Privacy and Responsible Information Sharing Act 2024 (WA)
Western Australia
This is the Privacy and Responsible Information Sharing Act 2024.
This Act comes into operation as follows —
(a) Part 1 — on the day on which this Act receives the Royal Assent;
(b) Part 7 —
(i) if the Criminal Law (Mental Impairment) Act 2023 section 156 comes into operation on or before the day on which Part 1 of this Act comes into operation under paragraph (a) — immediately after Part 1 of this Act comes into operation; or
(ii) otherwise — on the day on which the Criminal Law (Mental Impairment) Act 2023 section 156 comes into operation;
(c) the rest of the Act — on a day fixed by proclamation, and different days may be fixed for different provisions.
The objects of this Act are as follows —
(a) to promote responsible and transparent practices for handling personal information by IPP entities;
(b) to balance the public interest in protecting the privacy of personal information handled by IPP entities with the public interest in the free flow of information;
(c) to provide a means for individuals to complain about alleged interferences with their privacy;
(d) to promote responsible information security practices by IPP entities;
(e) to promote the responsible handling of information held by public entities as a public resource that supports government policy, programs and services;
(f) to facilitate the responsible collection, use and disclosure for permitted purposes of information held by public entities;
(g) to remove barriers that unnecessarily impede the responsible sharing of information held by public entities;
(h) to provide protections in connection with the sharing of information under this Act, including by —
(i) specifying the purposes for which, and the circumstances in which, information sharing is permitted or required; and
(ii) ensuring that information shared under this Act is protected from unauthorised use or disclosure.
4. Terms used
In this Act —
(a) in relation to a notifiable information breach, has the meaning given in section 58; or
(b) in relation to a determination by the Information Commissioner under section 107, has the meaning given in section 107(1);
(a) has reached 18 years of age; and
(b) qualifies for assistance under the Children and Community Services Act 2004 section 96 for the purposes of Part 4 Division 6 of that Act;
(a) the protection and care of children, unborn children and care leavers; or
(b) promoting the wellbeing of children, unborn children and care leavers, including their —
(i) care; and
(ii) physical, emotional, psychological and educational development; and
(iii) physical, emotional and psychological health; and
(iv) safety;
(a) means to obtain the information from any source or by any means; and
(b) includes to infer the information from, or generate the information by the use or interpretation of, other information;
(a) undertaking missing persons investigations;
(b) transferring individuals into the care or custody of another entity;
(c) supporting victims of crime;
(d) locating next of kin;
(e) employing diversionary strategies;
(f) coordinating operational response and dispatch;
(g) other functions prescribed by the regulations;
(a) information that is required to be kept confidential because of a contractual or equitable obligation; or
(b) any other information the disclosure of which would prejudice any person’s legitimate business, professional, commercial or financial interests;
(a) an electronic database or document system; and
(b) any other means by which a document can be given or accessed electronically;
(a) personal information that relates to —
(i) the health (at any time) of an individual; or
(ii) the disability (at any time) of an individual; or
(iii) an individual’s expressed wishes about the future provision of health services to the individual; or
(iv) a health service provided, or to be provided, to an individual;
or
(b) other personal information collected to provide, or in providing, a health service;
(a) a health service as defined in the Health Services Act 2016 section 7;
(b) the supply or prescription of a medicine by a person registered under the Health Practitioner Regulation National Law (Western Australia);
(c) the prescription, supply or administration of a voluntary assisted dying substance under the Voluntary Assisted Dying Act 2019;
(d) a service or activity, provided in conjunction with a service or activity referred to in paragraph (a), (b) or (c), of a class prescribed by the regulations;
(a) unauthorised access to, or unauthorised disclosure of, information; or
(b) loss of information;
(a) the Police Force of Western Australia; or
(b) the Corruption and Crime Commission established under the Corruption, Crime and Misconduct Act 2003 section 8; or
(c) the Parliamentary Inspector of the Corruption and Crime Commission appointed under the Corruption, Crime and Misconduct Act 2003 section 189; or
(d) a commission established under a written law or a law of the Commonwealth, another State or a Territory that has the function of investigating criminal activity or a class of criminal activity; or
(e) the Mental Impairment Review Tribunal established under the Criminal Law (Mental Impairment) Act 2023 section 156; or
(f) the Prisoners Review Board established under the Sentence Administration Act 2003 section 102; or
(g) the Supervised Release Review Board established under the Young Offenders Act 1994 section 151; or
(h) the department of the Public Service principally assisting in the administration of the Sentence Administration Act 2003 Part 8; or
(i) the department of the Public Service principally assisting in the administration of the Police Act 1892; or
(j) the Director of Public Prosecutions appointed under the Director of Public Prosecutions Act 1991 section 5; or
(k) the Commissioner of State Revenue appointed in accordance with the Taxation Administration Act 2003 section 6; or
(l) the sheriff referred to in the Supreme Court Act 1935 section 156; or
(m) the Australian Crime Commission established by the Australian Crime Commission Act 2002 (Commonwealth) section 7; or
(n) the Australian Federal Police; or
(o) the police force of another State or a Territory; or
(p) a public entity not covered by another paragraph of this definition that is responsible for the performance of functions related to —
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or contraventions of a law that are subject to a penalty or sanction; or
(ii) the management of property seized or restrained under a law relating to the confiscation of proceeds of crime; or
(iii) the enforcement of a law, or of an order made under a law, relating to the confiscation of proceeds of crime; or
(iv) the execution or implementation of orders made by a court or tribunal; or
