How Western Australia could lead the nation on privacy

Australians are sitting with anticipation awaiting August 2024, when the Commonwealth Government promised to deliver a draft bill to update the Privacy Act 1988 (Cth) (Privacy Act). But there’s another bill that’s poised to outshine the Commonwealth’s and champion state privacy rights.

In May 2024, Western Australia (WA) tabled its Privacy and Responsible Information Sharing Bill 2024 (WA) (Bill). We’re delighted by this development and, in this blog post, our Board member Piotr Debowski will walk you through what we love about the Bill, what we are less keen on, and what we think the WA government needs to do some more thinking on. We focus our attention on the privacy aspects of the Bill, but the Bill also contains provisions facilitating the sharing of information within the WA government.

The Bill is currently in front of the WA Legislative Assembly. If it passes, it will be handed to the Legislative Council for consideration. 

Summary

| Item | Our thoughts |
| --- | --- |
| The scope of the Bill: IPP entities | ✅ The Bill will apply to all three branches of WA government, with some exceptions. |
| The scope of the Bill: personal, health, and sensitive information | ✅ The Bill will regulate the handling of all three types of information (personal, health and sensitive), and this will all sit with one regulator. |
| | ✅ The Bill will regulate the handling of information not only about living persons, but also about deceased persons. |
| | ❌ The definition of ‘personal information’ needs some tidying up, as in its current form it can create some ambiguity. |
| Notifiable data breach scheme | ✅ The Bill will impose a variety of mandatory requirements on IPP entities to assess, contain, mitigate, and notify regarding a data breach. |
| Mandatory PIAs for ‘high privacy impact’ activities | ✅ The Bill will require IPP entities to carry out a Privacy Impact Assessment on ‘high privacy impact’ activities. |
| | ❌ The definition of ‘high privacy impact’ activities needs timely and clear guidance to prevent circumvention of compliance. |
| | ❌ There’s no requirement for IPP entities to consult with members of the public when carrying out a Privacy Impact Assessment. |
| Enforcement | ✅ The Bill introduces the ability of aggrieved individuals to raise complaints with the WA Information Commissioner, who will have powers to conciliate and determine privacy complaints. |
| | ✅ The Bill recognises both economic and non-economic loss as compensable. |
| | ❌ The Bill does not introduce a direct right of action for individuals or groups to litigate outside of the privacy complaints process. |
| | ❌ The Bill sets a maximum of $75,000 on compensation, which is less than in other jurisdictions. |
| Fair and reasonable test | ✅ The Bill requires IPP entities to comply with a lawful basis for collection, use and disclosure, and also imposes a ‘fair and reasonable’ test. |
| | ❌ The Bill contains some unnecessary exceptions to the fair and reasonable test. |
| Automated decision-making (ADM) technology | ✅ The Bill imposes a variety of obligations on IPP entities who employ ADM technology to make a ‘significant decision’ about an individual, aimed at eliminating harms such as bias and discrimination. |
| | ✅ The definition of ‘significant decision’ is broad and encompasses a wide variety of decisions that affect a person’s legal rights as well as their life circumstances, opportunities, behaviour or wellbeing. |

Detail

The scope of the Bill: IPP entities

The Attorney General for WA set the scene for the Bill in his Second Reading speech when he said introducing “strong and modern privacy protections for individuals is more important today than ever before… Western Australians should be able to say that their state government values and respects their privacy as much as they do. However, unlike most Australian jurisdictions, Western Australia does not have comprehensive privacy legislation to regulate how the public sector handles personal information.”

The Bill will finally introduce comprehensive regulatory requirements on WA Ministers, public entities, and contracted service providers (these are called IPP entities) to handle personal information in accordance with Information Privacy Principles (IPPs). We’re pleased to see that the term ‘public entity’ is defined broadly to include the vast array of government branches such as: departments, local councils, the Police Force, and bodies or office holders established for a public purpose. 

We’re also pleased to see that it extends to judicial bodies, albeit only when they are handling personal information in relation to an administrative matter (e.g., a registry). This is consistent with other State-based jurisdictions’ approaches (such as s 10 of the Victorian Privacy and Data Protection Act 2014 (Vic) (PDP Act)) and means that all three branches of WA government are bound by the same set of rules.

