Privacy Legislation in Western Australia

On commencement of the relevant provisions, the PRIS Act will:

• Provide a framework to protect the privacy of personal information of individuals handled by IPP entities. IPP entities are Western Australian government agencies, departments, statutory authorities, Local Governments, Ministers, Parliamentary Secretaries, government trading enterprises, and some contracted service providers to government. These provisions have not yet commenced.
   
• Introduce 11 Information Privacy Principles (IPPs), that guide the collection, use, disclosure, security, and disposal of personal information handled by IPP entities. The IPPs have not yet commenced.
   
• Provide that if an IPP entity contravenes an IPP, this will constitute an interference with privacy, for which a complaint may be made to the Information Commissioner. These provisions have not yet commenced.
   
• Establish a framework for the making of privacy complaints to the Information Commissioner in relation to an alleged interference with the privacy of an individual. Under the PRIS Act a privacy complaint must usually be made to the relevant IPP entity first before a complaint can be made to the Information Commissioner. The provisions relating to privacy complaints have not yet commenced.
   
• Confer functions and powers on the Information Commissioner and Privacy Deputy Commissioner to investigate and enforce compliance of the PRIS Act by IPP entities. These provisions have not yet commenced.
   
• Introduce a notifiable information breach scheme that requires an IPP entity to notify affected individuals, and the Information Commissioner, if there is unauthorised access to, or unauthorised disclosure of, or loss of personal information held by the entity and the access, disclosure of loss is likely to result in serious harm to any of the individuals to whom the information relates. These provisions have not yet commenced.

The PRIS Act provides that different provisions may commence on different dates.

• On 1 July 2025, the Office of the Information Commissioner (the OIC), the Information Commissioner and Deputy Commissioner roles were established.

• On 1 July 2025, the provisions of the PRIS Act that establish the administration and functions of the Information Commissioner and the Privacy Deputy Commissioner under the PRIS Act commenced.

• The Government has not yet announced the date or dates on which the remaining privacy provisions will commence.  It is anticipated that:

  • the substantive privacy provisions (other than the notifiable information breach scheme) are likely to commence in 2026; and

     

  • the provisions relating to the notifiable information breach scheme (Part 2, Division 6 of the PRIS Act) are likely to commence after the substantive privacy provisions.

When the relevant provisions commence, the PRIS Act will require IPP entities to:

• Comply with the IPPs set out in Schedule 1 to the PRIS Act (section 20 and Schedule 1 of the PRIS Act). These provisions have not yet commenced.
   
• Designate a privacy officer for the entity who has responsibilities under the PRIS Act (section 151 of the PRIS Act). This provision has not yet commenced.
   
• Publish a Privacy Policy outlining the entity’s practices for handling personal information (IPP 5). This IPP has not yet commenced.
   
• Issue Collection Notices to individuals when the entity collects personal information (or as soon as practicable after the information is collected) (IPP 1). This IPP has not yet commenced.
   
• Ensure that any personal information disclosed in a public register that the entity is responsible for administering is used for a purpose related to the purpose of the register or the written law under which the register is maintained (section 76 of the PRIS Act). This provision has not yet commenced.
   
• Publish an information breach policy which sets out the procedures to be followed in the event the public entity reasonably suspects that a notifiable information breach has occurred (section 73 of the PRIS Act). This provision has not yet commenced.
   
• Undertake a privacy impact assessment before performing a high privacy impact function or activity (section 79 of the PRIS Act). This provision has not yet commenced.
   
• Notify the Information Commissioner and any affected individuals of a notifiable information breach (Part 2 Division 6 of the PRIS Act). This division has not yet commenced.

The PRIS Act will give individuals the right to make a privacy complaint to the Information Commissioner.  Under the PRIS Act, the Information Commissioner may decline to deal with a privacy complaint if the individual has not first complained to the IPP entity (section 90(1) of the PRIS Act).  Therefore, agencies should also develop an internal procedure for handling and dealing with privacy complaints from individuals that aligns with the requirements of Part 2 Division 9 the PRIS Act. The provisions relating to privacy complaints have not yet commenced.

When the relevant provisions of the PRIS Act commence, they will establish a framework of privacy protections for individuals whose personal information is handled by IPP entities.

Under the PRIS Act, when the relevant provisions commence, the public will:

• Receive Collection Notices from IPP entities when their personal information is collected. This provision has not yet commenced.
   
• Be able to make a complaint to the Information Commissioner about an act or practice of an IPP entity that may be an interference with their privacy.  The PRIS Act requires that generally, individuals should first complain directly to the relevant IPP entity before complaining to the Information Commissioner. These provisions have not yet commenced.
   
• Be notified if their personal information was involved in a notifiable information breach. This provision has not yet commenced.

The Office of Digital Government developed a PRIS Readiness Plan prior to the establishment of the Office of the Information Commissioner on 1 July 2025. The PRIS Readiness Plan provided the WA public sector with an interim guide on how to prepare for the PRIS Act.

The Information Commissioner will develop and publish guidance for how IPP entities more broadly should prepare for the commencement of the PRIS Act.

For more information about the PRIS Readiness Plan for the WA public sector, contact the Office of Digital Government:

Address: Dumas House, 2 Havelock Street, WEST PERTH WA 6005
Telephone: 61 8 6552 5000
Fax: 61 8 6552 5001
Email: privacy@dpc.wa.gov.au 

Resources on the requirements of the PRIS Act will be developed by the Information Commissioner following the establishment of the Office on 1 July 2025.

The currently available resources about the PRIS legislation include:

• Privacy and Responsible Information Sharing Act 2024
• Information Commissioner Act 2024

The second reading speech and the explanatory memorandum for the Privacy and Responsible Information Sharing Bill 2024 and the Information Commissioner Bill 2024 can be accessed through the WA Parliament website at the following links:

• Privacy and Responsible Information Sharing Bill 2024
• Information Commissioner Bill 2024

The Commonwealth Privacy Act 1988 covers Australian Government agencies and organisations with an annual turnover of more than $3 million, and requires them to understand their obligations when handling personal information.

Information about your privacy rights under the Commonwealth Privacy Act is available from the Office of the Australian Information Commissioner (OAIC). For more information, visit the OAIC website at Privacy | OAIC.

Contact information for the OAIC is available at Contact us | OAIC.

Phone: 1300 363 992