About the assessments under the PRIS Act
The Privacy and Responsible Information Sharing Act 2024 (PRIS Act) enables government agencies and specified external entities to responsibly share government information where they may otherwise not be able to do so.
The Chief Data Officer issues guidelines under section 201 of the PRIS Act to support responsible information sharing. These guidelines must be considered when conducting and preparing a report assessing each of the responsible sharing principles and undertaking an Aboriginal Information Assessment. Privacy guidelines issued by the Information Commissioner must be considered if a privacy impact assessment (PIA) is required.
As information sharing commonly involves the exchange of data, references to data in this document should be read as meaning government information.
Two assessments must be conducted, before entering into an information sharing agreement to share data under the PRIS Act:
- an assessment applying each of the responsible sharing principles (the Principles) to the proposed agreement; and
- an Aboriginal Information Assessment (AIA).
In some circumstances, a PIA must also be conducted. This guideline includes a privacy threshold assessment to determine whether a PIA is required for your data project.
The guideline outlines how to complete the assessments, supplemented by an optional template to help you prepare a written report.
Parties should collaborate in conducting the assessments and preparing the written report.
Through this process, entities are encouraged to handle data responsibly, as a public resource for government policy, programs and services, and to remove barriers that unnecessarily impede the responsible sharing of government information.
Responsible Sharing Principles Assessment
What is this assessment for?
Before entering into an information sharing agreement under the PRIS Act, the data provider (the “holding entity”) must assess whether data will be handled according to the Responsible Sharing Principles (the Principles) and prepare a report on the outcomes of this assessment. In practice, this assessment is conducted collaboratively, with input from all parties.
The assessment requires parties to identify safeguards to manage risks, ensure that data is handled consistently with the Principles, and set out the actions to be taken if any safeguards are breached. Strong safeguards in one Principle may allow the controls on other Principles to be relaxed. For example, if data is highly aggregated, then it can be stored in an environment with fewer strict controls than person level, identified data. The information sharing officer must be satisfied that the data will be handled in a manner that is consistent with the Principles and identified safeguards must be included in the information sharing agreement.
The Principles are set out below, and in Schedule 2 of the PRIS Act.
Principle 1 (Activities): Why should this data sharing activity occur?
This step confirms that the project aligns with the permitted purposes in the PRIS Act and is in the public interest. This will have already been assessed during the information sharing request and response. Consider whether the details have been refined or changed since then and if not, you can use that earlier assessment here.
Outline any risks of undertaking this project and describe how they can be mitigated, as well as risks that could arise if the project does not proceed. You could copy or attach relevant details on benefits, risks and controls from your project plan or business case.
Examples of risks arising from not undertaking the project:
- failure to conduct research that enables eradication of an invasive species
- response to domestic violence incidents is uncoordinated and less effective
- road safety issues are not identified; serious injuries and insurance costs increase
- an Aboriginal community controlled organisation is unable to implement regional service improvements, health investments and research aligned with community priorities.
Examples of possible project risks to be considered and potential mitigation strategies:
| Possible risks | Mitigation strategies |
|---|---|
| Breach of holding entity’s requirements or ethics approval conditions. | Information sharing agreement sets conditions and consequences for a breach. |
| Project is not expected to deliver public benefits commensurate with risk. | Apply RSPs to manage and mitigate risks. Requesting entity to clearly articulate link between data sharing and public benefit. If public value is low, project may not proceed. |
| Project design does not meet permitted purposes. | Re-examine project design for alignment. Consider sharing data another way. |
Principle 2 (Recipients): Who can handle the data?
This step confirms that it is appropriate to share data with the proposed recipient and that they have the knowledge, skills, experience and capability to use the information effectively. It also examines if they have the systems, processes and governance arrangements to ensure the data is handled responsibly.
Examples of possible risks to be considered and potential mitigation strategies:
| Possible risks | Mitigation strategies |
|---|---|
| Data recipients have a conflict of interest. | Conflict of interest declaration. Information sharing agreement to restrict data access to people without a conflict of interest, or set out how a conflict will be managed. |
| Data recipients have insufficient subject matter expertise. | Support from the holding entity or another trusted party. Information sharing agreement to restrict data access to people with appropriate qualifications. |
| Data recipients have insufficient statistical skills to analyse the data effectively. | Support from the holding entity or another trusted party. Information sharing agreement to restrict data access to people with appropriate qualifications. |
| Requesting entity is unlikely to be able to effectively manage an information breach. | Support from the holding entity. Provide data access in a controlled environment. |
Principle 3 (Information): What data will be shared?
This step is about the data to be shared, and whether it is appropriate to disclose and use for the activity. This will have already been assessed during the information sharing request and response. Consider whether the details have been refined or changed since then. If not, you can use that earlier assessment here.
