WA privacy and responsible information sharing laws: a framework for the responsible sharing of government information

WA’s privacy and responsible information sharing (PRIS) laws passed late last year and the majority of the substantive provisions are expected to come into force in 2026. There are steps that both WA public entities and external entities should proactively take now to prepare to comply with the forthcoming PRIS provisions. In this series, we have been exploring the main features of the PRIS laws, providing our first impressions, an overview of the information privacy principles and a look at the notifiable information breaches scheme. Here, we provide an overview of the responsible information sharing framework, including the associated obligations and opportunities that it brings.

In the course of providing public services, WA public entities regularly collect considerable volumes of information from the public. It is however often siloed and restricted to use within the collecting public entity, so it's often of limited utility despite its potential to be better leveraged to inform government policy and improve government services.

The responsible information sharing framework is the WA Government's solution to this problem. It provides an avenue for a WA public entity to share "government information" in prescribed circumstances with protection against liability. "Government information" is broadly defined to include any information (including personal information) held by a WA public entity, excluding the lengthy list of typical exemptions ("exempt information"), such as where the information may put investigations or persons at risk.

Responsible sharing principles

At its heart, the responsible information sharing framework seeks to permit information sharing where it would be consistent with five responsible sharing principles (RSPs). These principles are intended to provide a consistent framework for the assessment of risks and benefits associated with a data sharing arrangement, and focus on:

• Activities: whether the proposed activities will be appropriate, having regard to matters including whether the disclosure is necessary for the activity, whether it will benefit the public, the risks or harms which might occur if the information is not shared and, conversely, whether there is a risk of harm if the sharing occurs and any potential mitigation.
• Recipients: whether it is appropriate to share the information with the proposed recipient having regard to matters including to their suitability to carry out the activity, their systems, processes and governance arrangements, and the nature of any third party interests in the outputs of the activities.
• Information: whether the information that will be shared is appropriate for the activity, including whether it is restricted to that which is necessary for the activity (and no more), is of sufficient quality, or contains sensitive Aboriginal family history information or sensitive Aboriginal traditional information. If it includes personal information, RSP 3 outlines additional considerations, such as whether the individual has consented to the sharing.
• Settings: whether the mechanics of the sharing are up to scratch, including the proposed physical or digital location of the information, the retention period, the recipient's security arrangements, the likelihood of a breach, and how information will be returned or destroyed once the activity is complete.
• Outputs: where an output derived from the proposed activity will be disclosed to third parties, whether that will be appropriate having regard to the nature and purpose of the disclosure, the likely recipients, whether individuals can be identified from the output, and whether there will be any external review or audit prior to the disclosure.

What can the shared information be used for?

Government information may be shared for a permitted purpose with other WA public entities, as well as other "external entities" including other Commonwealth and State agencies, higher education providers, health-related research bodies and contracted service providers. The "permitted purposes" include to inform or enable:

• government policy;
• government programs and services;
• research and development with clear and direct benefits to the public; or
• emergency management.

Government information may not be shared for law enforcement or compliance purposes, national security purposes or, perhaps most interestingly, for the primary purpose of obtaining commercial gain. While the prohibition on use for commercial gain is unsurprising given the framework is tied to public benefit, there will not always be a bright line between commercial gain being a primary or secondary purpose which introduces an element of uncertainty.

How to request and share government information

Step 1 – The request

WA public entities and external entities will be able to request that a WA public entity disclose government information to them. The request must be in writing and specify the government information sought, the applicable permitted purpose, the activity that would be carried out to achieve that purpose, how the information would be used as part of that activity, and how the information will otherwise be handled.

Unless otherwise agreed, the recipient of the request (the "holding entity") must respond within 45 days. If the holding entity is able to provide the requested information through an alternative to the responsible information sharing framework, it may do so. But if the responsible information sharing framework applies, the response must indicate whether the holding entity is prepared to share the information (and comply with the further steps described below) or refuses to share the information.

Should it refuse, reasons must be given. However, the holding entity has no obligation to provide the information and may refuse "for any reason".

Step 2 – Preparing an information sharing agreement

If the holding entity is inclined to share government information, it must enter into an information sharing agreement with the requesting entity. The PRIS laws are fairly prescriptive for the content of the information sharing agreement, ensuring that the sharing is appropriately limited, tied to the obligations under the PRIS laws, and adequately safeguarded. Significant emphasis is placed on ensuring that the agreement clearly outlines what will happen to the information once the activity or agreement is concluded, including to any material derived from the underlying information.

Information sharing agreements can be between multiple parties (ie. more than one holding entity or requesting entity), and can permit further disclosure of the information if the specific circumstances in which that may occur are set out in the agreement.

Step 3 – Assessments

Before it can enter into an information sharing agreement, the holding entity must undertake one or more of the following assessments depending on the circumstances:

1. RSP Assessment – an assessment of the five RSPs against the proposed agreement. The holding entity must be satisfied that the proposed handling of the information in accordance with the terms of the proposed agreement would be consistent with the RSPs in all the circumstances.
2. Privacy Impact Assessment – required where information will be shared with an external entity, involves data linkage or integration, or is likely to have a significant impact on the privacy of individuals. The parties to the proposed agreement must undertake a privacy impact assessment (PIA) outlining the risks and potential impacts, and steps that will be taken to manage or eliminate them.
3. Aboriginal Information Assessment – an assessment must be undertaken to determine whether the proposed agreement will involve sharing sensitive Aboriginal family history or traditional information, or if the relevant activity will primarily or especially affect Aboriginal people. If either situation applies, the holding entity must consult with the relevant Aboriginal stakeholders and take further steps prescribed by the PRIS laws.

Each assessment conducted, and report subsequently generated, must have regard to any applicable guidance issued by the Chief Data Officer (CDO) and Information Commissioner. Importantly, if a PIA is conducted and the information sharing agreement executed, the PIA report must be made publicly available. Designed to foster the culture of transparency, these assessments and reports must be robust enough to withstand public scrutiny, particularly should something subsequently go awry.

Step 4 – Entry into the information sharing agreement

If the assessments are completed and the parties can proceed, the information sharing agreement can be executed. Once executed by the parties, the agreement will not come into force until it is given to the CDO. This must occur within 30 days after execution. The CDO will then include the details of the information sharing agreement in a public register which the CDO will maintain.

It is only once an information sharing agreement is in force that government information may be shared and managed in a manner consistent with the terms of the agreement.

Shared information breaches

Reflecting the current trend towards managing risk through notification and assessment, a recipient under an information sharing agreement must comply with the PRIS laws' shared information breaches requirements.

A recipient of government information, whether it is another WA public entity or not, is required to assess, contain, mitigate and notify the information provider as soon as practicable if it reasonably suspects that a "shared information breach" has occurred. If its assessment establishes that the shared information breach has occurred (or there are reasonable grounds to believe it has occurred), the recipient is also required to notify the CDO.

If the recipient is an Information Privacy Principle (IPP) entity, it will also need to consider whether the shared information breach constitutes an assessed notifiable information breach under the privacy provisions of the PRIS laws. If the recipient is not an IPP entity, responsibility for that further assessment must be undertaken by the information provider (with all reasonable assistance of the recipient). If that assessment finds that an assessed notifiable information breach has occurred, additional notification obligations will apply.