The scope of the Bill: personal, health, and sensitive information

We’re pleased to see that the Bill will regulate the handling of not only personal but also health and sensitive information. This is similar to the current Commonwealth Privacy Act, but an improvement on other States’ hotchpotch legislative approaches. For example, in Victoria the PDP Act regulates the handling of personal and sensitive information and is administered by the Office of the Victorian Information Commissioner, whilst the Health Records Act 2001 (Vic) regulates the handling of health information and is administered by the Health Complaints Commissioner. The Victorian approach, with two similar but different sets of privacy principles and two regulators, results in complainants’ experiences differing, and in a divergence in interpretation of the principles based purely on the type of information that is the subject of a complaint.

We’re also pleased to see that the definition of ‘personal information’ extends not only to living persons, but to deceased persons as well. This is broader than most Australian jurisdictions, whose privacy legislation only extends to living persons. It’s a welcome addition as it recognises that privacy harms can arise even though a person is deceased (e.g., to a deceased person’s relatives, or to their own reputation), and these are proliferating because of advances in technology such as machine learning and artificial intelligence (AI) (e.g., information about a deceased person being used to train an AI without consent, in circumstances where the AI can make negative or inaccurate inferences about the deceased person that affect their reputation).

We’re a little disappointed about the current definition of ‘personal information’. It looks like WA has taken the definition of ‘personal information’ from the Victorian PDP Act or the current Commonwealth Privacy Act and then attempted to modify it to address some of the criticisms these definitions have faced (largely that they do not extend to certain types of metadata) by inserting the words ‘relates to’ into the definition together with some examples of personal information (one of which is metadata such as technical or behavioural information). This is messy and could be improved.

Whilst we like the inclusion of the examples, we’re concerned that the current definition will lead to ambiguity. This is unfavorable to Western Australians because if data is not caught within the definition then it will not be protected by the IPPs. We encourage the WA government to tidy up the definition, and make it simple, like the European Union’s General Data Protection Regulation 2016 (EU GDPR) which simply requires data to relate to an identified or identifiable person.

Notifiable data breach scheme

We’re pleased to see that the Bill will introduce a mandatory requirement for IPP entities to:

  • take reasonable steps to contain, assess and mitigate harm from a notifiable data breach; and
  • notify the WA Information Commissioner and affected individuals of an assessed notifiable data breach;

and will empower the WA Information Commissioner to issue a direction that an IPP entity comply with the above requirements.

This approach is consistent with how other jurisdictions like the Commonwealth, New South Wales, Victoria, and more recently Queensland are targeting the issue. We’re hopeful that it will reduce the risks of harm that affected individuals may experience.

Mandatory Privacy Impact Assessments for ‘high privacy impact’ activities

We’re pleased to see that the Bill introduces a mandatory requirement for IPP entities to carry out a Privacy Impact Assessment (PIA). PIAs are a fantastic tool to help build privacy-by-design (if carried out early), identify risks, and propose risk mitigation strategies. This will make WA the only jurisdiction in Australia that currently mandates PIAs (although there is some promise at the Commonwealth level with future law reform), and it is a time-proven approach adopted by the European GDPR in 2016.

At present, the only guidance that the Bill provides is that PIAs will be mandatory for ‘high privacy impact’ functions or activities, which are defined as those “likely to have a significant impact on the privacy of individuals.” We’re hopeful that, like the EU’s approach with its publication of the Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, the WA Information Commissioner will issue guidelines on what it considers ‘high privacy impact’ to mean. This is already envisaged by the Bill, but only time will tell how quickly and effectively the WA Information Commissioner can deliver. Without such early and clear guidance, we’re fearful that many activities won’t have a PIA carried out, as IPP entities will either be unsure or make the wrong assessment as to whether their activity has a ‘high privacy impact’.

Whilst we are pleased to see that the WA Information Commissioner will have the power to direct an IPP entity to carry out a PIA, we’re a bit disappointed that, unlike Europe’s GDPR, the Bill does not mandate or suggest any public consultation on PIAs. We’d also suggest that the Bill require, or that IPP entities at least adopt the practice of, publishing the results of their PIAs to improve transparency and accountability.

Enforcement

The effectiveness of human rights legislation is only as good as its ability to encourage compliance and provide meaningful avenues and remedies to address wrongs when they occur; privacy legislation is no different. 

The Bill introduces the ability of individuals to raise privacy complaints with the WA Information Commissioner, who is responsible for attempting to resolve them through conciliation at first instance and, if that is unsuccessful, is able to make a determination as to how they should be resolved. Individuals who are not satisfied with the WA Information Commissioner’s decision will be able to appeal it to the State Administrative Tribunal. This complaints system appears to be similar to the way the Office of the Australian Information Commissioner (OAIC) is set up under the Commonwealth Privacy Act. We are pleased to see this approach, as it is a cost-effective and informal way for aggrieved individuals to seek remedies rather than pursuing litigation, as other models entail.