(v) the protection of public revenue;
or
(q) a body, or the holder of an office, prescribed by the regulations;
(a) means functions of the law enforcement agency that relate to —
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or contraventions of a law that are subject to a penalty or sanction; or
(ii) the management of property seized or restrained under a law relating to the confiscation of proceeds of crime; or
(iii) the enforcement of a law, or of an order made under a law, relating to the confiscation of proceeds of crime; or
(iv) the preparation for or conduct of proceedings in a court or tribunal; or
(v) the execution or implementation of orders made by a court or tribunal; or
(vi) the protection of public revenue;
and
(b) includes, in the case of the Police Force of Western Australia, community policing functions;
(a) the principal officer of the entity; and
(b) a person employed in, by, or for the purposes of, the entity; and
(c) if the entity is a body (whether incorporated or not) constituted by 2 or more persons — any of those persons;
(a) a Parliamentary Secretary appointed under the Constitution Acts Amendment Act 1899 section 44A(1); or
(b) the Parliamentary Secretary of the Cabinet;
(a) means information or an opinion, whether true or not, and whether recorded in a material form or not, that relates to an individual, whether living or dead, whose identity is apparent or can reasonably be ascertained from the information or opinion; and
(b) includes information of the following kinds to which paragraph (a) applies —
(i) a name, date of birth or address;
(ii) a unique identifier, online identifier or pseudonym;
(iii) contact information;
(iv) information that relates to an individual’s location;
(v) technical or behavioural information in relation to an individual’s activities, preferences or identity;
(vi) inferred information that relates to an individual, including predictions in relation to an individual’s behaviour or preferences and profiles generated from aggregated information;
(vii) information that relates to 1 or more features specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity of an individual;
(a) an assessment of a function or activity of an IPP entity conducted under section 79 or in compliance with a direction under section 80; or
(b) an assessment of a relevant activity to be carried out under a proposed information sharing agreement conducted under section 176;
(a) is held by a public entity; and
(b) contains information that a person was required or permitted to give to that public entity under a written law; and
(c) is published, or available for inspection by members of the public (whether for a fee or charge or not), under a written law (other than as a result of a request for access under this Act or an application for access under the Freedom of Information Act 1992 Part 2);
(a) in relation to a public entity that is a department as defined in the Public Sector Management Act 1994 section 3(1) — the Minister responsible for the administration of the department; or
(b) in relation to a public entity to which paragraph (a) does not apply —
(i) for a public entity established or appointed under an enactment — the Minister to whom the administration of the enactment is from time to time committed by the Governor; or
(ii) for a public entity that is not established or appointed under an enactment — the Minister to whom the administration of the public entity is from time to time committed by the Governor;
or
(c) in relation to a secrecy provision — the Minister to whom the administration of the secrecy provision is from time to time committed by the Governor;
(a) means an officer of the entity who has managerial responsibility; and
(b) includes the principal officer of the entity;
(a) relates to Aboriginal people and their ancestors; and
(b) was collected in the period from 1898 until 1972 for the purposes of implementing laws, and government policies and practices, applying specifically to Aboriginal people;
(a) that relates to an individual’s —
(i) racial or ethnic origin; or
(ii) gender identity, in a case where the individual’s gender identity does not correspond with their designated sex at birth; or
(iii) sexual orientation or practices; or
(iv) political opinions; or
(v) membership of a political association; or
(vi) religious beliefs or affiliations; or
(vii) philosophical beliefs; or
(viii) membership of a professional or trade association; or
(ix) membership of a trade union; or
(x) criminal record;
or
(b) that is health information; or
(c) that is genetic or genomic information (other than health information); or
(d) that is biometric information; or
(e) from which information of a kind referred to in any of paragraphs (a) to (d) can reasonably be inferred;
(a) means a number or other identifier assigned by an entity to an individual to uniquely identify that individual for the purposes of the operations of the entity; but
(b) does not include an identifier that consists only of the individual’s name;
A reference in this Act to an IPP followed by a designation is a reference to the provision with that designation in Schedule 1.
(1) A public entity is —
(a) a department of the Public Service; or
(b) an entity specified in the Public Sector Management Act 1994 Schedule 2 column 2; or
(c) the Police Force of Western Australia; or
(d) a local government, regional local government or regional subsidiary; or
(e) a body, or the holder of an office, that is established for a public purpose under a written law; or
(f) a body, or the holder of an office, that is established by the Governor or a Minister; or
(g) a judicial body; or
(h) any other body, or the holder of any other office, that is prescribed by the regulations to be a public entity, being —
(i) a body or office that is established under a written law; or
(ii) a corporation or association over which control can be exercised by the State, a Minister, a body referred to in paragraph (a), (b), (e) or (f) or subparagraph (i), or the holder of an office referred to in paragraph (f) or subparagraph (i).
(2) Despite subsection (1), each of the following is not a public entity —
(a) the Governor or the Governor’s establishment;
(b) the Legislative Council or a member or committee of the Legislative Council;
(c) the Legislative Assembly or a member or committee of the Legislative Assembly;
(d) a joint committee or standing committee of the Legislative Council and the Legislative Assembly;
(e) a Royal Commission or member of a Royal Commission;
(f) a department of the staff of Parliament referred to in the Parliamentary and Electorate Staff (Employment) Act 1992;
(g) a person holding an office established under a written law for the purposes of a body referred to in any of paragraphs (a) to (f).
