The Information Commissioner Act 2024 (IC Act) and the Privacy and Responsible Information Sharing Act 2024 (PRIS Act) received Royal Assent on 6 December 2024. The IC Act establishes the new Information Commissioner who is responsible for overseeing freedom of information and privacy matters in Western Australia. The PRIS Act introduces a new privacy regulatory framework which aims to protect the personal information of individuals handled by the Western Australian public sector.
Understanding privacy and responsible information sharing
The PRIS Act
On commencement of the relevant provisions, the PRIS Act will:
- Provide a framework to protect the privacy of personal information of individuals handled by IPP entities. IPP entities are Western Australian government agencies, departments, statutory authorities, Local Governments, Ministers, Parliamentary Secretaries, government trading enterprises, and some contracted service providers to government. These provisions have not yet commenced. The Government has stated that they will commence on 1 July 2026.
- Introduce 11 Information Privacy Principles (IPPs) that guide the collection, use, disclosure, security, and disposal of personal information handled by IPP entities. The IPPs have not yet commenced. The Government has stated that they will commence on 1 July 2026.
- Provide that if an IPP entity contravenes an IPP, this will constitute an interference with privacy, for which a complaint may be made to the IPP entity, and if not resolved to the Information Commissioner. These provisions have not yet commenced. The Government has stated that they will commence on 1 July 2026.
- Establish a framework for the making of privacy complaints to the Information Commissioner in relation to an alleged interference with the privacy of an individual. Under the PRIS Act a privacy complaint must usually be made to the relevant IPP entity first before a complaint can be made to the Information Commissioner. The provisions relating to privacy complaints have not yet commenced. The Government has stated that they will commence on 1 July 2026.
- Confer functions and powers on the Information Commissioner and Privacy Deputy Commissioner to investigate and enforce compliance with the PRIS Act by IPP entities. These provisions have not yet commenced. The Government has stated that they will commence on 1 July 2026.
- Introduce a notifiable information breach scheme that requires an IPP entity to notify affected individuals, and the Information Commissioner, if there is unauthorised access to, or unauthorised disclosure of, or loss of, personal information held by the entity and the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. These provisions have not yet commenced. The Government has stated that they will commence on 1 January 2027.
You can read the Government Media Statement regarding the commencement of the privacy protections in the PRIS Act.
Key dates for the operation of the PRIS Act
The PRIS Act provides that different provisions may commence on different dates (section 2(c) of the PRIS Act). Some provisions of the PRIS Act commenced on 1 July 2025. The Government has stated that most of the provisions of the PRIS Act regulating the handling of personal information by the Western Australian public sector will commence on 1 July 2026 and the notifiable information breach provisions will commence on 1 January 2027.
- On 1 July 2025, the Office of the Information Commissioner (the OIC), the Information Commissioner and Deputy Commissioner roles were established.
- On 1 July 2025, the provisions of the PRIS Act that establish the administration and functions of the Information Commissioner and the Privacy Deputy Commissioner commenced (Part 2 Division 12 of the PRIS Act).
The Government has stated that on 1 July 2026, most of the privacy provisions of the PRIS Act will commence (other than the notifiable information breach scheme). The privacy provisions commencing on 1 July 2026 include:
- Key concepts and preliminary matters (Part 2 Division 1 of the PRIS Act)
- Information privacy principles (Part 2 Division 2 and Schedule 1 of the PRIS Act)
- Privacy codes of practice (Part 2 Division 3 of the PRIS Act)
- Requests for access to and correction of personal information (Part 2 Division 4 of the PRIS Act)
- Public interest determinations and temporary public interest determinations (Part 2 Division 5 of the PRIS Act)
- Personal information in public registers (Part 2 Division 7 of the PRIS Act)
- Privacy impact assessments (Part 2 Division 8 of the PRIS Act)
- Privacy complaints (Part 2 Division 9 of the PRIS Act)
- Contracted service providers (Part 2 Division 11 of the PRIS Act)
- General (Part 2 Division 13 of the PRIS Act)
- The Government has stated that on 1 January 2027, the provisions relating to the notifiable information breach scheme (Part 2 Division 6 of the PRIS Act) will commence.
You can read the Government Media Statement about the commencement of the PRIS Act provisions.
Key changes for IPP entities under the PRIS Act
When the relevant provisions commence, the PRIS Act will require IPP entities to:
- Comply with the IPPs set out in Schedule 1 to the PRIS Act (section 20 and Schedule 1 of the PRIS Act). These provisions have not yet commenced. The Government has stated that they will commence on 1 July 2026.
