Privacy and Responsible Information Sharing: Frequently asked questions

This page provides answers to frequently asked questions about how to share data under the Privacy and Responsible Information Sharing Act 2024 (PRIS Act).
Last updated:

The PRIS Act is overseen by both the Information Commissioner and Chief Data Officer in Western Australia.

Please see below for frequently asked questions (FAQs) about responsible information sharing under the PRIS Act, published by the Chief Data Officer. 

See here for FAQs about privacy under the PRIS Act, published by the Office of the Information Commissioner.

These FAQs are a resource for entities that are covered by the PRIS Act, and for the community.

FAQs: Sharing data under the PRIS Act

Can an individual request information under the PRIS Act?

No. An individual can make a request under the Freedom of Information Act 1992.

The PRIS Act is used for sharing data between WA government agencies, and with specified organisations that deliver public services or conduct research with a community benefit. Refer to the RIS Toolkit for more information. 

Does the PRIS Act affect existing data sharing arrangements for public entities?

No. Any existing arrangement for information sharing under other legislation will continue to operate as established and will not be affected by the responsible information sharing provisions of the PRIS Act.

Public entities may choose to review their current arrangements to ensure they include adequate protections for personal information.

Will existing data sharing arrangements or Memoranda of Understanding (MOUs) have to be transferred to a PRIS agreement?

No. There is no requirement for public entities to update or change existing arrangements to align with the information sharing provisions of the PRIS Act.

What does the PRIS Act say about confidential information or secrecy provisions?

The PRIS Act authorises agencies to share data despite any secrecy provisions in other legislation, provided they have met the requirements of the responsible information sharing framework.

This does not apply to any secrecy provisions that are expressly preserved, such as those prescribed in regulations. 

Where data is shared in accordance with the PRIS Act, it is not a breach of any legal obligations, duty of confidentiality, professional ethics or standards.

If a request for data is received under the PRIS Act, can an agreement be made right away?

No. Before establishing an information sharing agreement under the PRIS Act, the parties must complete three assessments. This enables the parties to agree how to appropriately handle and protect the data, throughout the project. Once an agreement is established, it must be registered with the Chief Data Officer for it to come into effect. Refer to the RIS Toolkit for more information. 

Do we have to conduct the PRIS assessments for all data sharing projects?

No. There are three assessments required when data is shared under the PRIS Act. Agencies are not obligated to conduct assessments when sharing data under other arrangements.

Do I need an agreement to share data with other business areas in my organisation?

No. An information sharing agreement is used to share data between WA government agencies, or with specified external entities that deliver public services or conduct research with a community benefit. Routine internal data sharing should occur as part of normal business operations, according to agency policies and access protocols.

Does my organisation have to appoint an Information Sharing Officer?

Yes. Each public entity must designate an Information Sharing Officer under the PRIS Act. Refer to the Chief Data Officer Guideline: The role of information sharing officers for more information. 

When can we start sharing data under the PRIS Act?

From 1 July 2026, you can send or receive an information sharing request, register an information sharing agreement and begin sharing data under the PRIS Act. Planning for a data sharing project or commencing the required assessments, can begin before this time.

How should we prepare for data sharing under the PRIS Act?

Key steps include:

Refer to the RIS Toolkit for more information.

For specific advice or complex queries, please email data.sharing@dpc.wa.gov.au.

What happens if there is a breach involving shared data?

For the public

The Office of the Information Commissioner has published transitional guidance for members of the public: Understanding my privacy rights – when do they commence? 

For public entities and external entities now

As a matter of best practice, a recipient of shared data should notify the provider of a suspected or actual breach, as soon as practicable.

Public entities and external entities are not yet required to report a breach to the Chief Data Officer.

For public entities and external entities from 1 January 2027

The recipient of any data shared under the PRIS Act must notify the data provider as soon as practicable if a breach is suspected.

If a breach is confirmed, the recipient must notify the provider and the Chief Data Officer as soon as practicable. This requirement is in addition to any requirement to notify the Information Commissioner of a breach involving personal information.

Refer to the RIS Toolkit for more information.

Where can I get more information about privacy and handling personal information?

The Office of the Information Commissioner provides guidance for privacy management and handling personal information according to the information privacy principles (IPPs) set out in the PRIS Act. 

When will the Chief Data Officer release guidelines on the PRIS Act?

Guidelines, templates and other resources to support data sharing are published on these webpages by the Office of Digital Government. Refer to the RIS Toolkit for more information.

For specific advice or complex queries, please email data.sharing@dpc.wa.gov.au.

Have a question or want to report a problem?

Fill in the form to get assistance or tell us about a problem with this information or service.

Send feedback