(3) Except to the extent provided by section 199 and regulations made under subsection (4), a person is not a separate public entity for the purposes of this Act by reason of —
(a) holding office as a member or other officer of a public entity; or
(b) holding an office established for the purposes of a public entity.
(4) The regulations may provide that, for the purposes of this Act or specified provisions of this Act —
(a) a specified body, or the holder of a specified office, is not a separate public entity but is part of a specified public entity; or
(b) a specified body, or the holder of a specified office, is a separate public entity and is not part of another public entity.
7. Judicial bodies
(1) A judicial body is a court or tribunal established under a written law.
(2) A registry or other office of a judicial body, and the staff of such a registry or other office, are part of the judicial body.
(3) A person holding judicial or quasi‑judicial office is not themselves, and is not part of, a judicial body or other public entity.
(1) A State services contract is a contract between a public entity (the outsourcing entity) and another person (other than a public entity) under which services are provided to the outsourcing entity or to other persons on behalf of the outsourcing entity.
(2) A contracted service provider is —
(a) a party to a State services contract who provides services to or on behalf of an outsourcing entity under the contract; or
(b) a person who is a subcontractor (whether direct or indirect) of a person referred to in paragraph (a) for the purposes of the State services contract.
Note for this subsection:
Part 2 Division 11 provides for how Part 2 and the information privacy principles apply in relation to contracted service providers.
(1) The principal officer of a Minister or Parliamentary Secretary is the Minister or Parliamentary Secretary.
(2) The principal officer of a public entity is —
(a) in relation to a department of the Public Service or an entity specified in the Public Sector Management Act 1994 Schedule 2 column 2 — the chief executive officer or chief employee of the department or entity; or
(b) in relation to the Police Force of Western Australia — the Commissioner of Police; or
(c) in relation to a local government — the chief executive officer of the local government; or
(d) in relation to a regional local government — the chief executive officer of the regional local government; or
(e) in relation to a regional subsidiary — the person who manages the affairs of the regional subsidiary; or
(f) in relation to any other public entity —
(i) if the regulations prescribe a person to be the principal officer of the public entity — that person; or
(ii) otherwise — the person determined under subsection (4).
(3) The principal officer of a contracted service provider is —
(a) if the relevant State services contract designates a person with managerial responsibility in relation to the contracted service provider as the principal officer of the contracted service provider for the purposes of this Act — that person; or
(b) otherwise — the person determined under subsection (4).
(4) For the purposes of subsection (2)(f)(ii) or (3)(b), the person is —
(a) if the public entity or contracted service provider consists of 1 person (other than a body corporate) — that person; or
(b) if the public entity or contracted service provider is a body (whether incorporated or not) constituted by 2 or more persons — the person entitled to preside at any meeting of the body at which the person is present; or
(c) otherwise — the person responsible for managing the affairs of the public entity or contracted service provider.
10. Disclosure by public entities and other IPP entities
A reference in this Act to a public entity or other IPP entity
(a) includes a reference to the entity making the information publicly available; and
(b) does not include a reference to the entity disclosing the information to the entity itself or to an officer of the entity.
(1) To de‑identify personal information means to modify, or apply a process to, the information, with the result that the identity of an individual is not apparent, and cannot reasonably be ascertained, from the information.
(2) Information is de‑identified information at a particular time if, at that time —
(a) the information has been de‑identified; and
(b) the identity of an individual is not apparent, and cannot reasonably be ascertained, from the information.
(3) To re‑identify de‑identified information means to modify, or apply a process to, the information, with the result that the information again becomes personal information.
(1) A data set is an organised collection of information in a form that is capable of being analysed or processed (whether by an individual or an automated system).
(2) Data analytics work —
(a) is the examination and analysis of information for the purpose of drawing conclusions as a result of that examination and analysis; but
(b) does not include data linkage or data integration.
(3) Data linkage is a process for —
(a) detecting instances where separate records (whether within a single data set or different data sets) appear to relate to the same individual, family, place, event or matter; and
(b) assigning an identifier (a data linkage key) to enable related records to be linked.
(4) Data integration is the combination or collation of information in 2 or more data sets, whether using data linkage keys or by another process.
This Act binds the Crown in right of Western Australia and, so far as the legislative power of the Parliament permits, the Crown in all its other capacities.
(1) The Information Commissioner has the following functions under this Act —
(a) to promote the understanding of matters relating to the information privacy principles and this Part;
(b) to promote the objects of this Act set out in section 3(a) to (e);
(c) to promote compliance with the information privacy principles and this Part;
(d) to prepare and make available information and material in relation to protecting the privacy of personal information;
(e) to provide assistance to members of the public and IPP entities in relation to any matter relevant to the operation of this Part;
(f) to undertake reviews of any matter relating to the privacy of personal information, on request by the Privacy Minister or on the Commissioner’s own initiative;
(g) to report and make recommendations on any matter relating to the privacy of personal information;
(h) to undertake, participate in or promote research in relation to any matter relating to the privacy of personal information;
(i) any other function given to the Information Commissioner under this Act.
