Privacy and Responsible Information Sharing Act 2024
Privacy and Responsible Information Sharing Act 2024
Western Australia
Privacy and Responsible Information Sharing Act 2024
Contents
Part 1 — Preliminary
1.Short title2
2.Commencement2
3.Objects2
4.Terms used3
5.References to information privacy principles17
6.Public entities17
7.Judicial bodies19
8.State services contracts and contracted service providers19
9.Principal officers20
10.Disclosure by public entities and other IPP entities21
11.De‑identification and re‑identification of information21
12.Data sets, data analytics work, data linkage and data integration22
13.Act binds Crown22
Part 2 — Privacy
Division 12 — Administration
Subdivision 1 — Functions under this Act of Information Commissioner and Privacy Deputy Commissioner
141.Functions of Information Commissioner and Privacy Deputy Commissioner under this Act23
142.Performance of privacy functions24
143.Certain functions cannot be delegated26
144.Information Commissioner and Privacy Deputy Commissioner must have regard to objects of Act in performing functions27
145.Information Commissioner and Privacy Deputy Commissioner may request IPP entity to provide assistance27
Subdivision 2 — Reporting
146.Matters to be included in annual report to Parliament27
147.Special reports to Parliament28
Subdivision 3 — Guidelines, documents and notices
148.Privacy guidelines29
149.Making documents publicly available30
150.Notices of decisions or determinations30
Part 3 — Responsible information sharing
Division 8 — Administration
Subdivision 1 — Chief Data Officer
198.Chief Data Officer31
199.Chief Data Officer is separate public entity for information sharing purposes31
200.Functions of Chief Data Officer32
201.Power to issue guidelines33
202.Consultation on guidelines34
203.Chief Data Officer must have regard to objects of Act34
Subdivision 2 — Privacy and Responsible Information Sharing Advisory Committee
204.Privacy and Responsible Information Sharing Advisory Committee35
205.Functions of Privacy and Responsible Information Sharing Advisory Committee35
206.Regulations about Privacy and Responsible Information Sharing Advisory Committee36
Subdivision 3 — Delegation and secrecy
207.Delegation by Chief Data Officer37
208.Secrecy and authorised disclosure and use of information37
Subdivision 4 — Making documents publicly available
209.Making documents publicly available38
Part 4 — Miscellaneous
215.False or misleading information40
216.Acts and practices of public entities and other IPP entities40
217.States of mind of public entities and other IPP entities41
218.Protection from personal liability41
219.Giving documents42
220.Laying documents before House of Parliament not sitting42
221.General provisions about guidelines43
222.Regulations44
Part 5 — Transitional provisions
223.Application of information privacy principles45
224.Application of approved privacy codes of practice46
225.Notifiable information breach may involve personal information collected before commencement day46
226.Public register obligations apply to personal information collected before commencement day47
227.Privacy impact assessments not required for functions or activities performed before commencement day47
228.State services contracts entered into before commencement day48
229.Transitional regulations48
Part 7 — Amendment to this Act linked to commencement of Criminal Law (Mental Impairment) Act 2023
246.Act amended50
247.Section 4 amended50
Notes
Compilation table51
Uncommenced provisions table51
Defined terms
Privacy and Responsible Information Sharing Act 2024
·to provide a framework to protect the privacy of personal information handled by public entities, Ministers, Parliamentary Secretaries and contracted service providers to public entities; and
·to provide a framework to authorise the responsible sharing of information held by public entities; and
·to establish the office of Chief Data Officer; and
·to amend the Freedom of Information Act 1992; and
·to make consequential amendments to other Acts; and
·for related purposes.
This is the Privacy and Responsible Information Sharing Act 2024.
This Act comes into operation as follows —
(a)Part 1 — on the day on which this Act receives the Royal Assent;
(b)Part 7 —
(i)if the Criminal Law (Mental Impairment) Act 2023 section 156 comes into operation on or before the day on which Part 1 of this Act comes into operation under paragraph (a) — immediately after Part 1 of this Act comes into operation; or
(ii)otherwise — on the day on which the Criminal Law (Mental Impairment) Act 2023 section 156 comes into operation;
(c)the rest of the Act — on a day fixed by proclamation, and different days may be fixed for different provisions.
The objects of this Act are as follows —
(a)to promote responsible and transparent practices for handling personal information by IPP entities;
(b)to balance the public interest in protecting the privacy of personal information handled by IPP entities with the public interest in the free flow of information;
(c)to provide a means for individuals to complain about alleged interferences with their privacy;
(d)to promote responsible information security practices by IPP entities;
(e)to promote the responsible handling of information held by public entities as a public resource that supports government policy, programs and services;
(f)to facilitate the responsible collection, use and disclosure for permitted purposes of information held by public entities;
(g)to remove barriers that unnecessarily impede the responsible sharing of information held by public entities;
(h)to provide protections in connection with the sharing of information under this Act, including by —
(i)specifying the purposes for which, and the circumstances in which, information sharing is permitted or required; and
(ii)ensuring that information shared under this Act is protected from unauthorised use or disclosure.
