Privacy and Responsible Information Sharing Act 2024 and Record Keeping Obligations

Frequently Asked Questions (FAQs) - PRIS and Record Keeping

The Privacy and Responsible Information Sharing Act 2024 (WA) (PRIS Act) received Royal Assent on 6 December 2024.
The following FAQs may refer to some provisions of the PRIS Act that have not yet come into force.

Subject to decisions of government, it is anticipated that the privacy provisions of the PRIS Act will commence in 2026. Until that time, government organisations should continue to follow the Interim Privacy Position.

The Interim Privacy Position requires organisations to ensure their handling of personal information is consistent with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Commonwealth). There is close alignment between the APPs and the Information Privacy Principles (IPPs) that will come into effect under the PRIS Act.

Please contact your in-house general counsel or the State Solicitor’s Office (sso@sso.wa.gov.au) if you require legal advice.

The SRO acknowledges the Department of Premier and Cabinet, the State Solicitor's Office, the Department of Justice, the Office of the Information Commissioner and the State Records Advisory Committee for contributing to the development of these FAQs.

How should my organisation manage records containing personal information?

The IPPs guide the handling of personal information by ‘IPP entities’, including collection, use, disclosure and security.

Refer to Records Management Advice: Retention of Personal Information 
Refer also to the WA Government’s Interim Privacy Position
 

Can my organisation keep State records which contain personal information?

IPP 4.2 of the PRIS Act requires that IPP entities must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed for any purpose authorised under the IPPs, unless its retention is expressly required or authorised by or under another law. This includes solicited or unsolicited personal information (e.g. an email sent to the organisation by mistake).

Most government organisations have record keeping obligations under the State Records Act 2000 (WA) (Act). State records may only be destroyed or permanently de-identified in accordance with an approved Retention and Disposal Authority (RDA) issued by the State Records Commission.

State records are retained for different periods of time depending on the government activity to which they relate. Some State records will be retained permanently as a State archive. The retention period of a State record is determined by the circumstances of its creation and use, not merely by the fact that it contains personal information.

A government organisation is not required to destroy or permanently de-identify personal information if it is authorised or required to retain that information by the Act.

When a State record containing personal information is no longer authorised or required to be retained, it should be destroyed or permanently de-identified in accordance with IPP 4.2, having regard to your organisation’s documented procedures.

Refer to SRO Guideline: Records Retention, Disposal and Destruction 
Refer also to the guidance (Chapter 11: APP 11 Security of personal information) issued by the Office of the Australian Information Commissioner (OAIC) regarding APP 11, which is the Commonwealth equivalent to IPP 4.

My organisation only does standard disposal once a year. If we receive unsolicited personal information, should we continue to store it until the standard disposal is signed off?

If you have received personal information that was not requested by your organisation (i.e. unsolicited information), it may be redacted or destroyed upon receipt, as set out in item 71.3 of the General Retention and Disposal Authority for State Government Information (GRDASG 2023-004) and item 88.3 of the General Retention and Disposal Authority for Local Government Information (GRDALG 2023-005). This practice should be clearly documented in your relevant procedures.

Does my organisation have to retain copies of proof-of-identity documents?

It is not necessary to make copies of or retain documents that are sighted as proof of an individual’s identity. An officer should create a record that the relevant documents were sighted to verify an individual’s identity. Once the verification and validation process is complete, such documents should be returned to the individual and any unsolicited copies immediately destroyed or de-identified. 

This is authorised under GRDASG 71.2 or GRDALG 88.2 and the practice should be clearly documented in your relevant procedures. 

Refer to Records Management Advice: Retention of Personal Information

A client has written to request that we delete their personal information. Can their personal information be redacted or can the records be removed from our record keeping systems?

A State record, or personal information contained in a State record, cannot be deleted upon request. 

The State Records Act 2000 (the Act) sets out the requirements for record-keeping for all State and local government authorities in Western Australia. Under the Act, there are a number of retention and disposal authorities for categories of State records, which specify the minimum period of time for which different categories of State records must be retained, and authorise the destruction or archiving of records after this period has expired. When a State record containing personal information is no longer required to be retained, it should be destroyed or permanently de-identified in accordance with IPP 4.2, having regard to your organisation’s documented procedures.

Additionally, section 45 of the Freedom of Information Act 1992 (FOI Act) provides that individuals have a right to apply to an agency (as defined under the FOI Act) for amendment of personal information about them, if the information is inaccurate, incomplete, out of date or misleading. The amendment application must state the form of the amendment which includes whether the person wishes the amendment to be made by striking out or deleting the information. However, an agency cannot obliterate or remove information, or amend a document that results in its destruction, without written certification from the Information Commissioner.

For completeness, the PRIS Act will also provide that individuals may request an IPP entity to correct their personal information if it is not accurate, complete and up-to-date under IPP 6.5. However, IPP 6 will only apply to contracted service providers. 

Refer to Records Management Advice: Retention of Personal Information 
Refer also to guidance issued by the WA Office of the Information Commissioner (OIC WA)

A client has written to request that we correct their personal information. Can State records be altered?

Section 45 of the FOI Act provides that individuals have a right to apply to an agency for amendment of personal information about them, if the information is inaccurate, incomplete, out of date or misleading.

Section 48 of the FOI Act specifies the ways in which personal information may be amended in response to an amendment application.  Among other things, it provides that an agency is not to obliterate or remove information or destroy a document without written certification from the Information Commissioner. 

Government organisations should otherwise take reasonable steps to ensure that personal information they collect, use or disclose is accurate, complete and up-to-date, in accordance with IPP 3.  

Refer to Records Management Advice: Retention of Personal Information
Refer also to the guidance issued by the WA Office of the Information Commissioner (OIC WA) 

For completeness, the PRIS Act will also provide that individuals may request an IPP entity to correct their personal information if it is not accurate, complete and up-to-date under IPP 6.5. However, IPP 6 will only apply to contracted service providers.

 

Should personal information in State archives be redacted before release?

Access to State archives is provided for under the State Records Act 2000 Part 6.
Section 22 of the PRIS Act provides that the IPPs do not apply to the handling of information contained in a document that is, among other things, a State archive to which a person has a right to be given access under the State Records Act 2000 Part 6.

Can State records containing personal information be published on websites?

Some laws may require an organisation to publish (or “make available”) particular government records that may contain personal information, such as names or contact details. For example, Local Government Council Minutes and Agendas and Gift Registers are required under legislation to be posted on a Local Government’s website.

Section 22 of the PRIS Act provides that the IPPs do not apply to the handling of information contained in a document that is, among other things, published or available for inspection (whether for a fee or charge or not) under a written law. 

However, if agencies maintain a public register, Part 2 Division 7 of the PRIS Act contains additional obligations regarding the handling of personal information in public registers that they will need to be mindful of.
It is anticipated that the new Information Commissioner will provide guidance on this.

Where organisations include internal publications such as Record Keeping Plans or policies and procedures on their websites, organisations should consider publishing an outward facing version without personal and security-based information.

Our organisation collects a lot of information about client interactions. If we de-identify this information, can we continue to keep it longer than the retention period shown in a Retention and Disposal Authority?

IPP 4.2 provides that IPP entities must take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed for any purpose authorised under the IPPs, unless its retention is expressly required or authorised by or under another law.

Once personal information is properly de-identified, it no longer constitutes personal information. 
However, IPP entities must otherwise take reasonable steps to protect de-identified information from misuse and loss, and from unauthorised re-identification, access, modification or disclosure, in accordance with IPP 11.1.

In addition, organisations will need to be mindful of other record keeping obligations under a Retention and Disposal Authority that may still apply to the de-identified information.
