WA privacy and responsible information sharing laws: the new Information Privacy Principles

David Benson, Sam Fiddian and James Constantine
27 Aug 2024
7 minutes

The task facing the WA public sector in readying itself for the new PRIS laws is a considerable one, particularly given the retrospectivity of some of the IPPs.

For the first time, the WA public sector and those that contract with it will need to comply with comprehensive privacy obligations in respect of both the personal information they currently hold and that they plan to collect in the future. With considerable holdings of personal information built up and retained over time, the WA public sector and its contracted service providers face a significant challenge to be ready for the Privacy and Responsible Information Sharing Bill 2024 (WA) and Information Commissioner Bill 2024 (WA) (PRIS) when they are passed and take effect. Understanding precisely what those new laws require is a sensible first step.

After our outline of the PRIS laws and their application to the WA public sector and those that contract with it, we’ll be exploring in greater detail the main features of the PRIS laws, the new mandatory notifiable information breach scheme, and the opportunities presented by the responsible information sharing system. In this article, we provide an overview of the primary source of the privacy obligations: the Information Privacy Principles (IPPs).

WA’s new 11 Information Privacy Principles

Central to the privacy obligations imposed by the PRIS laws is the introduction of 11 IPPs which apply to IPP Entities and govern each step of the personal information lifecycle, from collection through to destruction. IPP Entities include WA public entities and contracted service providers. “WA public entities” is defined broadly, and extends to WA Government departments and trading enterprises, local and regional governments, and SES organisations under the Public Sector Management Act 1994 (WA) (amongst others). Contracted service providers are those who contract with WA public entities and are obliged, under their respective contracts, to comply with the PRIS laws.

The IPPs more closely resemble the information privacy principles in the Victorian privacy legislation than the Australian Privacy Principles under the Commonwealth Privacy Act (APPs), with which many readers will be more familiar. Below is a high-level summary of each IPP, and the stage of the personal information lifecycle they broadly affect.

Preparation and collection

IPP 5: Openness and transparency

Central to the “privacy-by-design” concept which underpins principles-based privacy legislation is the requirement to have in place appropriate privacy practices and procedures. This includes a privacy policy describing how the organisation will handle personal information.

IPP 5 requires that the policy needs to be "clear, concise and expressed in plain language", and that it be kept up-to-date over time. Like many contemporary policies which businesses need to have, it cannot be a “set and forget” document. While IPP 5 does not prescribe the content of the document in the same manner as its equivalent APP 1, the content will necessarily need to address the list of matters included in APP 1, including the manner of collection, disclosure and use.

Interestingly, while APP 1 requires that a privacy policy be publicly available (usually by way of the entity's website), IPP 5 merely requires that it be "available to anyone who requests it". Similarly, IPP 5 also requires that IPP Entities take reasonable steps to respond to individuals' requests for information about the entity's information-handling processes. The focus on responding to requests, rather than proactively making the policy and information publicly available, likely provides IPP Entities with more flexibility than their Commonwealth counterparts when it comes to meeting this transparency principle.

IPP 1: Collection

IPP 1 governs the collection of personal information. The collection must be "necessary" for one or more of the IPP Entity's functions or activities. This is to be contrasted with the arguably weaker standard of "reasonably necessary" under the equivalent APP 3.

Personal information must be collected in a "fair and reasonable", and not "unreasonably intrusive", way directly from individuals wherever possible. The purpose for the collection must be recorded in writing, and notice given to the individual at or before the time of collection of certain matters relating to the collection, in much the same way as APP 5 requires the provision of privacy collection notices. Such notices must be "up-to-date, clear, concise and expressed in plain language."

IPP 8: Anonymity

Commonly perceived to be lacking in practical utility, IPP 8 is nevertheless included in the PRIS laws and requires, in the same way as APP 2, that individuals have the option of not identifying themselves when dealing with the IPP Entity, unless the entity is required or authorised by law to deal only with individuals who have identified themselves, or it is impracticable for the entity to deal with individuals who have not identified themselves. Most commonly an issue at the time of collection of personal information, anonymity is something IPP Entities should consider as an option as part of any privacy impact assessment.

Use and disclosure

IPP 2: Use and disclosure

IPP 2 provides the main parameters for the use and disclosure of personal information. Largely mirroring APP 6, personal information can be used for the primary purpose for which it was collected, and for permitted secondary purposes with the individual's consent or where the individual would expect that use and it relates (or directly relates, in the case of sensitive information) to the primary purpose. Continuing the theme from IPP 1, the use or disclosure for a secondary purpose must be recorded in writing and must be "fair and reasonable in the circumstances". This will mean that IPP Entities will need to continuously consider whether use or disclosure for a particular primary or secondary purpose remains "fair and reasonable" having regard to any developments or changes since the time of collection.

IPP 9: Disclosure outside Australia

While its name suggests that IPP 9 will operate in a similar manner to APP 8 in policing the overseas transfer of personal information, IPP 9 arguably provides greater flexibility for IPP Entities to transfer personal information overseas where doing so is in the interests of the individual. This perhaps reflects recognition that APP 8 in its current form was overly restrictive given increasing global connectivity.

IPP 9 prohibits the disclosure of personal information to an overseas recipient unless an exception applies, in much the same way as APP 8. However, it is the nature of the exceptions that differs. In particular, IPP Entities will be able to disclose personal information overseas where it is:

  • necessary for the performance of a contract (or pre-contract measures) between the individual and the IPP Entity;
  • necessary for the conclusion or performance of a contract between the IPP Entity and a third party, which contract is in the interest of the individual; and
  • for the benefit of the individual and, while it is impracticable to obtain the consent of the individual, the individual would "be likely to give it".