In this Act —
Aboriginal community controlled organisation means an organisation described in clause 44 of the “National Agreement on Closing the Gap” between the Coalition of Aboriginal and Torres Strait Islander Peak Organisations, the Commonwealth, the States, the Australian Capital Territory, the Northern Territory and the Australian Local Government Association dated July 2020;
Aboriginal information assessment has the meaning given in section 177(1);
Aboriginal information use plan has the meaning given in section 177(4);
act includes an omission;
affected individual —
(a)in relation to a notifiable information breach, has the meaning given in section 58; or
(b)in relation to a determination by the Information Commissioner under section 107, has the meaning given in section 107(1);
approved form means a form approved by the person to whom the form is permitted or required to be given under this Act;
approved privacy code of practice means a privacy code of practice approved by the Governor under section 32(3);
assessed notifiable information breach, in relation to an IPP entity, has the meaning given in section 61(3);
assessed shared information breach, in relation to a recipient under an information sharing agreement, has the meaning given in section 192(4);
Australian Information Commissioner means the person appointed as Australian Information Commissioner under the Australian Information Commissioner Act 2010 (Commonwealth) section 14(1);
authorised officer means a person designated as an authorised officer under section 120(1);
automated decision‑making process has the meaning given in section 16(2);
automated system has the meaning given in section 16(1);
care leaver means a person who —
(a)has reached 18 years of age; and
(b)qualifies for assistance under the Children and Community Services Act 2004 section 96 for the purposes of Part 4 Division 6 of that Act;
Chief Data Officer means the Chief Data Officer appointed in accordance with section 198;
Chief Data Officer guidelines means guidelines issued under section 201, as in effect from time to time;
child means a person who is under 18 years of age;
child protection functions means functions that relate to —
(a)the protection and care of children, unborn children and care leavers; or
(b)promoting the wellbeing of children, unborn children and care leavers, including their —
(i)care; and
(ii)physical, emotional, psychological and educational development; and
(iii)physical, emotional and psychological health; and
(iv)safety;
collect, in relation to information —
(a)means to obtain the information from any source or by any means; and
(b)includes to infer the information from, or generate the information by the use or interpretation of, other information;
community policing functions, of the Police Force of Western Australia, includes the following —
(a)undertaking missing persons investigations;
(b)transferring individuals into the care or custody of another entity;
(c)supporting victims of crime;
(d)locating next of kin;
(e)employing diversionary strategies;
(f)coordinating operational response and dispatch;
(g)other functions prescribed by the regulations;
compliance notice has the meaning given in section 122(1);
conciliator means a person nominated as a conciliator under section 96(1);
confidential or commercially sensitive information means —
(a)information that is required to be kept confidential because of a contractual or equitable obligation; or
(b)any other information the disclosure of which would prejudice any person’s legitimate business, professional, commercial or financial interests;
consent means express consent or implied consent;
contracted service provider has the meaning given in section 8(2);
data analytics work has the meaning given in section 12(2);
data integration has the meaning given in section 12(4);
data linkage has the meaning given in section 12(3);
data set has the meaning given in section 12(1);
de‑identified information has the meaning given in section 11(2);
de‑identify, in relation to personal information, has the meaning given in section 11(1);
derived information has the meaning given in section 170(d)(iv);
disability has the meaning given in the Disability Services Act 1993 section 3;
disclose has a meaning affected by section 10;
electronic means includes —
(a)an electronic database or document system; and
(b)any other means by which a document can be given or accessed electronically;
emergency response functions means functions that relate to responding to an emergency, including by combating its effects, providing emergency assistance to persons affected and reducing resulting damage;
exempt information has the meaning given in section 158;
external entity has the meaning given in section 156(2);
family violence has the meaning given in the Restraining Orders Act 1997 section 5A(1);
government information, in relation to a public entity, has the meaning given in section 157;
handle, in relation to information, means to collect, hold, manage, use or disclose the information;
Health and Disability Services Complaints Office Director means the Director as defined in the Health and Disability Services (Complaints) Act 1995 section 3(1);
health information means —
(a)personal information that relates to —
(i)the health (at any time) of an individual; or
(ii)the disability (at any time) of an individual; or
(iii)an individual’s expressed wishes about the future provision of health services to the individual; or
(iv)a health service provided, or to be provided, to an individual;
or
(b)other personal information collected to provide, or in providing, a health service;
health service means any of the following —
(a)a health service as defined in the Health Services Act 2016 section 7;
(b)the supply or prescription of a medicine by a person registered under the Health Practitioner Regulation National Law (Western Australia);
(c)the prescription, supply or administration of a voluntary assisted dying substance under the Voluntary Assisted Dying Act 2019;
(d)a service or activity, provided in conjunction with a service or activity referred to in paragraph (a), (b) or (c), of a class prescribed by the regulations;
high privacy impact function or activity has the meaning given in section 79(1);
hold, in relation to information, means to have possession or control of the information, whether alone or jointly with others;
holding entity, in relation to an information sharing request, has the meaning given in section 160(3)(b);
information breach means —
(a)unauthorised access to, or unauthorised disclosure of, information; or
(b)loss of information;
Information Commissioner means the person appointed as Information Commissioner under the Information Commissioner Act 2024 section 5(2);
information holdings request has the meaning given in section 196(2);
information privacy principle (IPP) means an information privacy principle set out in Schedule 1;
information sharing agreement has the meaning given in section 168(1);
information sharing CEO means the chief executive officer of the information sharing Department;
information sharing Department means the department of the Public Service principally assisting in the administration of Part 3;
information sharing direction has the meaning given in section 163(1);
Information Sharing Minister means the Minister to whom the administration of Part 3 is from time to time committed by the Governor;
information sharing request has the meaning given in section 160(3)(a);
interference with the privacy, of an individual, has the meaning given in section 15;
IPP entity has the meaning given in section 14;
judicial body has the meaning given in section 7;
law enforcement agency means any of the following bodies or persons, including staff under the control of the body or person —
(a)the Police Force of Western Australia; or
(b)the Corruption and Crime Commission established under the Corruption, Crime and Misconduct Act 2003 section 8; or
(c)the Parliamentary Inspector of the Corruption and Crime Commission appointed under the Corruption, Crime and Misconduct Act 2003 section 189; or
(d)a commission established under a written law or a law of the Commonwealth, another State or a Territory that has the function of investigating criminal activity or a class of criminal activity; or
(e)the Mental Impairment Review Tribunal established under the Criminal Law (Mental Impairment) Act 2023 section 156; or
(f)the Prisoners Review Board established under the Sentence Administration Act 2003 section 102; or
(g)the Supervised Release Review Board established under the Young Offenders Act 1994 section 151; or
(h)the department of the Public Service principally assisting in the administration of the Sentence Administration Act 2003 Part 8; or
(i)the department of the Public Service principally assisting in the administration of the Police Act 1892; or
(j)the Director of Public Prosecutions appointed under the Director of Public Prosecutions Act 1991 section 5; or
(k)the Commissioner of State Revenue appointed in accordance with the Taxation Administration Act 2003 section 6; or
(l)the sheriff referred to in the Supreme Court Act 1935 section 156; or
(m)the Australian Crime Commission established by the Australian Crime Commission Act 2002 (Commonwealth) section 7; or
(n)the Australian Federal Police; or
(o)the police force of another State or a Territory; or
(p)a public entity not covered by another paragraph of this definition that is responsible for the performance of functions related to —
(i)the prevention, detection, investigation, prosecution or punishment of criminal offences or contraventions of a law that are subject to a penalty or sanction; or
(ii)the management of property seized or restrained under a law relating to the confiscation of proceeds of crime; or
(iii)the enforcement of a law, or of an order made under a law, relating to the confiscation of proceeds of crime; or
(iv)the execution or implementation of orders made by a court or tribunal; or
(v)the protection of public revenue;
or
(q)a body, or the holder of an office, prescribed by the regulations;
law enforcement functions, of a law enforcement agency —
(a)means functions of the law enforcement agency that relate to —
(i)the prevention, detection, investigation, prosecution or punishment of criminal offences or contraventions of a law that are subject to a penalty or sanction; or