(2) The Privacy Deputy Commissioner also has all the functions of the Information Commissioner under this Act, other than the following —
(a) giving approvals under section 142(3) and directions under section 142(4);
(b) any function in relation to a report under Subdivision 2;
(c) any function in relation to consultation under section 202(2) or serving as a member of the Privacy and Responsible Information Sharing Advisory Committee.
Note for this section:
The
(1) The functions under this Act that are functions of both the Information Commissioner and the Privacy Deputy Commissioner are the privacy functions.
(2) A privacy function may be performed —
(a) by the Information Commissioner; or
(b) by the Privacy Deputy Commissioner, subject to subsection (3) and any direction given under subsection (4).
(3) The Privacy Deputy Commissioner must obtain the approval of the Information Commissioner before performing any of the following privacy functions —
(a) making a public interest determination under section 45(1);
(b) making a temporary public interest determination under section 49(1);
(c) extending a temporary public interest determination under section 52(3);
(d) revoking a public interest determination or temporary public interest determination under section 54(1) or (2);
(e) making a notifiable information breach determination under section 60(1);
(f) amending or repealing a notifiable information breach determination;
(g) issuing privacy guidelines under section 148(1);
(h) amending or revoking privacy guidelines under section 148(2).
(4) The Information Commissioner may direct the Privacy Deputy Commissioner as to —
(a) which of the privacy functions the Privacy Deputy Commissioner is to perform; and
(b) the manner in which the Privacy Deputy Commissioner must perform any privacy function.
(5) If the Privacy Deputy Commissioner performs a privacy function —
(a) the Privacy Deputy Commissioner performs the function in the Privacy Deputy Commissioner’s own right and not on behalf of the Information Commissioner; and
(b) the Privacy Deputy Commissioner may perform the function upon the Privacy Deputy Commissioner’s own belief or state of mind (to the extent that the performance or exercise is dependent on the belief or state of mind of the Information Commissioner); and
(c) the performance of the function is as effectual for all purposes as if it were performed by the Information Commissioner; and
(d) a reference in this Act or another written law to anything done by, to, or in relation to, the Information Commissioner in connection with the function includes a reference to the thing as done by, to, or in relation to, the Privacy Deputy Commissioner; and
(e) the Information Commissioner is not prevented from performing the same function on another occasion (in relation to a different matter).
143. Certain functions cannot be delegated
The following privacy functions cannot be delegated by the Information Commissioner or the Privacy Deputy Commissioner under the
(a) making a public interest determination under section 45(1);
(b) making a temporary public interest determination under section 49(1);
(c) extending a temporary public interest determination under section 52(3);
(d) revoking a public interest determination or temporary public interest determination under section 54(1) or (2);
(e) making a notifiable information breach determination under section 60(1);
(f) amending or repealing a notifiable information breach determination;
(g) making an order to give effect to a conciliation agreement under section 98(3);
(h) determining a privacy complaint under section 104(1);
(i) making a determination following an investigation under section 107(1);
(j) issuing a compliance notice under section 122(1);
(k) issuing privacy guidelines under section 148(1);
(l) amending or revoking privacy guidelines under section 148(2).
In performing their functions under this Act, the Information Commissioner and Privacy Deputy Commissioner must have regard to the objects of this Act.
The Information Commissioner or Privacy Deputy Commissioner may request an IPP entity to provide any assistance that that Commissioner reasonably considers appropriate to perform their functions under this Act.
(1) Without limiting the Information Commissioner Act 2024 section 32, the Information Commissioner must include the following information in the annual report required under that section for a financial year —
(a) the number of applications for public interest determinations made under section 46 and the outcome of those applications;
(b) the number of applications for temporary public interest determinations made under section 50 and the outcome of those applications;
(c) the number of applications for extensions of temporary public interest determinations made under section 52(1) and the outcome of those applications;
(d) the number of privacy complaints made and the outcome of those complaints;
(e) the number of applications for review made to the State Administrative Tribunal under sections 70(5), 90(5), 91(3), 105, 108 and 124 and the outcome of those applications;
(f) the number of appeals made to the Supreme Court under the State Administrative Tribunal Act 2004 section 105 from decisions of the State Administrative Tribunal on applications referred to in paragraph (e) and the outcome of those appeals;
(g) the number of notifiable information breaches notified under section 62;
(h) the number, or an estimate of the number, of affected individuals in relation to notifiable information breaches notified under section 62;
(i) the number of compliance notices issued under section 122;
(j) any other information prescribed by the regulations.
(2) A public entity must provide the Information Commissioner with any information the Information Commissioner requires for the purposes of including the matters referred to in subsection (1) in the annual report.
(1) The Information Commissioner may, if the Information Commissioner considers it to be in the public interest to do so —
(a) prepare a report on —
(i) any matter arising in connection with the performance of the privacy functions; or
(ii) any act or practice of an IPP entity that the Information Commissioner considers to be an interference with the privacy of an individual;
and
(b) submit the report to the President of the Legislative Council and the Speaker of the Legislative Assembly.
(2) A report under subsection (1) may include recommendations.
(3) The President or Speaker must cause a copy of a report submitted to them under subsection (1) to be laid before the Legislative Council or Legislative Assembly, as the case requires, within 15 sitting days of that House after the report is submitted.
