
The laws also include a new independent Information Commissioner, with privacy and technology expert Annelies Moens in the role since July 28.
Cass Wright, Legal Director, Commercial Law at Business Law WA, says public entities, contracted service providers that contract with the government, and their subcontractors may be impacted.
The Act applies to:
- Public entities, including government departments and agencies and judicial bodies; and
- Contracted Service Providers (CSPs) handling personal information on behalf of public entities.
A CSP is a private entity (or its subcontractors) that provides services to a WA public entity under a State services contract.
Wright says a CSP is not automatically subject to the IPPs under the PRIS Act, but rather is only required to comply - including with notifiable information breach obligations - if a relevant state services contract expressly includes a clause mandating compliance.
Wright encourages businesses to look closely at the wording of their contracts and reach out for assistance.
Timeline
July 1, 2025 – WA’s new Office of the Information Commissioner opens
2026 – Major compliance obligations begin, including:
- Appointing a Privacy Officer
- Publishing a privacy policy and collection notices
- Running Privacy Impact Assessments on risky projects
- Logging and reporting eligible data breaches
How does this line up with national laws?
WA’s new laws are designed to complement the Federal Privacy Act 1988, which already applies to most Australian businesses turning over more than $3 million annually.
The new WA regime:
- Uses similar Information Privacy Principles to the Commonwealth’s APPs;
- Introduces mandatory breach reporting, like the federal Notifiable Data Breaches (NDB) scheme; and
- Promotes responsible data sharing - similar to federal initiatives like the Data Availability and Transparency Act.
“If you’re already complying with the federal Privacy Act, you’re in a good starting position, but you’ll still need to tailor your policies and breach plans to meet WA’s specific requirements,” says Wright.
What WA businesses need to do now
- Review your data handling processes – map where personal information is stored, used, and shared, and consider whether each use is necessary and how the information is safeguarded.
- Prepare a breach response plan – you’ll need this in the event of a breach.
- Check government contracts – you may need to update your privacy policies and processes to reflect the new privacy obligations.
- Train your team – frontline staff need to understand what’s changing.
- Start using Privacy Impact Assessments (PIAs) – they’ll be required for high-risk data projects and are otherwise recommended by the Office of the Australian Information Commissioner, whose PIA guide is a useful starting point.
Want help auditing your privacy setup or preparing for the WA reforms? Get in touch on 08 9365 7746 or via [email protected].
This article is authorised by Business Law WA, an incorporated legal practice and wholly owned subsidiary of CCIWA. The content of this article is general in nature and is not legal or professional advice and should not be relied upon as such.