(ii)the management of property seized or restrained under a law relating to the confiscation of proceeds of crime; or
(iii)the enforcement of a law, or of an order made under a law, relating to the confiscation of proceeds of crime; or
(iv)the preparation for or conduct of proceedings in a court or tribunal; or
(v)the execution or implementation of orders made by a court or tribunal; or
(vi)the protection of public revenue;
and
(b)includes, in the case of the Police Force of Western Australia, community policing functions;
materially assisted, in relation to the making of a decision and an automated system, has the meaning given in section 16(3);
member of Commissioner staff means a member of staff as defined in the Information Commissioner Act 2024 section 3;
notice to produce or attend has the meaning given in section 113(1);
notifiable information breach has the meaning given in section 57;
officer, of a public entity or other IPP entity, includes —
(a)the principal officer of the entity; and
(b)a person employed in, by, or for the purposes of, the entity; and
(c)if the entity is a body (whether incorporated or not) constituted by 2 or more persons — any of those persons;
outsourcing entity has the meaning given in section 8(1);
Parliamentary Commissioner for Administrative Investigations means the Commissioner as defined in the Parliamentary Commissioner Act 1971 section 4;
Parliamentary Secretary means —
(a)a Parliamentary Secretary appointed under the Constitution Acts Amendment Act 1899 section 44A(1); or
(b)the Parliamentary Secretary of the Cabinet;
permitted purpose has the meaning given in section 159(1);
personal information —
(a)means information or an opinion, whether true or not, and whether recorded in a material form or not, that relates to an individual, whether living or dead, whose identity is apparent or can reasonably be ascertained from the information or opinion; and
(b)includes information of the following kinds to which paragraph (a) applies —
(i)a name, date of birth or address;
(ii)a unique identifier, online identifier or pseudonym;
(iii)contact information;
(iv)information that relates to an individual’s location;
(v)technical or behavioural information in relation to an individual’s activities, preferences or identity;
(vi)inferred information that relates to an individual, including predictions in relation to an individual’s behaviour or preferences and profiles generated from aggregated information;
(vii)information that relates to 1 or more features specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity of an individual;
Police Force of Western Australia means the Police Force of Western Australia provided for by the Police Act 1892;
principal officer, in relation to a public entity or other IPP entity, has the meaning given in section 9;
privacy code of practice has the meaning given in section 28(1);
privacy complaint means a complaint under section 82(1);
Privacy Deputy Commissioner means the person appointed as Privacy Deputy Commissioner under the Information Commissioner Act 2024 section 13(2);
privacy functions has the meaning given in section 142(1);
privacy guidelines means guidelines issued under section 148, as in effect from time to time;
privacy impact assessment means —
(a)an assessment of a function or activity of an IPP entity conducted under section 79 or in compliance with a direction under section 80; or
(b)an assessment of a relevant activity to be carried out under a proposed information sharing agreement conducted under section 176;
Privacy Minister means the Minister to whom the administration of Part 2 is from time to time committed by the Governor;
proposed provider, in relation to a proposed information sharing agreement, means a public entity that would be a provider under the agreement;
proposed recipient, in relation to a proposed information sharing agreement, means a public entity or external entity that would be a recipient under the agreement;
provider, in relation to an information sharing agreement, has the meaning given in section 168(2);
public entity has the meaning given in section 6;
public interest determination has the meaning given in section 45(1);
public register means a register or other document that —
(a)is held by a public entity; and
(b)contains information that a person was required or permitted to give to that public entity under a written law; and
(c)is published, or available for inspection by members of the public (whether for a fee or charge or not), under a written law (other than as a result of a request for access under this Act or an application for access under the Freedom of Information Act 1992 Part 2);
recipient, in relation to an information sharing agreement, has the meaning given in section 168(3);
re‑identify, in relation to de‑identified information, has the meaning given in section 11(3);
relevant activity, in relation to an information sharing agreement, has the meaning given in section 168(1)(c);
requesting entity, in relation to an information sharing request, has the meaning given in section 160(3)(c);
respondent, in relation to a privacy complaint, has the meaning given in section 82(2)(b);
responsible Minister means —
(a)in relation to a public entity that is a department as defined in the Public Sector Management Act 1994 section 3(1) — the Minister responsible for the administration of the department; or
(b)in relation to a public entity to which paragraph (a) does not apply —
(i)for a public entity established or appointed under an enactment — the Minister to whom the administration of the enactment is from time to time committed by the Governor; or
(ii)for a public entity that is not established or appointed under an enactment — the Minister to whom the administration of the public entity is from time to time committed by the Governor;
or
(c)in relation to a secrecy provision — the Minister to whom the administration of the secrecy provision is from time to time committed by the Governor;
responsible sharing principle means a responsible sharing principle set out in Schedule 2;
secrecy provision means a provision of a written law that prohibits or regulates the handling of information;
senior executive officer has the meaning given in the Public Sector Management Act 1994 section 3(1);
senior officer, of a public entity or other IPP entity —
(a)means an officer of the entity who has managerial responsibility; and
(b)includes the principal officer of the entity;
sensitive Aboriginal family history information means information, including family history information, that —
(a)relates to Aboriginal people and their ancestors; and
(b)was collected in the period from 1898 until 1972 for the purposes of implementing laws, and government policies and practices, applying specifically to Aboriginal people;
sensitive Aboriginal traditional information means information that, according to Aboriginal tradition, should not be disclosed to individuals who are not the knowledge holders of that information;
sensitive personal information means personal information —
(a)that relates to an individual’s —
(i)racial or ethnic origin; or
(ii)gender identity, in a case where the individual’s gender identity does not correspond with their designated sex at birth; or
(iii)sexual orientation or practices; or
(iv)political opinions; or
(v)membership of a political association; or
(vi)religious beliefs or affiliations; or
(vii)philosophical beliefs; or
(viii)membership of a professional or trade association; or
(ix)membership of a trade union; or
(x)criminal record;
or
(b)that is health information; or
(c)that is genetic or genomic information (other than health information); or
(d)that is biometric information; or
(e)from which information of a kind referred to in any of paragraphs (a) to (d) can reasonably be inferred;
shared information, in relation to a shared information breach, has the meaning given in section 191(a);
shared information breach has the meaning given in section 191;
significant decision has the meaning given in section 16(4);
special information sharing entity has the meaning given in section 156(1);
State services contract has the meaning given in section 8(1);
temporary public interest determination has the meaning given in section 49(1);
unique identifier —
(a)means a number or other identifier assigned by an entity to an individual to uniquely identify that individual for the purposes of the operations of the entity; but
(b)does not include an identifier that consists only of the individual’s name;
variation agreement has the meaning given in section 179(1).
[Section 4 amended: No. 51 of 2024 s. 247.]
5.References to information privacy principles
A reference in this Act to an IPP followed by a designation is a reference to the provision with that designation in Schedule 1.
(1)A public entity is —
(a)a department of the Public Service; or
(b)an entity specified in the Public Sector Management Act 1994 Schedule 2 column 2; or
(c)the Police Force of Western Australia; or
(d)a local government, regional local government or regional subsidiary; or
(e)a body, or the holder of an office, that is established for a public purpose under a written law; or
(f)a body, or the holder of an office, that is established by the Governor or a Minister; or
(g)a judicial body; or
(h)any other body, or the holder of any other office, that is prescribed by the regulations to be a public entity, being —
(i)a body or office that is established under a written law; or
(ii)a corporation or association over which control can be exercised by the State, a Minister, a body referred to in paragraph (a), (b), (e) or (f) or subparagraph (i), or the holder of an office referred to in paragraph (f) or subparagraph (i).
(2)Despite subsection (1), each of the following is not a public entity —
(a)the Governor or the Governor’s establishment;
(b)the Legislative Council or a member or committee of the Legislative Council;
(c)the Legislative Assembly or a member or committee of the Legislative Assembly;
(d)a joint committee or standing committee of the Legislative Council and the Legislative Assembly;
(e)a Royal Commission or member of a Royal Commission;
(f)a department of the staff of Parliament referred to in the Parliamentary and Electorate Staff (Employment) Act 1992;
(g)a person holding an office established under a written law for the purposes of a body referred to in any of paragraphs (a) to (f).