Examples of possible risks to be considered and potential mitigation strategies:
| Possible risks | Mitigation strategies |
|---|---|
| Data includes variables or records that are not required for the project. | Data is limited to only that which is relevant to the permitted purpose. Requesting entity has opportunity to articulate relevance of records or variables. |
| Data is generally of low quality. | Consider the characteristics of the data (relevance, timeliness, accuracy, coherence, interpretability, accessibility) to confirm it is fit for the specific use in this project. |
| Re-identification of de-identified information. | Physical and technical controls. Information sharing agreement establishes conditions and consequences for a breach of terms. |
Principle 4 (Settings): How will the data be stored and protected?
This step confirms the physical and digital environments of the recipient and ways in which the data will be transferred, stored, used and managed. It ensures there are practical controls in place for handling the data.
Examples of possible risks to be considered and potential mitigation strategies:
| Possible risks | Mitigation strategies |
|---|---|
| Data is lost, intercepted or disclosed during transmission to the recipient. | Information sharing agreement sets steps to follow in case of an information breach. |
| Data is subject to unauthorised access at the requesting entity. | Information sharing agreement sets steps to follow in case of an information breach. |
| Data is used for purposes beyond those approved. | Information sharing agreement establishes conditions and consequences for a breach. |
| Data is removed from the approved setting. | Physical and technical controls. Information sharing agreement establishes conditions and consequences for a breach of terms. |
| Data is not destroyed on completion of the project. | Physical and technical controls. Information sharing agreement includes retention and disposal requirements. |
Principle 5 (Outputs): Where else will the data be used?
This step confirms whether the results or outputs of the data project will be published or shared with another party who is not involved with the information sharing agreement. It sets the conditions in which publication or further sharing is allowed.
Examples of possible risks to be considered and potential mitigation strategies:
| Possible risks | Mitigation strategies |
|---|---|
| Outputs do not meet confidentiality requirements. | Information sharing agreement to specify applicable confidentiality requirements. |
| Outputs are released without holding entity’s approval (if required). | Information sharing agreement to specify whether an external audit or review is required prior to publication or sharing, if so, the role of the holding entity. |
| Output treatments are inconsistent with those of data already released. | Information sharing agreement to specify if output treatments must match those of the shared data, prior to approved further disclosure. |
Privacy Threshold Assessment
What is this assessment for?
A privacy threshold assessment can help you quickly work out whether you need to do a privacy impact assessment (PIA) for a data sharing project. A privacy threshold assessment should be conducted for every data sharing project. It allows projects with no or minimal privacy implications to be identified quickly and easily.
A PIA is a systematic examination of a project to identify potential privacy impacts and make recommendations to manage, minimise or eliminate them. Not every project will require a PIA.
Note: PIAs are also required to be conducted under Part 2 of the PRIS Act by an IPP entity before it performs a high impact function or activity. This Guideline deals only with privacy thresholds for PIAs that are required to be conducted under Part 3 of the Act under a proposed information sharing agreement.
Step 1: Check whether personal information is involved
Personal information is any information or an opinion relating to a person that identifies them or could reasonably be used to identify them. It doesn’t matter if the information is true or whether the person is living or has died.
Personal information includes name, date of birth, address, contact information, location information, unique identifiers (e.g. drivers licence number or IP address) and information that relates to someone’s features or behaviour. It can include inferences made about people.
If the data sharing project does not involve personal information, a PIA is not required.
Step 2: Check the statutory triggers
When sharing data under the PRIS Act, entities must conduct a PIA before entering into an information sharing agreement if:
- the proposed information recipient is an external entity; or
- the project involves data integration and/or data linkage; or
- the project is likely to have a significant impact on the privacy of individuals.
A full list of external entities is set out in section 156(2) of the PRIS Act. Section 12 of the PRIS Act sets out what data integration and data linkage mean.
The Office of the Information Commissioner may provide guidelines to determine whether a project is likely to have a significant impact on the privacy of individuals. Types of activities that could meet this definition include:
- handling sensitive personal information on a large scale
- handling children’s personal information on a large scale
- ongoing or real-time tracking of an individual’s geolocation
- profiling and scoring where outputs may expose individuals to discrimination
- using biometric templates or biometric information (including facial recognition technology) for identity verification or when collected in publicly accessible spaces
- handling personal information for automated decision-making with legal or major effects.
Step 3: Consider any other factors and make a decision
Even if the statutory triggers do not apply, it is good practice to conduct a PIA for any data sharing project that uses personal information.