(1) The Information Commissioner may issue guidelines —
(a) in relation to any matter required or permitted by this Part or section 176 to be the subject of privacy guidelines; or
(b) to provide information and guidance in relation to the application and administration of the information privacy principles and this Part.
(2) The Information Commissioner may amend or revoke privacy guidelines.
(3) The Information Commissioner may consult with any person or body the Commissioner considers appropriate before issuing, amending or revoking any privacy guidelines.
(4) The Information Commissioner must ensure that privacy guidelines are made publicly available.
Note for this section:
Section 221 makes provision for the status and effect of privacy guidelines.
(1) The regulations may make provision for how documents are to be made publicly available by the Information Commissioner or an entity for the purposes of any provision of this Part.
(2) If a provision of this Part requires or permits the Information Commissioner to make a document publicly available, the Commissioner must comply with that requirement or exercise that power —
(a) if regulations under subsection (1) apply — in accordance with those regulations; or
(b) otherwise — by making the document publicly available in the manner the Commissioner considers appropriate.
150. Notices of decisions or determinations
Without limiting any other provision of this Part, the Information Commissioner must include the following information in a notice of a decision or determination of the Commissioner given under this Part —
(a) the day on which the decision or determination was made;
(b) the name and designation of the person who made the decision or determination;
(c) the reasons for the decision or determination;
(d) any right under this Act to apply for a review of the decision or determination.
A Chief Data Officer must be appointed under the
(1) For the purposes of a reference to a public entity in this Part —
(a) the Chief Data Officer is to be treated as a separate public entity and not as part of the information sharing Department; and
(b) the Chief Data Officer is to be treated as the principal officer of that public entity.
(2) Without limiting subsection (1), the Chief Data Officer may, on the Chief Data Officer’s own initiative, make information sharing requests and enter into information sharing agreements as a public entity under this Part.
(3) Subsection (1) does not affect —
(a) the power under section 207 for the Chief Data Officer to delegate to an officer of the information sharing Department; or
(b) the requirement under section 211 for matters relating to the Chief Data Officer to be included in the annual report in respect of the information sharing Department referred to in that section.
200. Functions of Chief Data Officer
(1) The Chief Data Officer has the following functions —
(a) on request by a public entity or Minister or on the Chief Data Officer’s own initiative, to undertake data analytics work, data integration and data linkage on information disclosed to the Chief Data Officer under this Part;
(b) to disclose or make publicly available information generated from undertaking data analytics work, data integration or data linkage if the Chief Data Officer considers it appropriate to do so;
(c) to do anything the Chief Data Officer may do as a public entity under this Part (including as referred to in section 199(2));
(d) to promote the objects of this Act;
(e) to build the capability of public entities to share information in accordance with this Part;
(f) to prepare and make available information and material in relation to the sharing of information in accordance with this Part;
(g) to provide assistance to public entities and external entities in relation to the sharing of information in accordance with this Part;
(h) to provide advice to the Information Sharing Minister or to any other person or body about any matters relating to the sharing of information held by public entities;
(i) to oversee and monitor the use of information sharing agreements;
(j) to promote and support the responsible sharing of information between public entities in the State and agencies and instrumentalities in other jurisdictions;
(k) any other functions given to the Chief Data Officer under this Act or another written law.
(2) The Chief Data Officer has all the powers that are needed for the performance of the Chief Data Officer’s functions.
(1) The Chief Data Officer may issue guidelines —
(a) in relation to any matter required or permitted by this Part to be the subject of Chief Data Officer guidelines; or
(b) to provide information and guidance in relation to matters relating to this Part and the responsible sharing principles.
(2) Without limiting subsection (1)(b), guidelines may be issued in relation to any of the following —
(a) the form and contents of information sharing agreements, including template provisions for inclusion in information sharing agreements;
(b) processes to be followed before entering into information sharing agreements;
(c) processes and safeguards relating to the handling of information shared under this Part, including for the purposes of protecting —
(i) the privacy of individuals; and
(ii) the confidentiality and security of information;
(d) the management of risks relating to the sharing of information under this Part;
(e) the use of information shared under this Part for activities involving data analytics work, data integration or data linkage, including in relation to the design and governance of those activities.
(3) The Chief Data Officer may amend or revoke Chief Data Officer guidelines.
(4) The Chief Data Officer must ensure that Chief Data Officer guidelines are made publicly available.
Note for this section:
Section 221 makes provision for the status and effect of Chief Data Officer guidelines.
(1) The Chief Data Officer may consult with any person or body the Chief Data Officer considers appropriate before issuing, amending or revoking any guidelines under section 201.
(2) The Chief Data Officer must consult with the Information Commissioner before issuing, amending or revoking under section 201 any guidelines that relate to the handling of personal information or the privacy of individuals.
(3) The Chief Data Officer must consult with the Privacy and Responsible Information Sharing Advisory Committee before issuing, amending or revoking under section 201 any guidelines for the purpose of section 177(6).
In performing functions under this Act, the Chief Data Officer must have regard to the objects of this Act.
(1) A committee called the Privacy and Responsible Information Sharing Advisory Committee is established.
(2) The committee consists of the following members —
(a) the Chief Data Officer;
(b) the Information Commissioner;
(c) at least 2, and no more than 5, other members appointed by the Information Sharing Minister.
(3) The Information Sharing Minister must ensure that each person appointed under subsection (2)(c) has appropriate qualifications, skills or experience relevant to the functions of the committee.