(3)Except to the extent provided by section 199 and regulations made under subsection (4), a person is not a separate public entity for the purposes of this Act by reason of —
(a)holding office as a member or other officer of a public entity; or
(b)holding an office established for the purposes of a public entity.
(4)The regulations may provide that, for the purposes of this Act or specified provisions of this Act —
(a)a specified body, or the holder of a specified office, is not a separate public entity but is part of a specified public entity; or
(b)a specified body, or the holder of a specified office, is a separate public entity and is not part of another public entity.
(1)A judicial body is a court or tribunal established under a written law.
(2)A registry or other office of a judicial body, and the staff of such a registry or other office, are part of the judicial body.
(3)A person holding judicial or quasi‑judicial office is not themselves, and is not part of, a judicial body or other public entity.
8.State services contracts and contracted service providers
(1)A State services contract is a contract between a public entity (the outsourcing entity) and another person (other than a public entity) under which services are provided to the outsourcing entity or to other persons on behalf of the outsourcing entity.
(2)A contracted service provider is —
(a)a party to a State services contract who provides services to or on behalf of an outsourcing entity under the contract; or
(b)a person who is a subcontractor (whether direct or indirect) of a person referred to in paragraph (a) for the purposes of the State services contract.
Note for this subsection:
Part 2 Division 11 provides for how Part 2 and the information privacy principles apply in relation to contracted service providers.
(1)The principal officer of a Minister or Parliamentary Secretary is the Minister or Parliamentary Secretary.
(2)The principal officer of a public entity is —
(a)in relation to a department of the Public Service or an entity specified in the Public Sector Management Act 1994 Schedule 2 column 2 — the chief executive officer or chief employee of the department or entity; or
(b)in relation to the Police Force of Western Australia — the Commissioner of Police; or
(c)in relation to a local government — the chief executive officer of the local government; or
(d)in relation to a regional local government — the chief executive officer of the regional local government; or
(e)in relation to a regional subsidiary — the person who manages the affairs of the regional subsidiary; or
(f)in relation to any other public entity —
(i)if the regulations prescribe a person to be the principal officer of the public entity — that person; or
(ii)otherwise — the person determined under subsection (4).
(3)The principal officer of a contracted service provider is —
(a)if the relevant State services contract designates a person with managerial responsibility in relation to the contracted service provider as the principal officer of the contracted service provider for the purposes of this Act — that person; or
(b)otherwise — the person determined under subsection (4).
(4)For the purposes of subsection (2)(f)(ii) or (3)(b), the person is —
(a)if the public entity or contracted service provider consists of 1 person (other than a body corporate) — that person; or
(b)if the public entity or contracted service provider is a body (whether incorporated or not) constituted by 2 or more persons — the person entitled to preside at any meeting of the body at which the person is present; or
(c)otherwise — the person responsible for managing the affairs of the public entity or contracted service provider.
10.Disclosure by public entities and other IPP entities
A reference in this Act to a public entity or other IPP entity disclosing information —
(a)includes a reference to the entity making the information publicly available; and
(b)does not include a reference to the entity disclosing the information to the entity itself or to an officer of the entity.
11.De‑identification and re‑identification of information
(1)To de‑identify personal information means to modify, or apply a process to, the information, with the result that the identity of an individual is not apparent, and cannot reasonably be ascertained, from the information.
(2)Information is de‑identified information at a particular time if, at that time —
(a)the information has been de‑identified; and
(b)the identity of an individual is not apparent, and cannot reasonably be ascertained, from the information.
(3)To re‑identify de‑identified information means to modify, or apply a process to, the information, with the result that the information again becomes personal information.
12.Data sets, data analytics work, data linkage and data integration
(1)A data set is an organised collection of information in a form that is capable of being analysed or processed (whether by an individual or an automated system).
(2)Data analytics work —
(a)is the examination and analysis of information for the purpose of drawing conclusions as a result of that examination and analysis; but
(b)does not include data linkage or data integration.
(3)Data linkage is a process for —
(a)detecting instances where separate records (whether within a single data set or different data sets) appear to relate to the same individual, family, place, event or matter; and
(b)assigning an identifier (a data linkage key) to enable related records to be linked.
(4)Data integration is the combination or collation of information in 2 or more data sets, whether using data linkage keys or by another process.
This Act binds the Crown in right of Western Australia and, so far as the legislative power of the Parliament permits, the Crown in all its other capacities.
[Divisions 1-11 have not come into operation.]
Subdivision 1 — Functions under this Act of Information Commissioner and Privacy Deputy Commissioner
141.Functions of Information Commissioner and Privacy Deputy Commissioner under this Act
(1)The Information Commissioner has the following functions under this Act —
(a)to promote the understanding of matters relating to the information privacy principles and this Part;
(b)to promote the objects of this Act set out in section 3(a) to (e);
(c)to promote compliance with the information privacy principles and this Part;
(d)to prepare and make available information and material in relation to protecting the privacy of personal information;
(e)to provide assistance to members of the public and IPP entities in relation to any matter relevant to the operation of this Part;
(f)to undertake reviews of any matter relating to the privacy of personal information, on request by the Privacy Minister or on the Commissioner’s own initiative;
(g)to report and make recommendations on any matter relating to the privacy of personal information;
(h)to undertake, participate in or promote research in relation to any matter relating to the privacy of personal information;
(i)any other function given to the Information Commissioner under this Act.
(2)The Privacy Deputy Commissioner also has all the functions of the Information Commissioner under this Act, other than the following —
(a)giving approvals under section 142(3) and directions under section 142(4);
(b)any function in relation to a report under Subdivision 2;
(c)any function in relation to consultation under section 202(2) or serving as a member of the Privacy and Responsible Information Sharing Advisory Committee.
Note for this section:
The Information Commissioner Act 2024 sections 25 and 27 provide for the functions of the Information Commissioner and Privacy Deputy Commissioner generally.
142.Performance of privacy functions
(1)The functions under this Act that are functions of both the Information Commissioner and the Privacy Deputy Commissioner are the privacy functions.
(2)A privacy function may be performed —
(a)by the Information Commissioner; or
(b)by the Privacy Deputy Commissioner, subject to subsection (3) and any direction given under subsection (4).
(3)The Privacy Deputy Commissioner must obtain the approval of the Information Commissioner before performing any of the following privacy functions —
(a)making a public interest determination under section 45(1);
(b)making a temporary public interest determination under section 49(1);
(c)extending a temporary public interest determination under section 52(3);
(d)revoking a public interest determination or temporary public interest determination under section 54(1) or (2);
(e)making a notifiable information breach determination under section 60(1);
(f)amending or repealing a notifiable information breach determination;
(g)issuing privacy guidelines under section 148(1);
(h)amending or revoking privacy guidelines under section 148(2).
(4)The Information Commissioner may direct the Privacy Deputy Commissioner as to —
(a)which of the privacy functions the Privacy Deputy Commissioner is to perform; and
(b)the manner in which the Privacy Deputy Commissioner must perform any privacy function.
