Western Australia's data privacy reform: how to prepare for new data privacy laws

Organizations committed to safeguarding their customers’ sensitive information need to be proactive. As the data privacy regulatory landscape evolves, being prepared before the regulation goes into effect can ensure organizations can meet their obligations and maintain compliance.

At RecordPoint, we’re committed to helping customers comply with data privacy laws from federal and state governments, including the upcoming Privacy and Responsible Information Sharing (PRIS) legislation in Western Australia (WA). But the first step in compliance is understanding.

While PRIS has yet to be finalized, we can get a head start on our response by reviewing the features of the law and comparing it to similar laws. Let's first take a closer look at the high-level features of PRIS.

Understanding WA's privacy landscape and PRIS

According to the Western Australian government, PRIS aims to modernize privacy safeguards and enhance transparency and accountability in government information sharing. This will establish a robust data privacy system that effectively protects the personal information of Western Australians.  

The proposed new laws in Western Australia will focus on several areas of reform, including:

• New Information Privacy Principles (IPPs) will be introduced, expected to align with the Australian Privacy Principles (APPs) in the Commonwealth Privacy Act.
• Responsible Sharing Principles (RSPs) will suggest a framework for WA government organizations to share personal information responsibly. The RSPs aim to help these organizations balance the benefits and risks of data sharing.
• A Mandatory Data Breach Notification Scheme will be introduced. In the event of a serious data privacy breach involving personal information within a government organization in WA, notification to the Privacy Commissioner will be mandatory. This aligns with the current rule under the Commonwealth Privacy Act.
• Support for Aboriginal Personal Information Sovereignty and Governance will be introduced.

You can access a helpful fact sheet on the upcoming legislation here.  

To ensure the successful implementation of these privacy measures, the government plans to appoint a Privacy Commissioner and a Chief Data Officer, alongside establishing a mandatory breach notification scheme, providing increased oversight, accountability, and penalties for non-compliance.

Taking action now for compliance

While some organizations may delay addressing their privacy practices until the legislation is finalized, the urgency to address ongoing these issues cannot be overstated. Although we don't yet have all the details of the upcoming PRIS reforms, Western Australian-based organizations should look to other legislation to get a head start.

If we use the Australian Privacy Principles (APPs) as a guide, there are some key areas that you can focus on to get ready for the introduction of the new legislation.

Safeguarding Government-Issued PII

APP 9 places restrictions on organizations concerning the adoption, use, and disclosure of government-related identifiers. To handle government-related identifiers in a compliant manner, you need to know which government-issued personally identifiable information (PII) you hold.

Organizations must diligently identify and safeguard government-issued identifiers such as Medicare numbers, tax file numbers, and driver's license numbers in their data.  

The RecordPoint Platform enables organizations to detect this sensitive data, allowing customers to protect what matters and remove the rest.

Sharing our insights on PII

Through an analysis of millions of records, we've identified some key trends that shed light on the rates of personal information that may be present in your organization's repositories. Of the records we analyzed, half had some form of PII, and 10% of those records contained critical PII such as passport numbers, social security numbers, and driver's licenses. It's clear most organizations need help managing their PII. See our full report on the rates of PII and PCI here.

Stringent data protection mandates

APP 11  states that organizations must take reasonable steps  to protect personal information they hold from misuse, interference, and loss, as well as from unauthorized access, modification, or disclosure.  Organizations are also obligated to destroy or de-identify personal information in certain circumstances.

By maintaining a comprehensive data inventory, entities can enhance their ability to monitor, control, and respond to potential risks, thus fortifying their defense against privacy breaches. This underscores a proactive approach to privacy management, requiring entities to assess the ongoing necessity of retaining certain data and responding appropriately to mitigate risks associated with prolonged storage.

Respecting data access rights

APP 12 mandates that organizations holding personal information must provide individuals access to their data upon request.

By maintaining a comprehensive inventory of the data you hold, organizations can more effectively respond to consumer requests for access to their personal information. This not only ensures compliance but also fosters transparency and trust between organizations and their customers.

Mandatory data breach notification

In the aftermath of a data breach, swift and strategic action is paramount. One of the critical steps in this process is the identification of compromised data and a comprehensive understanding of its implications. This knowledge not only forms the basis for an effective response but is also essential in meeting legal requirements, particularly mandatory data breach notification schemes like the one that will be introduced in Western Australia.

By leveraging the capabilities of the RecordPoint Platform, organizations can transform their data breach response from a reactive scramble to a proactive, well-informed process. It's not just about responding to incidents; it's about doing so while ensuring compliance with legal frameworks, and, most importantly, safeguarding the trust and privacy of stakeholders.

Empowering responsible data sharing

The upcoming legislation will place significant emphasis on governing inter-departmental data sharing with the introduction of 'Responsible Sharing Principles' (RSPs). The primary goal? Safeguarding the personal information of Western Australians while optimizing the delivery of services to the WA public.

Where should you start? A comprehensive data inventory

A crucial step to ensuring compliance with regulation is maintaining a comprehensive understanding of the information held, how it's stored, and who has access to it. This is where a data inventory tool becomes invaluable. By categorizing records containing personal information, you can identify redundant or outdated data, facilitating its secure destruction when no longer required. This proactive approach not only reduces the risk and impact of data breaches but also ensures that personal information is retained only for as long as necessary.

RecordPoint can help organizations redefine how they approach data governance. It's not just about meeting legal requirements; it's about doing so in a way that prioritizes privacy, upholds responsible privacy principles, and contributes to a more efficient and secure information exchange landscape for the benefit of all Western Australians.