Privacy and information sharing legislation on the horizon for the WA public sector
In a statement to the media earlier this month, the WA State Government committed to introducing legislation governing the privacy of personal information and information sharing in the WA public sector.
As a first step towards fulfilling that commitment, the State Government has released a discussion paper seeking submissions with respect to the framework, form and content of the proposed privacy legislation.
This development offers those potentially affected by the proposed privacy legislation the opportunity to help shape the future of WA State laws in this area.
The current position in WA
WA is one of only two States and Territories that does not have legislation governing the privacy of personal information handled by the WA public sector – a gap that, given the Federal privacy legislation does not apply to the WA public sector, is significant.
Privacy and information-sharing in the WA public sector are currently governed by a patchwork of common law principles and entity-specific legislation and regulation. There are no over-arching legislative principles governing the handling of personal information in the WA public sector; no body with oversight of such handling; and no clear pathway for the raising and resolution of complaints about privacy.
What's in the proposed privacy legislation
The discussion paper envisages that the proposed privacy legislation will impose both privacy and information-sharing regimes for the WA public sector.
While no commitment is given as to the framework or form of the proposed privacy legislation at this stage, the content of the discussion paper strongly suggests that the proposed privacy legislation will have the following characteristics.
- Privacy Principles: Unsurprisingly, the discussion paper highlights a desire to adopt laws consistent with those in force at the Federal level and in other States and Territories. In particular, it points to the flexibility offered by the adoption of a set of overarching privacy principles such as the Australian Privacy Principles contained in the Privacy Act 1988 (Cth).
- State Privacy Body: The application and enforcement of the proposed privacy legislation would be the responsibility of an independent privacy oversight body led by a WA Privacy Commissioner. The extent of its powers remains to be seen.
- Facilitation of appropriate information-sharing: To provide certainty to the WA public sector and the public, the proposed privacy legislation is likely to outline certain activities for which information can be shared (eg. for the efficient delivery of government services); prohibit information-sharing for certain activities (eg. for direct marketing); and otherwise outline a process by which information sharing can be approved. As to the latter, and consistent with other State and Territory legislation and the Federal Government's proposed information sharing legislation, the discussion paper heavily favours the "5 Safes" approach as the basis of its information-sharing framework (the "5 Safes" are a set of criteria that must be satisfied before the relevant organisation can share information with another organisation).
- Chief Data Officer: Information-sharing extends beyond privacy considerations. To support the WA public sector in adopting best practice standards for information-sharing, including for the appropriate use of technology, the proposed privacy legislation is likely to create the role of Chief Data Officer, reporting either to the responsible Minister or to the WA Privacy Commissioner and supported by the recently established Office of Digital Government.
Affecting the WA public sector – and beyond
The discussion paper suggests that the proposed privacy legislation will apply to organisations beyond those which fall within the definition of the public sector under the Public Sector Management Act 1994 (WA) and could include organisations such as local governments, public universities, and State Government trading entities.
However, the practical reach of the proposed privacy legislation can be expected to extend far beyond this to those non-government organisations and entities whose dealings with those covered by the proposed privacy legislation involve the provision or receipt of personal information. Such non-government organisations and entities can expect to see clauses requiring compliance with the proposed privacy legislation feature in future contracts with the WA public sector.
The consultation process for the proposed privacy legislation
In particular, the State Government is seeking views as to a number of specific aspects of the proposed privacy legislation, including:
- the suitability of the Australian Privacy Principles for WA;
- how breaches of privacy should be managed, including the form of response to privacy breaches;
- the role and powers of a WA Privacy Commissioner and Chief Data Officer;
- whether the State Government should facilitate the sharing of information outside of the WA public sector and, if so, under what conditions; and
- what steps need to be taken by the State Government to support the roll-out of the proposed privacy legislation.
The State Government has committed to releasing a summary of the submissions received after the consultation period has closed. Beyond that, there is no mention of any program or timeframe for the preparation and introduction of the proposed privacy legislation. With the next WA State election due in March 2021, we expect to see the introduction of the proposed privacy legislation during the course of next year.
Shaping – and preparing for – the proposed privacy legislation
WA public sector organisations, and those organisations whose interactions with the WA public sector involve the provision or receipt of personal information, should consider whether to make submissions to the State Government to help shape the content of the proposed privacy legislation.
Further, promoting a culture of privacy within large organisations takes time and considerable effort, particularly where such a shift involves changes to long-standing practices or requires updated technology and systems. As such, while compliance with the proposed privacy legislation itself is unlikely to be required for some time, it is never too early to begin the change management process. Beginning to put in place privacy policies and practices now using the Australian Privacy Principles as a guide will not only enable organisations to meet the public's ever-increasing privacy expectations, but will better position the organisation when the time comes to implement any specific changes required to comply with the proposed privacy legislation.