(5)If the Privacy Deputy Commissioner performs a privacy function —
(a)the Privacy Deputy Commissioner performs the function in the Privacy Deputy Commissioner’s own right and not on behalf of the Information Commissioner; and
(b)the Privacy Deputy Commissioner may perform the function upon the Privacy Deputy Commissioner’s own belief or state of mind (to the extent that the performance or exercise is dependent on the belief or state of mind of the Information Commissioner); and
(c)the performance of the function is as effectual for all purposes as if it were performed by the Information Commissioner; and
(d)a reference in this Act or another written law to anything done by, to, or in relation to, the Information Commissioner in connection with the function includes a reference to the thing as done by, to, or in relation to, the Privacy Deputy Commissioner; and
(e)the Information Commissioner is not prevented from performing the same function on another occasion (in relation to a different matter).
143.Certain functions cannot be delegated
The following privacy functions cannot be delegated by the Information Commissioner or the Privacy Deputy Commissioner under the Information Commissioner Act 2024 section 28 —
(a)making a public interest determination under section 45(1);
(b)making a temporary public interest determination under section 49(1);
(c)extending a temporary public interest determination under section 52(3);
(d)revoking a public interest determination or temporary public interest determination under section 54(1) or (2);
(e)making a notifiable information breach determination under section 60(1);
(f)amending or repealing a notifiable information breach determination;
(g)making an order to give effect to a conciliation agreement under section 98(3);
(h)determining a privacy complaint under section 104(1);
(i)making a determination following an investigation under section 107(1);
(j)issuing a compliance notice under section 122(1);
(k)issuing privacy guidelines under section 148(1);
(l)amending or revoking privacy guidelines under section 148(2).
144.Information Commissioner and Privacy Deputy Commissioner must have regard to objects of Act in performing functions
In performing their functions under this Act, the Information Commissioner and Privacy Deputy Commissioner must have regard to the objects of this Act.
145.Information Commissioner and Privacy Deputy Commissioner may request IPP entity to provide assistance
The Information Commissioner or Privacy Deputy Commissioner may request an IPP entity to provide any assistance that that Commissioner reasonably considers appropriate to perform their functions under this Act.
146.Matters to be included in annual report to Parliament
(1)Without limiting the Information Commissioner Act 2024 section 32, the Information Commissioner must include the following information in the annual report required under that section for a financial year —
(a)the number of applications for public interest determinations made under section 46 and the outcome of those applications;
(b)the number of applications for temporary public interest determinations made under section 50 and the outcome of those applications;
(c)the number of applications for extensions of temporary public interest determinations made under section 52(1) and the outcome of those applications;
(d)the number of privacy complaints made and the outcome of those complaints;
(e)the number of applications for review made to the State Administrative Tribunal under sections 70(5), 90(5), 91(3), 105, 108 and 124 and the outcome of those applications;
(f)the number of appeals made to the Supreme Court under the State Administrative Tribunal Act 2004 section 105 from decisions of the State Administrative Tribunal on applications referred to in paragraph (e) and the outcome of those appeals;
(g)the number of notifiable information breaches notified under section 62;
(h)the number, or an estimate of the number, of affected individuals in relation to notifiable information breaches notified under section 62;
(i)the number of compliance notices issued under section 122;
(j)any other information prescribed by the regulations.
(2)A public entity must provide the Information Commissioner with any information the Information Commissioner requires for the purposes of including the matters referred to in subsection (1) in the annual report.
147.Special reports to Parliament
(1)The Information Commissioner may, if the Information Commissioner considers it to be in the public interest to do so —
(a)prepare a report on —
(i)any matter arising in connection with the performance of the privacy functions; or
(ii)any act or practice of an IPP entity that the Information Commissioner considers to be an interference with the privacy of an individual;
and
(b)submit the report to the President of the Legislative Council and the Speaker of the Legislative Assembly.
(2)A report under subsection (1) may include recommendations.
(3)The President or Speaker must cause a copy of a report submitted to them under subsection (1) to be laid before the Legislative Council or Legislative Assembly, as the case requires, within 15 sitting days of that House after the report is submitted.
Subdivision 3 — Guidelines, documents and notices
(1)The Information Commissioner may issue guidelines —
(a)in relation to any matter required or permitted by this Part or section 176 to be the subject of privacy guidelines; or
(b)to provide information and guidance in relation to the application and administration of the information privacy principles and this Part.
(2)The Information Commissioner may amend or revoke privacy guidelines.
(3)The Information Commissioner may consult with any person or body the Commissioner considers appropriate before issuing, amending or revoking any privacy guidelines.
(4)The Information Commissioner must ensure that privacy guidelines are made publicly available.
Note for this section:
Section 221 makes provision for the status and effect of privacy guidelines.
149.Making documents publicly available
(1)The regulations may make provision for how documents are to be made publicly available by the Information Commissioner or an entity for the purposes of any provision of this Part.
(2)If a provision of this Part requires or permits the Information Commissioner to make a document publicly available, the Commissioner must comply with that requirement or exercise that power —
(a)if regulations under subsection (1) apply — in accordance with those regulations; or
(b)otherwise — by making the document publicly available in the manner the Commissioner considers appropriate.
150.Notices of decisions or determinations
Without limiting any other provision of this Part, the Information Commissioner must include the following information in a notice of a decision or determination of the Commissioner given under this Part —
(a)the day on which the decision or determination was made;
(b)the name and designation of the person who made the decision or determination;
(c)the reasons for the decision or determination;
(d)any right under this Act to apply for a review of the decision or determination.
[Division 13 has not come into operation.]
Part 3 — Responsible information sharing
[Divisions 1-7 have not come into operation.]
Subdivision 1 — Chief Data Officer
A Chief Data Officer must be appointed under the Public Sector Management Act 1994 Part 3 as a senior executive officer in the information sharing Department.
199.Chief Data Officer is separate public entity for information sharing purposes
(1)For the purposes of a reference to a public entity in this Part —
(a)the Chief Data Officer is to be treated as a separate public entity and not as part of the information sharing Department; and
(b)the Chief Data Officer is to be treated as the principal officer of that public entity.
(2)Without limiting subsection (1), the Chief Data Officer may, on the Chief Data Officer’s own initiative, make information sharing requests and enter into information sharing agreements as a public entity under this Part.
(3)Subsection (1) does not affect —
(a)the power under section 207 for the Chief Data Officer to delegate to an officer of the information sharing Department; or
(b)the requirement under section 211 for matters relating to the Chief Data Officer to be included in the annual report in respect of the information sharing Department referred to in that section.
