Chief Data Officer Guideline: Requesting data under the PRIS Act

Guidance
Read and download the Guideline below.
Last updated:

About information sharing requests under the PRIS Act

The Privacy and Responsible Information Sharing Act 2024 (PRIS Act) enables government agencies and specified external entities to responsibly share government information where they may otherwise not be able to do so. The Chief Data Officer issues guidelines under section 201 of the PRIS Act to support responsible information sharing. Parties to an information sharing agreement must have regard for these guidelines. As information sharing commonly involves the exchange of data, references to data in this document should be read as meaning government information.

An information sharing request is the first step for sharing data. The guideline explains how to prepare and submit an information sharing request and is supplemented by an optional template.

If the request is supported, the entities determine appropriate safeguards and then enter into an information sharing agreement, which sets out how data will be disclosed and handled for a permitted purpose. Once the parties have signed this agreement, data can be shared and used according to the terms of the agreement. 

Who can make or receive an information sharing request?

The PRIS Act enables public entities to share data with each other or with specified external entities. The entity making the request is known as the requesting entity, and the entity which holds the data that is being requested is the holding entity.

Public entitiesExternal entities
Can request or provide data under the PRIS Act and be a requesting or a holding entity.Can request data from public entities under the PRIS Act and can only be a requesting entity.
  • WA Government departments
  • Statutory authorities
  • Local governments and regional local governments
  • Government trading enterprises
  • WA public universities
  • Commonwealth, State or Territory government agencies
  • Contracted service providers
  • Aboriginal Community Controlled Organisations
  • Australian universities (includes interstate and private universities) 
  • Health-related research bodies
  • Social service providers

What kind of information can be requested?

Only government information can be requested under the PRIS Act. This is defined as any information held by a public entity. Government information may include personal information, operational information, program data or other records used to deliver services, but excludes any exempt information held by a public entity. 

The PRIS Act includes a list of exempt information in section 158. Regulations made under the PRIS Act may include additional classes of exempt information so it is important to consider those as well. Examples of exempt information include certain child protection and public interest disclosure records, information that could identify complainants or protected sources, national security information and information linked to law enforcement investigations. 

When would I make a request under the PRIS Act?

There are different ways government information can be disclosed. These include:

  • under the Freedom of Information Act 1992, or in response to subpoenas and court orders,
  • agency legislation that authorises information sharing in specific circumstances, or
  • established arrangements through other types of agreements, such as a routine internal information sharing as part of normal business operations.

Where data is able to be shared through any of these pathways, it can be shared without the need to make a request or an agreement under the PRIS Act. 

You would make a request under the PRIS Act where other sharing pathways are not suitable, and the proposed sharing is for one of the purposes permitted under the PRIS Act, which are described within this Guideline. You could also make a request under the PRIS Act where this provides stakeholders with greater confidence to share data.

What are the steps to request data under the PRIS Act?

Step 1: Draft an information sharing request

An information sharing request is the first step towards sharing data under the PRIS Act. 
Key elements of an information sharing request are outlined in section 160 of the PRIS Act, with further detail provided in this Guideline and the associated template.
Although not a requirement, early engagement with the holding entity can help produce a clearer, more effective request.

Step 2: Send the request to the right people

An information sharing request must include certain people within the requesting entity and the holding entity.

  • Your request must be sent to the head of the holding entity: The PRIS Act refers to the head of an entity as the principal officer. This could be a CEO or Director General, Commissioner, or Vice Chancellor. The request must be in writing and can be sent by letter or email. You may choose to attach supporting documents, such as summaries, diagrams or internal approvals, to help the holding entity understand the context and scope of your request.
  • Include data.sharing@dpc.wa.gov.au in the request email: This notifies the Chief Data Officer, who has oversight of information sharing activities under the PRIS Act. 
  • The head of your organisation must authorise the request:  The head of your organisation can authorise a staff member to prepare, sign and submit the request on behalf of your organisation. Similarly, the holding entity may assign a staff member to manage their response. This enables efficient progress with an appropriate level of oversight as required under the PRIS Act. Regardless of who in your organisation sends the request, the holding entity’s response must be sent to the head of your organisation. 

Step 3: Wait for a response

Once the request has been submitted, the holding entity must provide a written response within 45 calendar days, unless a longer timeframe is agreed between the parties. The 45 day period starts on the day the request is made.

The holding entity can choose to:

  1. Share data under the PRIS Act: The holding entity may be willing to share some or all of the requested information under the PRIS Act. Before any data is disclosed, the parties must complete the required assessments and enter into an information sharing agreement. 
  2. Share data another way: The holding entity may decide that the data can be shared through an existing pathway, such as other legislation, operational processes or contracts, instead of using the PRIS process.
  3. Refuse the request:  The holding entity may refuse to share the requested data. If so, it must provide reasons for the refusal in accordance with the PRIS Act. 