(4) Before appointing a person under subsection (2)(c), the Information Sharing Minister must consult with the Privacy Minister.
(5) A person may be appointed under subsection (2)(c) —
(a) for a period not exceeding 3 years; and
(b) on a full‑time basis or part‑time basis.
(6) A person who has been appointed under subsection (2)(c) is eligible for reappointment.
(1) The Privacy and Responsible Information Sharing Advisory Committee has the function of advising the Chief Data Officer in relation to the performance of the Chief Data Officer’s functions.
(2) Without limiting subsection (1), the Privacy and Responsible Information Sharing Advisory Committee may give the Chief Data Officer advice in relation to the following —
(a) balancing the public interest in the protection of privacy with the public interest in the free flow of information;
(b) community expectations in relation to the matters referred to in section 177(6)(a) to (e);
(c) technical best practices in relation to the handling of information;
(d) developments in industry or other jurisdictions relevant to the handling of information.
(3) The Privacy and Responsible Information Sharing Advisory Committee may consult with any person or body for the purposes of providing advice to the Chief Data Officer.
(1) The regulations may make provision for or in relation to the Privacy and Responsible Information Sharing Advisory Committee.
(2) Without limiting subsection (1), regulations made under that subsection may make provision for or in relation to any of the following —
(a) the appointment of a chairperson and deputy chairperson of the committee;
(b) the conditions of appointment of members of the committee appointed under section 204(2)(c), including remuneration, allowances and leave;
(c) the resignation or removal of members of the committee appointed under section 204(2)(c);
(d) meetings and procedures of the committee, including the management of any conflicts of interest relating to the committee.
(3) Subject to any regulations made under subsection (1), the committee may determine its own procedures.
(1) The Chief Data Officer may delegate to a person employed or engaged in the information sharing Department any power or duty of the Chief Data Officer under another provision of this Act.
(2) The delegation must be in writing signed by the Chief Data Officer.
(3) A person to whom a power or duty is delegated under this section cannot delegate that power or duty.
(4) A person exercising or performing a power or duty that has been delegated to the person under this section is taken to do so in accordance with the terms of the delegation unless the contrary is shown.
(5) Nothing in this section limits the ability of the Chief Data Officer to perform a function through an officer or agent.
(1) In this section —
(a) the Chief Data Officer; or
(b) a member of the Privacy and Responsible Information Sharing Advisory Committee; or
(c) a person employed or engaged in the information sharing Department.
(2) A relevant official must not, directly or indirectly, record, disclose or use information obtained in the administration of this Act.
Penalty for this subsection: a fine of $6 000.
(3) Subsection (2) does not apply to the recording, disclosure or use of statistical or other information that is not personal information.
(4) A relevant official does not commit an offence under subsection (2) if the recording, disclosure or use of the information is authorised under subsection (5).
(5) The recording, disclosure or use of information to which subsection (2) applies is authorised if the information is recorded, disclosed or used —
(a) for the purpose of, or in connection with, performing a function under this Act; or
(b) as permitted or required by this Act or another written law; or
(c) for the purposes of legal proceedings arising out of the administration of this Act or another written law; or
(d) with the written consent of the person to whom the information relates; or
(e) in circumstances prescribed by the regulations.
Subdivision 4 – Making documents publicly available
(1) The regulations may make provision for how documents are to be made publicly available by the Chief Data Officer or an entity for the purposes of any provision of this Part.
(2) If a provision of this Part requires or permits the Chief Data Officer to make a document publicly available, the Chief Data Officer must comply with that requirement or exercise that power —
(a) if regulations under subsection (1) apply — in accordance with those regulations; or
(b) otherwise — by making the document publicly available in the manner the Chief Data Officer considers appropriate.
A person commits an offence if the person gives to the Information Commissioner or Chief Data Officer a document or information that the person knows to be false or misleading in a material particular.
Penalty: a fine of $6 000.
(1) The following actions by a public entity or other IPP entity must be taken for the entity by the principal officer or by an officer authorised by the principal officer for that purpose (either generally or in a particular case) —
(a) making any application or submission, or giving any notice or other document, to the Information Commissioner under this Act;
(b) giving any notice or other document to the Chief Data Officer under this Act (subject to subsection (2));
(c) conducting, or preparing a report on, any assessment required under this Act.
(2) The following actions by a public entity must be taken for the entity by the principal officer or by a senior officer authorised by the principal officer for that purpose (either generally or in a particular case) —
(a) making an information sharing request;
(b) responding to an information sharing request;
(c) entering into an information sharing agreement;
(d) responding to an information holdings request.
(3) Subject to subsections (1) and (2), any act done or practice engaged in by an officer of a public entity or other IPP entity, acting in their capacity as officer and within the scope of their actual or apparent authority, is taken for the purposes of this Act to have been done or engaged in by the entity.
(1) In this section —
(a) knowledge, intention, opinion, belief, suspicion or purpose; and
(b) reasons for an intention, opinion, belief, suspicion or purpose.
(2) If this Act refers to a state of mind of a public entity or other IPP entity, the entity is considered to have that state of mind if an officer of the entity, acting in their capacity as officer and within the scope of their actual or apparent authority, has that state of mind.
(1) In this section —
(a) the Privacy Minister; or
(b) the Information Sharing Minister; or
(c) the Chief Data Officer; or
(d) a member of the Privacy and Responsible Information Sharing Advisory Committee; or
(e) a person employed or engaged in the information sharing Department.