200.Functions of Chief Data Officer
(1)The Chief Data Officer has the following functions —
(a)on request by a public entity or Minister or on the Chief Data Officer’s own initiative, to undertake data analytics work, data integration and data linkage on information disclosed to the Chief Data Officer under this Part;
(b)to disclose or make publicly available information generated from undertaking data analytics work, data integration or data linkage if the Chief Data Officer considers it appropriate to do so;
(c)to do anything the Chief Data Officer may do as a public entity under this Part (including as referred to in section 199(2));
(d)to promote the objects of this Act;
(e)to build the capability of public entities to share information in accordance with this Part;
(f)to prepare and make available information and material in relation to the sharing of information in accordance with this Part;
(g)to provide assistance to public entities and external entities in relation to the sharing of information in accordance with this Part;
(h)to provide advice to the Information Sharing Minister or to any other person or body about any matters relating to the sharing of information held by public entities;
(i)to oversee and monitor the use of information sharing agreements;
(j)to promote and support the responsible sharing of information between public entities in the State and agencies and instrumentalities in other jurisdictions;
(k)any other functions given to the Chief Data Officer under this Act or another written law.
(2)The Chief Data Officer has all the powers that are needed for the performance of the Chief Data Officer’s functions.
(1)The Chief Data Officer may issue guidelines —
(a)in relation to any matter required or permitted by this Part to be the subject of Chief Data Officer guidelines; or
(b)to provide information and guidance in relation to matters relating to this Part and the responsible sharing principles.
(2)Without limiting subsection (1)(b), guidelines may be issued in relation to any of the following —
(a)the form and contents of information sharing agreements, including template provisions for inclusion in information sharing agreements;
(b)processes to be followed before entering into information sharing agreements;
(c)processes and safeguards relating to the handling of information shared under this Part, including for the purposes of protecting —
(i)the privacy of individuals; and
(ii)the confidentiality and security of information;
(d)the management of risks relating to the sharing of information under this Part;
(e)the use of information shared under this Part for activities involving data analytics work, data integration or data linkage, including in relation to the design and governance of those activities.
(3)The Chief Data Officer may amend or revoke Chief Data Officer guidelines.
(4)The Chief Data Officer must ensure that Chief Data Officer guidelines are made publicly available.
Note for this section:
Section 221 makes provision for the status and effect of Chief Data Officer guidelines.
202.Consultation on guidelines
(1)The Chief Data Officer may consult with any person or body the Chief Data Officer considers appropriate before issuing, amending or revoking any guidelines under section 201.
(2)The Chief Data Officer must consult with the Information Commissioner before issuing, amending or revoking under section 201 any guidelines that relate to the handling of personal information or the privacy of individuals.
(3)The Chief Data Officer must consult with the Privacy and Responsible Information Sharing Advisory Committee before issuing, amending or revoking under section 201 any guidelines for the purpose of section 177(6).
203.Chief Data Officer must have regard to objects of Act
In performing functions under this Act, the Chief Data Officer must have regard to the objects of this Act.
Subdivision 2 — Privacy and Responsible Information Sharing Advisory Committee
204.Privacy and Responsible Information Sharing Advisory Committee
(1)A committee called the Privacy and Responsible Information Sharing Advisory Committee is established.
(2)The committee consists of the following members —
(a)the Chief Data Officer;
(b)the Information Commissioner;
(c)at least 2, and no more than 5, other members appointed by the Information Sharing Minister.
(3)The Information Sharing Minister must ensure that each person appointed under subsection (2)(c) has appropriate qualifications, skills or experience relevant to the functions of the committee.
(4)Before appointing a person under subsection (2)(c), the Information Sharing Minister must consult with the Privacy Minister.
(5)A person may be appointed under subsection (2)(c) —
(a)for a period not exceeding 3 years; and
(b)on a full‑time basis or part‑time basis.
(6)A person who has been appointed under subsection (2)(c) is eligible for reappointment.
205.Functions of Privacy and Responsible Information Sharing Advisory Committee
(1)The Privacy and Responsible Information Sharing Advisory Committee has the function of advising the Chief Data Officer in relation to the performance of the Chief Data Officer’s functions.
(2)Without limiting subsection (1), the Privacy and Responsible Information Sharing Advisory Committee may give the Chief Data Officer advice in relation to the following —
(a)balancing the public interest in the protection of privacy with the public interest in the free flow of information;
(b)community expectations in relation to the matters referred to in section 177(6)(a) to (e);
(c)technical best practices in relation to the handling of information;
(d)developments in industry or other jurisdictions relevant to the handling of information.
(3)The Privacy and Responsible Information Sharing Advisory Committee may consult with any person or body for the purposes of providing advice to the Chief Data Officer.
206.Regulations about Privacy and Responsible Information Sharing Advisory Committee
(1)The regulations may make provision for or in relation to the Privacy and Responsible Information Sharing Advisory Committee.
(2)Without limiting subsection (1), regulations made under that subsection may make provision for or in relation to any of the following —
(a)the appointment of a chairperson and deputy chairperson of the committee;
(b)the conditions of appointment of members of the committee appointed under section 204(2)(c), including remuneration, allowances and leave;
(c)the resignation or removal of members of the committee appointed under section 204(2)(c);
(d)meetings and procedures of the committee, including the management of any conflicts of interest relating to the committee.
(3)Subject to any regulations made under subsection (1), the committee may determine its own procedures.
Subdivision 3 — Delegation and secrecy
207.Delegation by Chief Data Officer
(1)The Chief Data Officer may delegate to a person employed or engaged in the information sharing Department any power or duty of the Chief Data Officer under another provision of this Act.
(2)The delegation must be in writing signed by the Chief Data Officer.
(3)A person to whom a power or duty is delegated under this section cannot delegate that power or duty.
(4)A person exercising or performing a power or duty that has been delegated to the person under this section is taken to do so in accordance with the terms of the delegation unless the contrary is shown.
(5)Nothing in this section limits the ability of the Chief Data Officer to perform a function through an officer or agent.
208.Secrecy and authorised disclosure and use of information
(1)In this section —
relevant official means a person who is or has been —
(a)the Chief Data Officer; or
(b)a member of the Privacy and Responsible Information Sharing Advisory Committee; or
(c)a person employed or engaged in the information sharing Department.
(2)A relevant official must not, directly or indirectly, record, disclose or use information obtained in the administration of this Act.
Penalty for this subsection: a fine of $6 000.
(3)Subsection (2) does not apply to the recording, disclosure or use of statistical or other information that is not personal information.
(4)A relevant official does not commit an offence under subsection (2) if the recording, disclosure or use of the information is authorised under subsection (5).
(5)The recording, disclosure or use of information to which subsection (2) applies is authorised if the information is recorded, disclosed or used —
(a)for the purpose of, or in connection with, performing a function under this Act; or
(b)as permitted or required by this Act or another written law; or
(c)for the purposes of legal proceedings arising out of the administration of this Act or another written law; or
(d)with the written consent of the person to whom the information relates; or
(e)in circumstances prescribed by the regulations.
Subdivision 4 — Making documents publicly available
209.Making documents publicly available
(1)The regulations may make provision for how documents are to be made publicly available by the Chief Data Officer or an entity for the purposes of any provision of this Part.
(2)If a provision of this Part requires or permits the Chief Data Officer to make a document publicly available, the Chief Data Officer must comply with that requirement or exercise that power —
(a)if regulations under subsection (1) apply — in accordance with those regulations; or
(b)otherwise — by making the document publicly available in the manner the Chief Data Officer considers appropriate.
[Division 9 has not come into operation.]
