Are you ready for changes to privacy and data obligations?

Risk Matters - Summer 2025

At a glance:

On 6 December 2024, Western Australia’s Privacy and Responsible Information Sharing Act 2024 (PRIS Act) was given Royal Assent.

The PRIS Act is a significant step towards improving the handling of personal information and setting up a control and enforcement regime for public sector agencies.

The Government has yet to announce the implementation schedule, although we are aware that the Department of Premier and Cabinet has already been working with some local governments to understand how they will implement these changes.

We expect that this will be in force early to mid-2026 – meaning members have a 12-month period to become familiar with the upcoming changes and take steps to become ready when they do come into effect.


Who does the PRIS Act apply to?

The PRIS Act applies to ‘public entities’. This includes WA government departments, local governments, and government trading enterprises (amongst others).

The PRIS Act also applies to Information Privacy Principles (IPP) entities, which include contracted service providers that handle personal information on behalf of public entities provided that the relevant services contract specifies that the PRIS Act will apply to the service provider.

This could include:

  • local government data hosted on infrastructure run by third parties; and
  • any physical storage centres.

The upshot of this is that public entities can, and should, require their service providers to accept the direct statutory force of the PRIS Act in services contracts.

Public entities and other IPP entities are referred to collectively as ‘IPP entities’.

What will be the immediate key impacts on public entities?

Mandatory Notifiable Information Breach Scheme

The PRIS Act introduces a Mandatory Notifiable Information Breach (NIB) scheme. This is designed to ensure that both affected individuals and the Information Commissioner are made aware of serious breaches of personal information. A failure to comply with the NIB scheme is an interference with the privacy of an individual, enforceable by the Information Commissioner under the PRIS Act.

Similar to the Federal Notifiable Data Breaches scheme under the Privacy Act, a notifiable information breach occurs where personal information held by an IPP entity has been accessed or disclosed without authorisation, or lost, and that unauthorised access, unauthorised disclosure or loss is likely to result in serious harm to any individual to whom the information relates.

In addition, the PRIS Act also empowers the Information Commissioner to make a notifiable information breach determination. This will set out the circumstances in which the Information Commissioner considers unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an IPP entity constitutes a notifiable information breach.

Where an IPP entity reasonably suspects that a notifiable information breach has occurred, it must assess the suspected breach. If a notifiable information breach has occurred (or there are reasonable grounds to believe that it has), the PRIS Act requires the IPP entity to:

  • give notice to the Information Commissioner in an approved form, which must include specific information set out in the PRIS Act; and
  • take all reasonable steps to notify each affected individual.

Information Breach Policy

The PRIS Act mandates that an IPP entity must prepare an information breach policy setting out the procedures to be followed in compliance with the requirements of the mandatory notifiable information breach scheme. This policy must be made publicly available.

IPP entities are also required to set up and keep a register of notifiable information breaches and prepare an annual report, which must include information regarding assessed notifiable information breaches.

These obligations promote greater transparency in the information breach preparation, assessment and notification processes of IPP entities.

Specific duties for CEOs

CEOs, or ‘principal officers’, of IPP entities must ensure that the principal officer or another senior officer is designated as the privacy officer for the entity. The privacy officer has several specific responsibilities under the PRIS Act including:

  • promoting the IPP entity’s compliance with the Information Privacy Principles set out in the PRIS Act;
  • preparing the IPP entity’s information breach policy; and
  • establishing and keeping the IPP entity’s register of notifiable information breaches.

The principal officer must also ensure the Information Commissioner is notified of the name and contact details of the privacy officer, and any changes to the designated officer.

What other key changes does the PRIS Act introduce?

The PRIS Act introduces a series of other key changes including:

  • Information Privacy Principles (IPPs) – at the core of the privacy protections under the PRIS Act are 11 IPPs. These are general rules governing the handling of personal information that must be followed.
  • privacy complaints – the PRIS Act creates a pathway for individuals who consider their privacy has been interfered with to make a complaint, and confers various functions and powers on the Information Commissioner to investigate and enforce compliance with the privacy provisions of the PRIS Act.
  • privacy impact assessments – IPP entities must undertake a privacy impact assessment when handling information that is likely to have a significant impact on the privacy of individuals.
  • responsible information sharing – a framework to authorise the responsible sharing of information held by IPP entities.

How does the PRIS Act differ from the Commonwealth Privacy Act?

The IPPs under the PRIS Act are comparable to the Australian Privacy Principles (APPs) under the Privacy Act that apply to Commonwealth government entities and certain private sector entities.

That said, there are some notable differences including:

  • definition of personal information – under the PRIS Act, this extends to include the personal information of deceased, as well as living, individuals. It also provides a non-exhaustive list of the kinds of information that may be personal information, including location and inferred information;
  • employee records – there’s no employee records exemption under the PRIS Act; and
  • automated decision-making – the PRIS Act has automated decision-making provisions. These go beyond the obligations introduced by the first tranche of reforms to the Privacy Act.

In terms of the NIB scheme, there is a greater emphasis on harm mitigation, responsiveness and transparency than under the equivalent provisions of the Privacy Act. Due to a State contracts exemption in the Privacy Act, contracted service providers that must comply with the IPPs will often be exempt from complying with the Privacy Act equivalent.

What should local governments do?

All IPP entities, including local governments, subject to the PRIS Act should take steps now to ensure that they:

  • appoint a privacy officer and an information sharing officer;
  • develop and publish a privacy policy and an information breach policy;
  • have robust plans and systems to meet their wider obligations under the IPPs, including data classification and management;
  • review their broader cyber security risk management strategy (including staff training and education);
  • carefully review their supply chain management and the engagement between procurement, governance, IT, and cyber risk teams; and
  • have in place a robust incident management plan to support containment, response and communications.

IPP entities need to ensure not only that they comply with the requirements of the NIB scheme and the wider obligations introduced by the PRIS Act, but also that they are ready from a practical perspective to respond to an incident. This includes testing breach response policies and procedures in tabletop and simulation exercises, preparing communications playbooks, and developing ransomware decision-making frameworks.

Next steps

LGIS is closely watching developments and is committed to supporting all members with understanding what they need to do to get ahead of this, become compliant with their obligations and be ready to respond.

We have partnered with Atmos to prepare this update and will continue to work with them to obtain support for LGIS members. Atmos has been developed on the back of Clyde & Co’s extensive cyber incident practice.

Reece Corbett-Wilkins – Partner, Atmos

Reece advises boards and other senior members in the executive, legal, IT, risk management and public relations functions to navigate Australia’s complex cyber landscape. Reece and the wider team have helped thousands of entities respond to incidents, including some of Australia’s most prominent and industry-wide cyber events in recent times, and several supply-chain attacks and multi-party data breaches. Following cyber incidents, Reece acts in third-party IT liability claims, consumer claims, regulatory investigations, and recovery actions. It is this end-to-end experience which informs Reece’s approach to managing a cyber crisis.