(2) No civil liability is incurred by a relevant official for anything that the relevant official has done, in good faith, in the performance or purported performance of a function under this Act.
(3) The protection given by this section applies even though the thing done as described in subsection (2) may have been capable of being done whether or not this Act had been enacted.
(4) Despite subsection (2), the State is not relieved of any liability that it might have for a relevant official having done anything as described in that subsection.
(5) Subsection (2) does not affect the operation of section 181.
(6) In this section, a reference to the doing of anything includes a reference to an omission to do anything.
(1) The regulations may make provision for or in relation to the following —
(a) the giving of a document required or permitted to be given under this Act (including the giving of the document by electronic means);
(b) the time at which the document is taken to have been given;
(c) the means of satisfying a requirement under this Act in relation to a document in writing (for example, a requirement that the original of a document be given or that a document be signed) if the document is given by electronic means.
(2) This section applies to a requirement or permission to give a document whether the term “give”, “issue”, “send” or “serve”, or any other similar term, is used.
(1) This section applies if —
(a) a provision of this Act requires a Minister (the relevant Minister) to cause a document to be laid before each House of Parliament, or dealt with under this section, within a specified period; and
(b) at the beginning of the period, a House of Parliament is not sitting; and
(c) in the relevant Minister’s opinion, the House will not sit before the end of the period.
(2) The relevant Minister must send the document to the Clerk of the House before the end of the period.
(3) When the document is sent to the Clerk of the House it is taken to have been laid before the House.
(4) The laying of the document that is taken to have occurred under subsection (3) must be recorded in the Minutes, or Votes and Proceedings, of the House on the first sitting day of the House after the Clerk receives the document.
(1) Privacy guidelines and Chief Data Officer guidelines are not subsidiary legislation for the purposes of the Interpretation Act 1984.
(2) If there is a conflict or inconsistency between a provision of this Act and a provision of privacy guidelines or Chief Data Officer guidelines, the provision of this Act prevails.
(3) A requirement under this Act to have regard to privacy guidelines or Chief Data Officer guidelines does not —
(a) derogate from a duty to exercise discretion in a particular case; or
(b) prevent a person from having regard to matters not set out in the guidelines; or
(c) require the entity to have regard to guidelines that are inconsistent with a provision of this Act.
222. Regulations
(1) The Governor may make regulations prescribing matters —
(a) required or permitted by this Act to be prescribed; or
(b) necessary or convenient for giving effect to the purposes of this Act.
(2) Without limiting any other provision of this Act, regulations may make provision for or in relation to the following —
(a) applications under this Act;
(b) forms for the purposes of this Act;
(c) fees or charges in relation to any matter under this Act.
(3) Regulations for the purposes of section 6(1)(h) or (4) or 9(2)(f)(i) can only be made on the recommendation of the Privacy Minister and the Information Sharing Minister.
(1) In this section —
(2) The following information privacy principles apply only in relation to personal information collected on or after commencement day —
(a) IPP 1;
(b) IPP 7;
(c) IPP 8;
(d) IPP 10.
(3) The following information privacy principles apply in relation to personal information whether collected before, on or after commencement day —
(a) IPP 2;
(b) IPP 3;
(c) IPP 4;
(d) IPP 5;
(e) IPP 6;
(f) IPP 9.1.
(4) The following information privacy principles apply to de‑identified information whether collected before, on or after commencement day —
(a) IPP 9.2;
(b) IPP 11.
224. Application of approved privacy codes of practice
(1) In this section —
(2) To the extent that an approved privacy code of practice modifies the application of an IPP referred to in section 223(2), or provides for how an IPP referred to in section 223(2) is to be applied or complied with, the approved privacy code of practice applies only in relation to personal information collected on or after commencement day.
(3) Any other provision of an approved privacy code of practice applies in relation to personal information or de‑identified information whether collected before, on or after commencement day.
(4) Subsections (2) and (3) apply subject to any provision of the approved privacy code of practice that provides for the approved privacy code of practice, or any provision of it, to apply only in relation to information collected on or after a day that is later than commencement day.
(1) In this section —
(2) For the purposes of section 57, a notifiable information breach may occur in relation to personal information held by an IPP entity whether the personal information was collected before, on or after commencement day.
(1) In this section —
(2) Part 2 Division 7 applies to personal information contained, or proposed to be contained, in a public register whether the personal information was collected before, on or after commencement day.
(1) In this section —
(2) The requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment before first performing a high privacy impact function or activity does not apply in relation to a function or activity that the IPP entity started to perform before commencement day.
(3) Subsection (2) does not limit —
(a) any requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment before making a significant change to the way in which personal information is handled as part of a high privacy impact function or activity that the IPP entity started to perform before commencement day; or
(b) any requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment in relation to an activity that the IPP entity first performs on or after commencement day, even if the activity is performed in connection with a function that the IPP entity started to perform before commencement day; or
(c) the Information Commissioner’s power to issue a direction under section 80 in relation to a function or activity that an IPP entity started to perform before commencement day.
228. State services contracts entered into before commencement day
(1) In this section —
(2) This Act applies in relation to a provision of a State services contract of the kind referred to in section 129 even if that provision was included in the contract before commencement day.