- Designate a privacy officer for the entity who has responsibilities under the PRIS Act (section 151 of the PRIS Act). The privacy officer must be either the principal officer or another senior officer of the entity. This provision has not yet commenced. The Government has stated it will commence on 1 July 2026.
- Publish a Privacy Policy outlining the entity’s practices for handling personal information (IPP 5). This IPP has not yet commenced. The Government has stated it will commence on 1 July 2026.
- Issue Collection Notices to individuals when the entity collects personal information (or as soon as practicable after the information is collected) (IPP 1). This IPP has not yet commenced. The Government has stated it will commence on 1 July 2026.
- Ensure that any personal information disclosed in a public register that the entity is responsible for administering is used for a purpose related to the purpose of the register or the written law under which the register is maintained (section 76 of the PRIS Act). This provision has not yet commenced. The Government has stated it will commence on 1 July 2026.
- Publish an information breach policy which sets out the procedures to be followed in the event the public entity reasonably suspects that a notifiable information breach has occurred (section 73 of the PRIS Act). This provision has not yet commenced. The Government has stated it will commence on 1 July 2026.
- Undertake a privacy impact assessment before performing a high privacy impact function or activity (section 79 of the PRIS Act). This provision has not yet commenced. The Government has stated it will commence on 1 July 2026.
- Notify the Information Commissioner and any affected individuals of a notifiable information breach (Part 2 Division 6 of the PRIS Act). This division has not yet commenced. The Government has stated it will commence on 1 January 2027.
The PRIS Act will give individuals the right to make a privacy complaint to the Information Commissioner. Under the PRIS Act, the Information Commissioner may decline to deal with a privacy complaint if the individual has not first complained to the IPP entity (section 90(1) of the PRIS Act). Therefore, agencies should also develop an internal procedure for handling and dealing with privacy complaints from individuals that aligns with the requirements of Part 2 Division 9 of the PRIS Act. The provisions relating to privacy complaints have not yet commenced. The Government has stated they will commence on 1 July 2026.
Key changes for the public under the PRIS Act
When the relevant provisions of the PRIS Act commence, they will establish a framework of privacy protections for individuals whose personal information is handled by IPP entities.
Under the PRIS Act, when the relevant provisions commence, the public will:
- Receive Collection Notices from IPP entities when their personal information is collected. This provision has not yet commenced. The Government has stated that it will commence on 1 July 2026.
- Be able to make a complaint to the Information Commissioner about an act or practice of an IPP entity that may be an interference with their privacy. The PRIS Act requires that generally, individuals should first complain directly to the relevant IPP entity before complaining to the Information Commissioner. These provisions have not yet commenced. The Government has stated that they will commence on 1 July 2026.
- Be notified if their personal information was involved in a notifiable information breach. This provision has not yet commenced. The Government has stated that it will commence on 1 January 2027.
Assistance for IPP entities preparing for the PRIS Act
The Office of Digital Government developed a PRIS Readiness Plan prior to the establishment of the Office of the Information Commissioner on 1 July 2025. The PRIS Readiness Plan provided the WA public sector with an interim guide on how to prepare for the PRIS Act.
The Information Commissioner will develop and publish guidance for how IPP entities more broadly should prepare for the commencement of the PRIS Act.
For more information about the PRIS Readiness Plan for the WA public sector, contact the Office of Digital Government:
Address: Dumas House, 2 Havelock Street, WEST PERTH WA 6005
Telephone: 61 8 6552 5000
Fax: 61 8 6552 5001
Email: privacy@dpc.wa.gov.au
PRIS resources
Resources on the requirements of the PRIS Act are being developed by the Information Commissioner following the establishment of the Office on 1 July 2025.
Published resources from the OIC about the PRIS legislation include:
Access the legislation through the WA Legislation website at the following links:
The second reading speech and the explanatory memorandum for the Privacy and Responsible Information Sharing Bill 2024 and the Information Commissioner Bill 2024 can be accessed through the WA Parliament website at the following links:
Information Privacy Principles
The Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act) outlines 11 Information Privacy Principles (IPPs) in Schedule 1 to the PRIS Act. These are reproduced in Information Privacy Principles (PDF, 418KB). The official version is found in Schedule 1 to the PRIS Act. Read the OIC's Information Privacy Principles Summary for more information.