215.False or misleading information
A person commits an offence if the person gives to the Information Commissioner or Chief Data Officer a document or information that the person knows to be false or misleading in a material particular.
Penalty: a fine of $6 000.
216.Acts and practices of public entities and other IPP entities
(1)The following actions by a public entity or other IPP entity must be taken for the entity by the principal officer or by an officer authorised by the principal officer for that purpose (either generally or in a particular case) —
(a)making any application or submission, or giving any notice or other document, to the Information Commissioner under this Act;
(b)giving any notice or other document to the Chief Data Officer under this Act (subject to subsection (2));
(c)conducting, or preparing a report on, any assessment required under this Act.
(2)The following actions by a public entity must be taken for the entity by the principal officer or by a senior officer authorised by the principal officer for that purpose (either generally or in a particular case) —
(a)making an information sharing request;
(b)responding to an information sharing request;
(c)entering into an information sharing agreement;
(d)responding to an information holdings request.
(3)Subject to subsections (1) and (2), any act done or practice engaged in by an officer of a public entity or other IPP entity, acting in their capacity as officer and within the scope of their actual or apparent authority, is taken for the purposes of this Act to have been done or engaged in by the entity.
217.States of mind of public entities and other IPP entities
(1)In this section —
state of mind includes —
(a)knowledge, intention, opinion, belief, suspicion or purpose; and
(b)reasons for an intention, opinion, belief, suspicion or purpose.
(2)If this Act refers to a state of mind of a public entity or other IPP entity, the entity is considered to have that state of mind if an officer of the entity, acting in their capacity as officer and within the scope of their actual or apparent authority, has that state of mind.
218.Protection from personal liability
(1)In this section —
relevant official means a person who is or has been —
(a)the Privacy Minister; or
(b)the Information Sharing Minister; or
(c)the Chief Data Officer; or
(d)a member of the Privacy and Responsible Information Sharing Advisory Committee; or
(e)a person employed or engaged in the information sharing Department.
(2)No civil liability is incurred by a relevant official for anything that the relevant official has done, in good faith, in the performance or purported performance of a function under this Act.
(3)The protection given by this section applies even though the thing done as described in subsection (2) may have been capable of being done whether or not this Act had been enacted.
(4)Despite subsection (2), the State is not relieved of any liability that it might have for a relevant official having done anything as described in that subsection.
(5)Subsection (2) does not affect the operation of section 181.
(6)In this section, a reference to the doing of anything includes a reference to an omission to do anything.
(1)The regulations may make provision for or in relation to the following —
(a)the giving of a document required or permitted to be given under this Act (including the giving of the document by electronic means);
(b)the time at which the document is taken to have been given;
(c)the means of satisfying a requirement under this Act in relation to a document in writing (for example, a requirement that the original of a document be given or that a document be signed) if the document is given by electronic means.
(2)This section applies to a requirement or permission to give a document whether the term “give”, “issue”, “send” or “serve”, or any other similar term, is used.
220.Laying documents before House of Parliament not sitting
(1)This section applies if —
(a)a provision of this Act requires a Minister (the relevant Minister) to cause a document to be laid before each House of Parliament, or dealt with under this section, within a specified period; and
(b)at the beginning of the period, a House of Parliament is not sitting; and
(c)in the relevant Minister’s opinion, the House will not sit before the end of the period.
(2)The relevant Minister must send the document to the Clerk of the House before the end of the period.
(3)When the document is sent to the Clerk of the House it is taken to have been laid before the House.
(4)The laying of the document that is taken to have occurred under subsection (3) must be recorded in the Minutes, or Votes and Proceedings, of the House on the first sitting day of the House after the Clerk receives the document.
221.General provisions about guidelines
(1)Privacy guidelines and Chief Data Officer guidelines are not subsidiary legislation for the purposes of the Interpretation Act 1984.
(2)If there is a conflict or inconsistency between a provision of this Act and a provision of privacy guidelines or Chief Data Officer guidelines, the provision of this Act prevails.
(3)A requirement under this Act to have regard to privacy guidelines or Chief Data Officer guidelines does not —
(a)derogate from a duty to exercise discretion in a particular case; or
(b)prevent a person from having regard to matters not set out in the guidelines; or
(c)require the entity to have regard to guidelines that are inconsistent with a provision of this Act.
(1)The Governor may make regulations prescribing matters —
(a)required or permitted by this Act to be prescribed; or
(b)necessary or convenient for giving effect to the purposes of this Act.
(2)Without limiting any other provision of this Act, regulations may make provision for or in relation to the following —
(a)applications under this Act;
(b)forms for the purposes of this Act;
(c)fees or charges in relation to any matter under this Act.
(3)Regulations for the purposes of section 6(1)(h) or (4) or 9(2)(f)(i) can only be made on the recommendation of the Privacy Minister and the Information Sharing Minister.
Part 5 — Transitional provisions
223.Application of information privacy principles
(1)In this section —
commencement day means the day on which section 20 comes into operation.
(2)The following information privacy principles apply only in relation to personal information collected on or after commencement day —
(a)IPP 1;
(b)IPP 7;
(c)IPP 8;
(d)IPP 10.
(3)The following information privacy principles apply in relation to personal information whether collected before, on or after commencement day —
(a)IPP 2;
(b)IPP 3;
(c)IPP 4;
(d)IPP 5;
(e)IPP 6;
(f)IPP 9.1.
(4)The following information privacy principles apply to de‑identified information whether collected before, on or after commencement day —
(a)IPP 9.2;
(b)IPP 11.
224.Application of approved privacy codes of practice
(1)In this section —
commencement day means the day on which section 33 comes into operation.
(2)To the extent that an approved privacy code of practice modifies the application of an IPP referred to in section 223(2), or provides for how an IPP referred to in section 223(2) is to be applied or complied with, the approved privacy code of practice applies only in relation to personal information collected on or after commencement day.
(3)Any other provision of an approved privacy code of practice applies in relation to personal information or de‑identified information whether collected before, on or after commencement day.
(4)Subsections (2) and (3) apply subject to any provision of the approved privacy code of practice that provides for the approved privacy code of practice, or any provision of it, to apply only in relation to information collected on or after a day that is later than commencement day.
225.Notifiable information breach may involve personal information collected before commencement day
(1)In this section —
commencement day means the day on which section 61 comes into operation.
(2)For the purposes of section 57, a notifiable information breach may occur in relation to personal information held by an IPP entity whether the personal information was collected before, on or after commencement day.
226.Public register obligations apply to personal information collected before commencement day
(1)In this section —
commencement day means the day on which section 76 comes into operation.
(2)Part 2 Division 7 applies to personal information contained, or proposed to be contained, in a public register whether the personal information was collected before, on or after commencement day.
227.Privacy impact assessments not required for functions or activities performed before commencement day
(1)In this section —
commencement day means the day on which section 79 comes into operation.
(2)The requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment before first performing a high privacy impact function or activity does not apply in relation to a function or activity that the IPP entity started to perform before commencement day.
