The Privacy and Responsible Information Sharing Bill 2024 (WA), awaiting assent and to be read alongside the WA Information Commissioner Bill 2024 (also at the assent stage), is intended to —
• provide a framework to protect the privacy of personal information handled by public entities, Ministers, Parliamentary Secretaries and contracted service providers to public entities;
• provide a framework to authorise the responsible sharing of information held by public entities;
• establish the office of Chief Data Officer;
• amend the Freedom of Information Act 1992; and
• make consequential amendments to other Acts.
The privacy provisions of the Bill are described as seeking to introduce privacy protections for individuals in the handling of their personal information by IPP entities.
At the core of these privacy protections are the 11 Information Privacy Principles (IPPs). The IPPs are general rules that guide the handling of personal information. The Bill includes two flexibility mechanisms that allow IPP entities to depart from the IPPs in limited circumstances. First, IPP entities may develop privacy codes of practice which are intended to give them flexibility in the way that they manage personal information. Privacy codes of practice must be as stringent as the IPPs, are approved by the Governor on the recommendation of the Information Commissioner and are disallowable by Parliament.
Second, on application, the Information Commissioner may make a public interest determination that the public interest in doing an act or engaging in a practice substantially outweighs the public interest in complying with the IPPs. A public interest determination can be temporary (less than 6 months) or longer, and is disallowable by Parliament.
The Bill will also establish a mandatory information breach notification scheme to ensure that affected individuals, as well as the Information Commissioner, are made aware of serious breaches of their personal information.
The Bill will require IPP entities to undertake a privacy impact assessment before engaging in a high privacy impact function or activity (i.e. functions or activities likely to have a significant impact on the privacy of individuals), to identify privacy risks and implement measures to mitigate those risks. The Bill will also provide a clear pathway for individuals who consider that their privacy has been interfered with to make a complaint, and confer various functions and powers on the Information Commissioner to investigate and enforce compliance by IPP entities with the privacy provisions. The offices of Information Commissioner and Privacy Deputy Commissioner are established under the Information Commissioner Bill 2024.
The responsible information sharing provisions of the Bill seek to enable government to share its information for the benefit of the community by entering into information sharing agreements. They overcome existing legislative barriers to support information sharing for permitted purposes and require public entities to ensure strong governance, privacy and security safeguards are in place.
The sharing of government information by public entities under the Bill is voluntary. There is no obligation on public entities to disclose information under the Bill (subject to the Ministerial power of direction). Certain categories of information also cannot be shared at all under the responsible information sharing framework.
The Bill will require all proposed providers to assess the risks and benefits of sharing information through the application of the Responsible Sharing Principles (RSPs). The RSPs are based on the internationally recognised 'Five Safes', a framework to help organisations make decisions about data sharing.
The Bill will also require parties to undertake a privacy impact assessment and an Aboriginal information assessment in certain circumstances before entering into an information sharing agreement. The Bill will establish a Chief Data Officer, a public servant who sits in the information sharing Department and whose functions include building the capability of public entities to share information in accordance with the Bill. The Bill will also establish a statutory committee called the Privacy and Responsible Information Sharing Advisory Committee, which has the function of advising the Chief Data Officer in relation to the performance of their functions.
The complementary Information Commissioner Bill 2024 seeks to establish three new commissioners to support the privacy provisions of the Privacy Bill and the Freedom of Information Act 1992.
The bill will establish a tripartite, single-authority structure whereby the regulation of privacy and freedom of information will sit within one organisation. The model recognises the complementary nature of privacy and freedom-of-information laws. Both are underpinned by common principles of transparency and accountability. Both involve the consideration and balancing of the public interest in the protection of personal privacy with the free flow of information for public benefit. In an environment where privacy and information access practices are being strongly challenged by the digital environment, having a single regulator empowered to oversee and guide the public sector on both matters provides Western Australia with contemporary and effective oversight that best matches public expectation.
The first of the commissioners is the new Information Commissioner, who will have overall responsibility for both privacy and freedom of information matters. The second is the Information Access Deputy Commissioner, who will be responsible for freedom-of-information matters under the Freedom of Information Act 1992. The current Information Commissioner under the Freedom of Information Act 1992 will be transitioned across to this deputy role. The third is the Privacy Deputy Commissioner, who will be responsible for privacy matters under the Privacy and Responsible Information Sharing Bill 2024.
The Information Access Deputy Commissioner and Privacy Deputy Commissioner are deputies of the Information Commissioner and will be subject to the direction of the new Information Commissioner. The three commissioners will be supported by staff appointed under part 3 of the Public Sector Management Act 1994. It is intended that a department known as the Office of the Information Commissioner will be established under the Public Sector Management Act 1994, akin to the approach taken in respect of other independent offices such as the Office of the Auditor General, the Office of the Inspector of Custodial Services and the Public Sector Commission. The new Information Commissioner will be the head of this department. ...
Part 2 of the bill will provide for the appointment of each of the commissioners. Each commissioner will be appointed by the Governor for up to five years and is eligible for reappointment once. Each commissioner will be eligible for appointment only if the person is or has been a legal practitioner of at least five years’ standing or is, in the opinion of the Governor, suitable for appointment as a commissioner by reason of the person’s legal qualifications and experience. Each commissioner is not part of the public service. This part also deals with matters ancillary to their appointment such as their remuneration and terms and conditions of service, the taking of an oath or affirmation of office, and the appointment of acting commissioners.
Part 3 of the bill will provide for the functions and powers of each of the commissioners and includes a power of delegation.
Part 4 of the bill will provide for staff and related matters. Staff are to be appointed under part 3 of the Public Sector Management Act 1994 to assist the commissioners in the performance of their functions. In addition, the Information Commissioner may seek the services of officers in the public service or engage persons to provide services, information or advice to the commissioners.
Part 5 of the bill contains miscellaneous provisions relating to the Information Commissioner’s requirement to report directly to Parliament, secrecy provisions, protection from liability and general regulation-making powers. Part 6 of the bill contains transitional provisions, including provisions to transition the current Information Commissioner to the Office of Information Access Deputy Commissioner. Staff of the current Information Commissioner will also be transitioned to the new department.
In the Information Privacy Bill 'Personal information' means
information or an opinion, whether true or not, and whether recorded in a material form or not, that relates to an individual, whether living or dead, whose identity is apparent or can reasonably be ascertained from the information or opinion.
The definition includes a non-exhaustive list of kinds of information that may be personal information:
• a name, date of birth or address;
• a unique identifier, online identifier or pseudonym;
• contact information;
• information that relates to an individual’s location;
• technical or behavioural information in relation to an individual’s activities, preferences or identity;
• inferred information that relates to an individual, including predictions in relation to an individual’s behaviour or preferences and profiles generated from aggregated information;
• information that relates to 1 or more features specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity of an individual.
Sensitive personal information means personal information —
• that relates to an individual’s
o racial or ethnic origin; or
o gender identity, in a case where the individual's gender identity does not correspond with their designated sex at birth; or
o sexual orientation or practices; or
o political opinions; or
o membership of a political association; or
o religious beliefs or affiliations; or
o philosophical beliefs; or
o membership of a professional or trade association; or
o membership of a trade union; or
o criminal record; or
• that is health information; or
• that is genetic or genomic information (other than health information); or
• that is biometric information; or
• from which information of a kind referred to in any of paragraphs (a) to (d) can reasonably be inferred.