Please note that public entities are not obligated to respond to external entities. 

If your request has been refused, or if you have not received a response within 45 days, please contact the Office of Digital Government by email at data.sharing@dpc.wa.gov.au for advice and assistance.

What happens if someone changes their mind?

Your request or the response of the holding entity can change.

  • You can withdraw your request: To withdraw an information sharing request, please notify the principal officer of the holding entity in writing, providing details of the request and the date it was submitted to the holding entity.
  • A holding entity can change their response: A holding entity may change its position later in the process. For example, it may initially indicate willingness to share data but choose not to proceed after completing the assessments required under the PRIS Act. This allows agencies to respond to new information, risks or risk mitigations, and circumstances as the process unfolds.

What must I include in an information sharing request? 

It is important to briefly and clearly define the scope of your request so that the holding entity can evaluate it to determine if the data sought is necessary and proportionate, and risks are considered and managed. This supports responsible information sharing and help entities meet legal and privacy obligations. An optional information sharing request template is available to help ensure you include all the necessary details.

1. Declare that the request is being made under the PRIS Act

An information sharing request must clearly state that it is made under section 160 of the PRIS Act. Including this declaration ensures the holding entity responds appropriately, according to the PRIS Act.

This also distinguishes an information sharing request under the PRIS Act from other forms of information exchange, such as informal communication and data shared under other legislation.

2. Identify the permitted purpose

Your request must clearly identify the permitted purpose for which you are requesting the data. Data can be shared for one or more of the following four permitted purposes:

  • Making or implementing government policy: This includes analysing issues, developing new policy approaches, informing Cabinet or Ministerial decisions, or evaluating the impact of policy settings.
  • Designing, managing, delivering or evaluating government programs and services: This includes improving service access, identifying gaps, managing performance or assessing service effectiveness.
  • Research and development that delivers clear and direct benefits to the public: This includes academic or medical research, or evaluation studies.
  • Emergency management activities, including prevention, preparedness, response and recovery: This enables coordinated action during emergencies and assists agencies to access information quickly and safely when needed.

Additional permitted purposes may also be set out in the PRIS Regulations.

Data cannot be requested under the PRIS Act for law enforcement, monitoring compliance with a law, national security or obtaining commercial gain.

3. Explain the activity that will be carried out

It is important to clearly define the activity that will be undertaken and how it aligns with the permitted purpose (described in the previous section). This includes the decisions that will be made, the project aims and objectives, key research questions, the significance of the research or anticipated community benefits of the project. 

Once an information sharing agreement is made, you will only be authorised to undertake work related to this activity, so it is important to define it accurately.

Describing the activity can involve outlining some the following: 

  • What work the data will support: for example, outline the project, program design, policy decision or service improvement.
  • How the data will be applied in practice: such as identifying gaps, modelling trends, informing recommendations or assessing service demand.
  • Whether insights or outputs will be shared with others: such as with project partners, senior leadership or in published reports. 
  • The expected outcomes or benefits of the activity.

4. Briefly describe the data you are requesting

The request must include a high-level description of the data you would like to obtain. Requests are clearer if they address the following:

  • Describe the data in as much detail as you can: This could include variable names, or a description of the entities or events you would like data about, or the time period the data should cover.
  • Specify the level of detail you are seeking: For example, whether you’re seeking unit level or aggregated data, and whether it relates to a particular geographic location or Statistical Area.
  • Outline any de-sensitising treatments: Indicate whether you are requesting de‑identified or obfuscated data, or whether any sensitive details should be excluded. 

5. Detail how the data will be used

The request must describe, at a high level, how the requested data will be used to support the activity. This requires a brief outline of the technical work you propose to do. 

Examples include:

  • Linking or integrating data, or comparing it with other datasets
  • Creating a dashboard or map
  • Analysis, such as building a model, or analysing descriptive statistics
  • Training a model
  • Developing a data asset or register

6. Outline how you will handle the data

Outline any arrangements your organisation already has in place for secure information handling that will apply to the data you are requesting. This demonstrates that your entity has appropriate governance practices in place and understands its responsibilities. It helps the holding entity to understand how risks will be managed and whether additional safeguards or support may be needed. 

Some examples of what to include are:

  • How the information will be stored: for example, on secure agency systems, protected drives or approved platforms.
  • Who will be able to access it: for example, only staff working on the project or within a restricted team.
  • How the information will be protected: such as passwords, role based access, encryption or other standard controls.
  • How the information will be managed when not in use: including retention processes or any internal sharing within the agency.
  • If known, how the information will be archived or disposed of.

If you need help…

For advice or assistance in preparing an information sharing request, please contact the Office of Digital Government by email at data.sharing@dpc.wa.gov.au.

Download a copy of the Guideline below.

Documents

Have a question or want to report a problem?

Fill in the form to get assistance or tell us about a problem with this information or service.

Send feedback