Safeguards and Reform: PRIS Champions and the Information Landscape

Recent Privacy Act reforms have meant significant upcoming and continuing changes to the information landscape in Australia.

Personal privacy protections, and accountability for information sharing within Government and between Government Organisations in Western Australia will, from July 2026, be underpinned by the PRIS (Privacy and Responsible Information Sharing) Act 2024.

What is “personal information”?

“Personal information” collected by Government Organisations about individuals may now mean: demographic information, employment information, images, voice and facial biometric imprints, individual location information, financial and credit information, and deeply sensitive personal data such as religious beliefs and sexual orientation. 

The ways in which Government Organisations manage this information will now be influenced by a powerful framework as set out in the PRIS Act 2024, including the Information Privacy Principles (IPPs) contained within the Act.

Information gold standards such as retaining personal information only for as long as it is required, and for only the legitimate and specific reasons it is required, will soon be augmented by processes such as establishing why a Public Sector Agency believes it must collect and retain such information.

Minimum Requirements

Minimum requirements for Agencies will also mean protocols such as deciding where personal information will be captured – that is, which digital systems – and how it will be protected.

Who may legitimately access the information, how it will be indexed and arranged for access and retrieval, the ways in which people can openly review the personal information collected about them by an Agency, and which information may be sighted, but not retained, will all form part of the minimum requirements of PRIS.

Automated decision-making based on data sets of personal information is similarly part of privacy reform and PRIS legislation, with millions of lives now potentially affected by decisions “materially assisted” by an automated system. The impact of AI, and associated automated decision-making affecting individuals, must now be subject to Information Privacy Principles and guidelines. Additionally, organisations contracting with Government Organisations may need to comply, and at a bare minimum assist with meeting breach notification requirements.

Responsible Information Sharing

Responsible information sharing forms further objects of the PRIS Act 2024, with Government accountability a central aim.

Mandatory information breach notification via the Information Commissioner, Statutory mechanisms requiring information sharing to be subject to risk assessment, decision-making, governance and transparency actions by Agencies, and mechanisms supporting Aboriginal data governance will all be required to engender accountability.

PRIS Champions, Progress and Tools

The tools at our disposal to embrace the world according to PRIS begin with a designated PRIS Champion within each Government Organisation.

Readiness, action plans, progress steps, and major tools such as Privacy Impact Assessment (PIA) make up the emerging environment – with governance vehicles and tools, and internal policy frameworks, supporting implementation, management and reporting.

Follow the IRIS Blog to discover next steps in preparation for a rapidly changing information landscape.