We are, however, disappointed to see that the Bill does not create a direct right of action for individuals or groups to bring a case in a court or tribunal, outside of the abovementioned complaints process. We urge the WA government to consider including the ability for individuals or groups to bring direct actions against IPP entities because this would provide additional incentives for IPP entities to comply, act as a deterrent, and increase the amount of jurisprudence under the Bill (providing greater guidance to IPP entities).

We’re also pleased to see that the Bill recognises both economic and non-economic loss (described as injury to hurt feelings or humiliation suffered by the complainant) as compensable. This reinforces the fact that the types of harm that can arise from an interference of privacy are varied and can range from an individual being merely upset, to long lasting emotional or psychological injury, to financial harms like loss of employment, and even to physical harms such as being stalked or assaulted. 

We are, however, disappointed to see that the statutory maximum that the WA Information Commissioner can award as part of a determination is $75,000. This is $15,000 less than the maximum available under the Victorian PDP Act. We urge the WA government to increase the maximum in recognition of the wide range of harms that an interference of privacy can occasion. 

Fair and reasonable test

We’re pleased to see that the Bill requires IPP entities to only collect, use or disclose personal information in circumstances that are ‘fair and reasonable’, and provides some factors to assist with determining what is fair and reasonable. We recognise that there has been a lot of debate regarding the Commonwealth Privacy Act and whether a similar fair and reasonable test should be included, with the fair and reasonable test facing a lot of criticism as to its operability. WA’s inclusion of the fair and reasonable test in its Bill is one of the reasons why we believe the Bill will be (until we see the Commonwealth’s proposed bill) leading the nation’s privacy regulation.

The fair and reasonable test will apply in addition to the other requirements that accompany collection and use or disclosure, and acts as an additional safeguard. In Piotr’s experience working with a wide range of clients as a privacy consultant, sometimes a client’s practices will satisfy the lawful basis for collecting or using/disclosing personal information, but the practice will still feel unethical or wrong. Currently, under all State and Commonwealth privacy legislation, there’s little you can do or point to in order to steer a client away from such a practice. We’re hopeful that the fair and reasonable test will help facilitate the ethical handling of personal information by encouraging good data management practices and giving Privacy Officers, advisors, and most importantly IPP entities themselves another set of guardrails to abide by.

We do query the necessity of having exceptions to the fair and reasonable test. For example, IPP 2.3(b)(i) provides that an IPP entity does not have to comply with the fair and reasonable test if it believes that a use or disclosure is necessary to prevent or lessen a serious threat to life, health, safety, or welfare of any individual. In our view, if such a situation exists, then the IPP entity will be able to point to factors that led it to the conclusion that the exception applies. These very same factors would be relevant to support a conclusion that the use or disclosure is fair and reasonable in the circumstances. Accordingly, we suggest that the WA government remove the exceptions and instead incorporate some of the contemplated scenarios as factors to consider within the fair and reasonable test itself.

Automated decision-making technology

Australian governments have a longstanding history of using automated decision-making (ADM) technology ineffectively, resulting in significant human rights violations and loss of public confidence in government and government decision-making. We only have to think back to the Commonwealth Government’s Robodebt scheme, which resulted in inaccurate debt calculations for more than 470,000 welfare recipients, or its use of ADM technology to administer income management for vulnerable youth, which the Commonwealth Ombudsman found potentially unlawful.

Despite this track record and ADM technology’s propensity for human rights violations, there is an argument that ADM technology can be in the public’s interest, as it can decrease costs (saving public money that can be redistributed to fund other initiatives) and increase the timeliness of decisions, provided appropriate safeguards are implemented.

Accordingly, we’re pleased to see that the Bill attempts to implement some safeguards by requiring IPP entities who employ automated decision-making (ADM) technology to make a ‘significant decision’ about an individual to:

  • carry out an assessment that considers any harms, bias or discrimination arising from the use of ADM technology; 
  • periodically evaluate the operation and effectiveness of the ADM process;
  • inform individuals that ADM technology is being used to make a decision affecting them;
  • give individuals information about how the ADM technology is being used; and
  • provide a process by which individuals can request human intervention in relation to ADM decisions.

We’re also pleased to see that the definition of ‘significant decision’ (which acts as a gatekeeper to when an IPP entity has to comply with the above requirements) is broad and covers decisions that affect an individual’s rights, entitlements, interests, liabilities, or otherwise significantly affects their life circumstances, opportunities, behavior, or wellbeing.