Download the printable brochure for the public: What are my privacy rights?
Does WA have a privacy law?
Yes, the Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act) introduces a new privacy regulatory framework which requires the Western Australian public sector to uphold responsible and transparent practices for handling personal information.
What is personal information?
Personal information is any information or an opinion relating to a person that identifies them or could reasonably be used to identify them. It doesn’t matter if the information is true or whether the person is living or has died.
Personal information includes name, date of birth, address, contact information, location information, unique identifiers (e.g. driver’s licence number or IP address) and information that relates to someone’s features or behaviour. It can include inferences made about people.
Who must comply with the PRIS Act?
The entities required to comply with the PRIS Act are known as “IPP entities”. They include Western Australian government departments, statutory authorities, the Police Force of Western Australia, Local Governments, Ministers, Parliamentary Secretaries, government trading enterprises and some contracted service providers to government.
Information Privacy Principles
The PRIS Act sets out 11 Information Privacy Principles that govern how an IPP entity must handle your personal information. They are:
Principle 1 – Collection
Principle 2 – Use and disclosure
Principle 3 – Information quality
Principle 4 – Information security
Principle 5 – Openness and transparency
Principle 6 – Access and correction
Principle 7 – Unique identifiers
Principle 8 – Anonymity
Principle 9 – Disclosures outside Australia
Principle 10 – Automated decision-making
Principle 11 – De-identified information
What are my rights when I am asked for my personal information?
You do not have to provide your personal information to an IPP entity in all circumstances.
You have the option of remaining anonymous when you deal with an IPP entity, unless the law or circumstances require you to identify yourself.
You have the right to be notified about what personal information an IPP entity is seeking, why they need it, who they might share it with, whether it is optional and what the consequences are if you choose not to provide the information.
An IPP entity must be fair and reasonable when they collect your personal information. In general, this means the collection should be necessary and not excessive, and should appropriately balance any impact on your privacy.
What are my rights about how my personal information is used?
Your personal information can generally only be used or disclosed for the purpose for which it was collected.
There are limited situations where an IPP entity is permitted to use or disclose your personal information for a different purpose. This includes where the law allows it, you have consented or the proposed use is something you would reasonably expect.
Even if you consent, an IPP entity’s use or disclosure of your personal information must also be fair and reasonable.
An IPP entity must inform you when an automated decision-making process is used to make a significant decision about you and provide you with the option to request human intervention.
What can I expect when an IPP entity handles my personal information?
IPP entities must protect your personal information, including preventing it from being lost, used in the wrong way or accessed by people who do not require access.
An IPP entity must keep your personal information accurate, complete and up to date. This is to ensure public sector decisions, services and records are reliable and do not result in unintended harms.
You have the right to view an IPP entity’s policy about how they handle personal information. This will usually be available on the entity’s website.
What are my rights to access or amend my personal information?
Where a public entity holds your personal information, you have existing rights to access or correct it under the Freedom of Information Act 1992 (WA) (FOI Act).
The PRIS Act provides you with additional rights to access or correct your personal information that a contracted service provider to government holds.
There is no wrong door. If you make an application to access and/or correct your personal information under the FOI Act or the PRIS Act but use the wrong legislation, we will treat your application as having been made under the correct law.
Right to make a privacy complaint
You have the right to make a complaint if you think an IPP entity has breached your privacy.
The Office of the Information Commissioner (OIC) can only investigate privacy complaints about acts or practices by an IPP entity that took place on or after 1 July 2026.
You should make a complaint directly to the IPP entity in the first instance. If you are dissatisfied with their response or you do not receive a response within a reasonable timeframe (usually 30 days) then you can make your complaint to the OIC.
Right to be notified when my personal information is breached
From 1 January 2027, you have the right to be notified if your personal information was involved in a breach that is likely to cause you serious harm.
A notifiable information breach might occur when there has been unauthorised access to, or disclosure of, your personal information, or where your personal information was lost in circumstances where unauthorised access or disclosure is likely.