(3) Section 140(2) does not apply in relation to a State services contract entered into before commencement day.
(1) In this section —
(a) means a matter or issue of a transitional nature that arises as a result of the enactment of this Act or the coming into operation of any provisions of this Act or regulations made under it; and
(b) includes a savings or application matter.
(2) If there is not sufficient provision in this Part for dealing with a transitional matter, regulations may prescribe anything required, necessary or convenient to be prescribed in relation to the matter.
(3) Without limiting subsection (2), regulations made for the purposes of that subsection may provide that specified provisions of this Act —
(a) do not apply to, or in relation to, a specified matter or thing; or
(b) apply with specified modifications to, or in relation to, a specified matter or thing.
(4) If regulations made for the purposes of subsection (2) provide that a specified state of affairs is taken to have existed, or not to have existed, on and from a day that is earlier than the day on which the regulations are published in accordance with the Interpretation Act 1984 section 41(1)(a) but not earlier than the day on which this section comes into operation, the regulations have effect according to their terms.
(5) If regulations made for the purposes of subsection (2) contain a provision of a kind described in subsection (4), the provision does not operate so as —
(a) to affect in a manner prejudicial to any person (other than the State or an authority of the State) the rights of that person existing before the day of publication of those regulations; or
(b) to impose liabilities on any person (other than the State or an authority of the State) in respect of anything done or omitted to be done before the day of publication of those regulations.
This Part amends this Act.
In section 4 in the definition of
(e) the Mental Impairment Review Tribunal established under the Criminal Law (Mental Impairment) Act 2023 section 156; or
This is a compilation of the
51 of 2024 | 6 Dec 2024 | Pt. 1 and 7: 6 Dec 2024 (see s. 2(a) and (b)(i)); Pt. 2 Div. 12, Pt. 3 Div. 8, Pt. 4 and 5: 1 Jul 2025 (see s. 2(c) and SL 2025/102 cl. 2) |
To view the text of the uncommenced provisions see
51 of 2024 | 6 Dec 2024 | To be proclaimed (see s. 2(c)) |
Defined term | Provision(s)
Aboriginal community controlled organisation | 4
Aboriginal information assessment | 4
Aboriginal information use plan | 4
act | 4
affected individual | 4
approved form | 4
approved privacy code of practice | 4
assessed notifiable information breach | 4
assessed shared information breach | 4
Australian Information Commissioner | 4
authorised officer | 4
automated decision-making process | 4
automated system | 4
care leaver | 4
Chief Data Officer | 4
Chief Data Officer guidelines | 4
child | 4
child protection functions | 4
collect | 4
commencement day | 223(1), 224(1), 225(1), 226(1), 227(1), 228(1)
community policing functions | 4
compliance notice | 4
conciliator | 4
confidential or commercially sensitive information | 4
consent | 4
contracted service provider | 4, 8(2)
data analytics work | 4
Data analytics work | 12(2)
data integration | 4
Data integration | 12(4)
data linkage | 4
Data linkage | 12(3)
data linkage key | 12(3)
data set | 4, 12(1)
de-identified information | 4, 11(2)
de-identify | 4, 11(1)
derived information | 4
disability | 4
disclose | 4
disclosing | 10
electronic means | 4
emergency response functions | 4
exempt information | 4
external entity | 4
family violence | 4
government information | 4
handle | 4
Health and Disability Services Complaints Office Director | 4
health information | 4
health service | 4
high privacy impact function or activity | 4
hold | 4
holding entity | 4
information breach | 4
Information Commissioner | 4
information holdings request | 4
information privacy principle | 4
information sharing agreement | 4
information sharing CEO | 4
information sharing Department | 4
information sharing direction | 4
Information Sharing Minister | 4
information sharing request | 4
interference with the privacy | 4
IPP | 4
IPP entity | 4
judicial body | 4, 7(1)
law enforcement agency | 4
law enforcement functions | 4
materially assisted | 4
member of Commissioner staff | 4
notice to produce or attend | 4
notifiable information breach | 4
officer | 4
outsourcing entity | 4, 8(1)
Parliamentary Commissioner for Administrative Investigations | 4
Parliamentary Secretary | 4
permitted purpose | 4
personal information | 4
Police Force of Western Australia | 4
principal officer | 4, 9(1), (2) and (3)
privacy code of practice | 4
privacy complaint | 4
Privacy Deputy Commissioner | 4
privacy functions | 4, 142(1)
privacy guidelines | 4
privacy impact assessment | 4
Privacy Minister | 4
proposed provider | 4
proposed recipient | 4
provider | 4
public entity | 4, 6(1), 6(2)
public interest determination | 4
public register | 4
recipient | 4
re-identify | 4, 11(3)
relevant activity | 4
relevant Minister | 220(1)
relevant official | 208(1), 218(1)
requesting entity | 4
respondent | 4
responsible Minister | 4
responsible sharing principle | 4
secrecy provision | 4
senior executive officer | 4
senior officer | 4
sensitive Aboriginal family history information | 4
sensitive Aboriginal traditional information | 4
sensitive personal information | 4
shared information | 4
shared information breach | 4
significant decision | 4
special information sharing entity | 4
specified | 229(1)
state of mind | 217(1)
State services contract | 4, 8(1)
temporary public interest determination | 4
transitional matter | 229(1)
unique identifier | 4
variation agreement | 4