How the new regulator, the Office of the Information Commissioner, interprets these exceptions will be a point of interest, particularly with the last one seemingly incorporating a subjective assessment of the attitude a particular individual might take to a disclosure. Proving that the disclosure falls within that exception could be challenging.

In a further new feature, IPP 9 prohibits the overseas disclosure of de-identified information unless the IPP Entity takes reasonable steps to ensure that the recipient complies with the obligations imposed by IPP 11 (see below).

IPP 10: Automated decision-making

A first of its kind in Australia, IPP 10 requires that IPP Entities be transparent about the adoption of automated decision-making (ADM) processes which involve the use of personal information.

ADM is the use of technology to automate a decision-making process, whether to assist or to replace the judgment of human decision-makers. Such processes can range from applying simple business rules through to using sophisticated algorithms to make discretionary decisions. While ADM processes offer the potential to increase the efficiency, accuracy and consistency of decisions, they also raise complex ethical and legal issues. Personal information can be used to train, test or deploy ADM processes, which encourages greater data collection, sharing and combining.

IPP 10 strikes a balance between enabling IPP Entities to benefit from the use of ADM, while ensuring that:

  • there are appropriate safeguards;
  • individuals are aware of their use; and
  • human intervention is available where requested.

IPP Entities must assess the impact of the use of ADM processes, periodically evaluate their operation and effectiveness, and reassess where required. They will also need to give notice to individuals of the use of ADM processes in making decisions about them, and provide a process for the individual to request human intervention in the decision.

Storage and handling

IPP 4: Information security

Much like APP 11, IPP 4 will require IPP Entities to take reasonable steps to protect the personal information they hold from misuse and loss, and from unauthorised access, modification or disclosure. While the focus will be on the interaction of IPP 4 with the entity's cybersecurity practices and the notifiable information breach scheme, it is important to remember that IPP 4 also extends to paper records held by IPP Entities.

IPP 7: Unique identifiers

IPP Entities will not be able to assign unique identifiers to individuals unless doing so is necessary for them to perform their functions or activities efficiently. Further, much like its Commonwealth equivalent, APP 9, the sharing and use of other entities' unique identifiers is also restricted, as are demands that the individual provide the unique identifiers assigned by others in order to obtain services.

IPP 3: Information quality

Largely equivalent to APP 10, IPP 3 requires that IPP Entities take such steps (if any) as are reasonable in the circumstances to ensure that the personal information they collect, use or disclose is accurate, complete and up-to-date. Policies and practices for complying with this requirement will need to be included in an IPP Entity’s storage and handling practices.

IPP 6: Access and correction

IPP 6 will require that IPP Entities have policies and practices for dealing with requests by individuals for access to, and correction of, the personal information about them held by the entity.

Reasons for refusal of access or correction largely mirror those available under APPs 12 and 13, although the procedural requirements on IPP Entities under IPP 6 are less prescriptive, perhaps allowing for greater flexibility in approach. Nevertheless, it will be important that entities have robust and efficient processes, with a response to a request by an individual required "as soon as possible" and "no later than 45 days" after the request is made.

De-identification or destruction

IPP 4: Information security

Going hand in hand with the obligation to keep information secure, the importance of appropriate data retention arrangements has been highlighted since the Medibank data breach in 2022.

Under IPP 4, personal information must be destroyed or permanently de-identified if it is no longer needed for any purpose, unless the IPP Entity is expressly required or authorised to retain the information by or under another law. This will likely require a re-examination of State laws such as the State Records Act 2000 (WA) and their interaction with the requirement under IPP 4 to limit the amount of personal information which a WA public entity retains.

IPP 11: De-identified information

Unlike the APPs, IPP 11 extends certain privacy protections to information even after it has been de-identified. De-identified information must be the subject of reasonable security measures, in much the same way as personal information under IPP 4. IPP 11 goes on to prohibit the re-identification of de-identified information save for certain scenarios, such as where the IPP Entity was the one that de-identified the information, or where de-identified information obtained from another IPP Entity is re-identified with that other entity's written authorisation for a specific purpose.

Retrospective application of some IPPs

IPPs 2 (use and disclosure), 3 (information quality), 4 (information security), 5 (openness and transparency), 6 (access and correction), and 9.1 (disclosures outside Australia) will all apply to any personal information held by the IPP Entity, regardless of whether the personal information was collected before or after the PRIS laws come into force.

Ready yourself

The task facing IPP Entities in readying themselves for the new PRIS laws is a considerable one, particularly given the retrospectivity of some of the IPPs.

For what purposes can current personal information holdings be used or disclosed? What additional steps might need to be taken to protect it? How long can it be held and when does it need to be destroyed? All these questions and more need to be asked in respect of each repository of personal information held by an entity.

It is only once those questions are answered that focus can turn to creating forward-looking policies and procedures which deal not only with these historical and current holdings, but which guide personal information collection, use and disclosure in the future.

These are all issues we’ll explore in coming weeks in articles on the new mandatory notifiable information breach scheme, and the opportunities presented by the responsible information sharing system. In the meantime, if you have any questions on how these incoming laws will affect you, or what in our experience will be your biggest challenges, we’re here to help.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.