If a PIA is not required, factors to help you decide whether a PIA is recommended include the legislative authority for handling personal information in relation to the data sharing project, the views of stakeholders and any steps you have taken to mitigate or eliminate the privacy impacts of the project.
It is also good practice to conduct a PIA if a data sharing project uses de-identified information. Information Privacy Principle 11 requires parties to take reasonable steps to protect any de-identified information it holds from misuse and loss and from unauthorised re-identification, access, modification or disclosure.
Decide whether a PIA is required or recommended and record your reasons for that conclusion.
What if a PIA is required?
The Office of the Information Commissioner may provide guidance on how to conduct a PIA.
You must conduct the PIA before establishing an information sharing agreement.
You must also publish a written report on the PIA that sets out:
- how you have assessed the likelihood that the project will result in an interference with privacy
- the impact of the project on the privacy of individuals
- how you will manage, minimise or eliminate the privacy impacts
- any other information that the parties to the proposed information sharing agreement consider is relevant.
Note: the PIA report is not required to be made publicly available in certain circumstances, set out in section 176(6).
Aboriginal Information Assessment
The PRIS Act supports Aboriginal people to be involved when data sharing affects Aboriginal people or communities.
Before entering into an information sharing agreement, the parties must conduct, and prepare a written report on, an Aboriginal Information Assessment (AIA) under section 177 of the PRIS Act.
The AIA requires entities to determine whether a data sharing project includes specific sensitive Aboriginal information or will directly affect Aboriginal people in a significant way. Entities can then implement culturally safe stakeholder engagement and data handling practices.
Step 1: Check whether any sensitive Aboriginal information is involved
There are two types of sensitive Aboriginal information that must be considered:
- Sensitive Aboriginal family history information: This is information that relates to Aboriginal people and their ancestors and was collected between 1898 and 1972 through laws, government policies and practices that applied specifically to Aboriginal people. This information is often deeply personal and sensitive.
- Sensitive Aboriginal traditional information: This is information that, according to Aboriginal tradition, should only be shared with people who are recognised as the appropriate knowledge holders. It may include cultural practices, stories, ceremonies, beliefs, sites or other knowledge. This information may have been collected by government in research, surveys, maps, heritage assessments or administrative records.
Formal definitions are provided in section 4 of the PRIS Act.
If the project involves these types of sensitive Aboriginal information, the holding entity (data provider) must take reasonable steps to identify and consult with relevant Aboriginal stakeholders to obtain their consent to use the information and develop safeguards for handling it in a culturally appropriate way. The safeguards developed in consultation with Aboriginal people must be included in the information sharing agreement.
If you are not sure whether the project will involve the use of sensitive Aboriginal Information, you may seek advice from your entity’s Aboriginal advisory, governance or consultative committee, or email the Office of Digital Government (DGov) at data.sharing@dpc.wa.gov.au.
If your project will involve the use of sensitive Aboriginal Information, please email DGov at data.sharing@dpc.wa.gov.au for support to identify and consult with relevant Aboriginal stakeholders.
Exempt information
Any sensitive Aboriginal family history information, or sensitive Aboriginal traditional information, given in relation to an application or potential application under the Native Title Act 1993 (Commonwealth) section 61 (no matter who gives the information) is exempt information under section 158 of the PRIS Act and cannot be shared under the PRIS Act.
Step 2: Consider the project’s impact on Aboriginal people
Determine whether the data sharing project will primarily or especially affect Aboriginal people.
- A project may primarily affect Aboriginal people if Aboriginal people or communities are the specific target group for a policy, program, service or research focus.
- A project may especially affect Aboriginal people if it is likely to have a greater impact, a different kind of impact, or a culturally significant impact on Aboriginal people compared with others, even if other groups are also affected.
These are circumstances where Aboriginal people are the main group affected, regardless of whether the impact is positive or negative.
If the project will primarily or especially affect Aboriginal people, you must take reasonable steps to identify and consult with relevant Aboriginal stakeholders and develop an Aboriginal Information Use Plan (AIUP) before establishing an information sharing agreement.
What is an Aboriginal Information Use Plan?
An AIUP provides opportunities for relevant Aboriginal stakeholders to participate in and engage with the data sharing project, including decision-making activities.
An AIUP must:
- identify the Aboriginal stakeholders who have contributed to the development of the AIUP
- describe the processes already undertaken to engage with those stakeholders
- describe the level of initial support from those stakeholders for the data sharing project
- outline any benefits to Aboriginal people that are likely to result from the project
- set out processes for ongoing engagement with relevant Aboriginal stakeholders.
The AIUP must also be included in the information sharing agreement.
If you are required to prepare an AIUP, please email the Office of Digital Government at data.sharing@dpc.wa.gov.au for support.
Download a copy of the Guideline below. Optional template coming soon.