Western Australia moves slowly to have a Privacy Act
September 3, 2024
Western Australia is slowly moving towards having a Privacy Act. The Privacy and Responsible Information Sharing Bill 2024 has passed the Legislative Assembly and is working its way through the Legislative Council. It is principles-based legislation, modeled broadly on the Victorian, New South Wales and Queensland legislation. Its complaint and enforcement provisions are, like those of the other State Acts, quite process-oriented and generally weak. It has a significant weakness in dealing with complaints which are not resolved by conciliation. Under the legislation a complaint is determined by the Information Commissioner (section 104). However, the Commissioner is also involved in the mandatory attempt at conciliation of the complaint. A party should have a complaint heard by an independent judicial or quasi-judicial body, preferably a court. Tribunals have a poor record in considering privacy complaints. The jurisprudence of the Victorian Civil and Administrative Tribunal has been so ineffective as to render the enforcement provisions in Victoria a dead letter.
There will be 11 Information Privacy Principles (“IPPs”), which will apply to IPP Entities. These include WA public entities, their contracted service providers, WA Government trading enterprises and departments, and local and regional governments.
Most of the IPPs follow the same structure as the Commonwealth APPs and the State IPPs. A new development is a principle dealing with automated decision-making. The weakness of the IPPs is that they are replete with exceptions, being drafted in general terms and with vague terminology (such as what is “reasonable”). Such terms have tended to be interpreted by courts, tribunals and commissioners in favour of the entities. As such, the protections are not as effective as they appear on paper.
Some of the key IPPs are:
IPP 1: Collection
Collection must be “necessary” for one or more of the IPP Entity’s functions or activities. Personal information must be collected in a “fair and reasonable”, and not “unreasonably intrusive”, way directly from individuals wherever possible.
The purpose for the collection must be recorded in writing, and notice given to the individual at or before the time of collection of certain matters relating to the collection.
IPP 2: Use and disclosure
IPP 2 deals with the use and disclosure of personal information. Use or disclosure for a secondary purpose must be recorded in writing and must be “fair and reasonable in the circumstances”.
IPP 3: Information quality
IPP Entities must take such steps as are reasonable in the circumstances to ensure that the personal information they collect, use or disclose is accurate, complete and up-to-date. Policies and practices for complying with this requirement will need to be included in an IPP Entity’s storage and handling practices.
IPP 4: Information security
IPP Entities must take reasonable steps to protect the personal information they hold from misuse and loss, and from unauthorised access, modification or disclosure.
IPP 5: Openness and transparency
There will be a requirement to have in place appropriate privacy practices and procedures, including a privacy policy which needs to be “clear, concise and expressed in plain language”, and which must be kept up-to-date.
IPP 6: Access and correction
IPP Entities must have policies and practices for dealing with requests by individuals for access to, and correction of, the personal information about them held by the entity.
Entities must respond to a request by an individual “as soon as possible” and “no later than 45 days” after the request is made.
IPP 7: Unique identifiers
IPP Entities will not be able to assign unique identifiers to individuals unless doing so is necessary for them to perform their functions or activities efficiently.
IPP 8: Anonymity
Individuals must have the option of not identifying themselves when dealing with the IPP Entity unless the entity is required or authorised by law to deal with the individuals who have identified themselves, or it is impracticable for the entity to deal with individuals who have not identified themselves.
IPP 9: Disclosure outside Australia
IPP 9 prohibits the disclosure of personal information to an overseas recipient unless an exception applies. IPP Entities will be able to disclose personal information overseas where it is:
- necessary for the performance of a contract (or pre-contract measures) between the individual and the IPP Entity;
- necessary for the conclusion or performance of a contract between the IPP Entity and a third party, which contract is in the interest of the individual; and
- for the benefit of the individual and, while it is impracticable to obtain the consent of the individual, the individual would “be likely to give it”.
IPP 9 prohibits the overseas disclosure of de-identified information unless the IPP Entity takes reasonable steps to ensure that the recipient complies with the obligations imposed by IPP 11.
IPP 10: Automated decision-making
IPP 10 requires that IPP Entities be transparent about the adoption of automated decision-making processes which involve the use of personal information.
IPP 11: De-identified information
IPP 11 extends privacy protections to information even after it has been de-identified. De-identified information must be the subject of reasonable security measures. IPP 11 also prohibits the re-identification of de-identified information except in certain cases.
The Government’s media release provides:
The WA Government provides a range of services and programs aimed at improving the quality of life for Western Australians. In order to deliver these, we collect and hold information about Western Australians.
To protect the personal information of Western Australians and facilitate responsible use and sharing of government information, the WA Government has introduced the Privacy and Responsible Information Sharing Bill to Parliament.
The proposed privacy and responsible information sharing legislation will provide Western Australians with greater control over their personal information and improve the delivery of government services. This legislation will enable information to be shared within government for the right reasons and provide greater accountability and transparency about how government handles your personal information.
Alongside the Privacy and Responsible Information Sharing Bill is the proposed Information Commissioner Bill. The proposed legislation will establish new officeholders: the Information Commissioner, Privacy Deputy Commissioner, Information Access Deputy Commissioner and Chief Data Officer. The Information Commissioner and Privacy Deputy Commissioner will be independent statutory officeholders, reporting directly to Parliament and having responsibility for privacy matters in WA. The Chief Data Officer will promote a culture of transparency, accountability, and safe use of government information.
Broadly, the proposed legislation introduces reforms that provide:
- guiding privacy principles and a framework to govern the collection, use, disclosure and security of personal information across the public sector;
- a mandatory information breach notification scheme, requiring agencies to notify the Information Commissioner and affected individuals of serious information breaches involving personal information;
- a statutory mechanism for WA public sector agencies to share information only when adhering to new stringent standards for risk assessment, decision making, governance and transparency; and
- a mechanism that supports Aboriginal data governance in WA, by requiring that Aboriginal people and communities are involved or consulted when government information that primarily affects Aboriginal people is shared.