(3)Subsection (2) does not limit —
(a)any requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment before making a significant change to the way in which personal information is handled as part of a high privacy impact function or activity that the IPP entity started to perform before commencement day; or
(b)any requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment in relation to an activity that the IPP entity first performs on or after commencement day, even if the activity is performed in connection with a function that the IPP entity started to perform before commencement day; or
(c)the Information Commissioner’s power to issue a direction under section 80 in relation to a function or activity that an IPP entity started to perform before commencement day.
228.State services contracts entered into before commencement day
(1)In this section —
commencement day means the day on which section 129 comes into operation.
(2)This Act applies in relation to a provision of a State services contract of the kind referred to in section 129 even if that provision was included in the contract before commencement day.
(3)Section 140(2) does not apply in relation to a State services contract entered into before commencement day.
(1)In this section —
specified means specified or described in regulations;
transitional matter —
(a)means a matter or issue of a transitional nature that arises as a result of the enactment of this Act or the coming into operation of any provisions of this Act or regulations made under it; and
(b)includes a savings or application matter.
(2)If there is not sufficient provision in this Part for dealing with a transitional matter, regulations may prescribe anything required, necessary or convenient to be prescribed in relation to the matter.
(3)Without limiting subsection (2), regulations made for the purposes of that subsection may provide that specified provisions of this Act —
(a)do not apply to, or in relation to, a specified matter or thing; or
(b)apply with specified modifications to, or in relation to, a specified matter or thing.
(4)If regulations made for the purposes of subsection (2) provide that a specified state of affairs is taken to have existed, or not to have existed, on and from a day that is earlier than the day on which the regulations are published in accordance with the Interpretation Act 1984 section 41(1)(a) but not earlier than the day on which this section comes into operation, the regulations have effect according to their terms.
(5)If regulations made for the purposes of subsection (2) contain a provision of a kind described in subsection (4), the provision does not operate so as —
(a)to affect in a manner prejudicial to any person (other than the State or an authority of the State) the rights of that person existing before the day of publication of those regulations; or
(b)to impose liabilities on any person (other than the State or an authority of the State) in respect of anything done or omitted to be done before the day of publication of those regulations.
[Part 6 has not come into operation.]
Part 7 — Amendment to this Act linked to commencement of Criminal Law (Mental Impairment) Act 2023
This Part amends this Act.
In section 4 in the definition of law enforcement agency delete paragraph (e) and insert:
(e)the Mental Impairment Review Tribunal established under the Criminal Law (Mental Impairment) Act 2023 section 156; or
[Schedules 1 and 2 have not come into operation.]
This is a compilation of the Privacy and Responsible Information Sharing Act 2024. For provisions that have come into operation see the compilation table. For provisions that have not yet come into operation see the uncommenced provisions table.
|
Short title |
Number and year |
Assent |
Commencement |
|
Privacy and Responsible Information Sharing Act 2024 Pt. 1, Pt. 2 Div. 12, Pt. 3 Div. 8, Pt. 4, Pt. 5 and Pt. 7 |
51 of 2024 |
6 Dec 2024 |
Pt. 1 and 7: 6 Dec 2024 (see s. 2(a) and (b)(i)); |
To view the text of the uncommenced provisions see Acts as passed on the WA legislation website.
|
Short title |
Number and year |
Assent |
Commencement |
|
Privacy and Responsible Information Sharing Act 2024 Pt. 2 (other than Div. 12), Pt. 3 (other than Div. 8), Pt. 6 and Sch. 1 and 2 |
51 of 2024 |
6 Dec 2024 |
To be proclaimed (see s. 2(c)) |
|
Evidence Act 2025 Pt. 12 Div. 17 |
15 of 2025 |
25 Sep 2025 |
Immediately after the Privacy and Responsible Information Sharing Act 2024 s. 158 comes into operation (see s. 2(d)(ii)) |
|
Assisted Reproductive Technology and Surrogacy Act 2025 Pt. 17 Div. 13 |
19 of 2025 |
18 Dec 2025 |
Immediately after the Privacy and Responsible Information Sharing Act 2024 s. 158 comes into operation (see s. 2(b)(ii)) |
[This is a list of terms defined and the provisions where they are defined. The list is not part of the law.]
Defined termProvision(s)
Aboriginal community controlled organisation4
Aboriginal information assessment4
Aboriginal information use plan4
act4
affected individual4
approved form4
approved privacy code of practice4
assessed notifiable information breach4
assessed shared information breach4
Australian Information Commissioner4
authorised officer4
automated decision-making process4
automated system4
care leaver4
Chief Data Officer4
Chief Data Officer guidelines4
child4
child protection functions4
collect4
commencement day223(1), 224(1), 225(1), 226(1), 227(1), 228(1)
community policing functions4
compliance notice4
conciliator4
confidential or commercially sensitive information4
consent4
contracted service provider4, 8(2)
data analytics work4
Data analytics work12(2)
data integration4
Data integration12(4)
data linkage4
Data linkage12(3)
data linkage key12(3)
data set4, 12(1)
de-identified information4, 11(2)
de-identify4, 11(1)
derived information4
disability4
disclose4
disclosing10
electronic means4
emergency response functions4
exempt information4
external entity4
family violence4
government information4
handle4
Health and Disability Services Complaints Office Director4
health information4
health service4
high privacy impact function or activity4
hold4
holding entity4
information breach4
Information Commissioner4
information holdings request4
information privacy principle4
information sharing agreement4
information sharing CEO4
information sharing Department4
information sharing direction4
Information Sharing Minister4
information sharing request4
interference with the privacy4
IPP4
IPP entity4
judicial body4, 7(1)
law enforcement agency4
law enforcement functions4
materially assisted4
member of Commissioner staff4
notice to produce or attend4
notifiable information breach4
officer4
outsourcing entity4, 8(1)
Parliamentary Commissioner for Administrative Investigations4
Parliamentary Secretary4
permitted purpose4
personal information4
Police Force of Western Australia4
principal officer4, 9(1), (2) and (3)
privacy code of practice4
privacy complaint4
Privacy Deputy Commissioner4
privacy functions4, 142(1)
privacy guidelines4
privacy impact assessment4
Privacy Minister4
proposed provider4
proposed recipient4
provider4
public entity4, 6(1), 6(2)
public interest determination4
public register4
recipient4
re-identify4, 11(3)
relevant activity4
relevant Minister220(1)
relevant official208(1), 218(1)
requesting entity4
respondent4
responsible Minister4
responsible sharing principle4
secrecy provision4
senior executive officer4
senior officer4
sensitive Aboriginal family history information4
sensitive Aboriginal traditional information4
sensitive personal information4
shared information4
shared information breach4
significant decision4
special information sharing entity4
specified229(1)
state of mind217(1)
State services contract4, 8(1)
temporary public interest determination4
transitional matter229(1)
unique identifier4
variation agreement4
© State of Western Australia 2025. This work is licensed under a Creative Commons Attribution 4.0 International Licence (CC BY 4.0). To view relevant information and for a link to a copy of the licence, visit www.legislation.wa.gov.au. Attribute work as: © State of Western Australia 2025. By Authority: ROGER JACOBS, Acting Government Printer