Western Australia will appoint its first-ever Privacy Commissioner and introduce a mandatory data breach notification scheme similar to that of New South Wales as part of proposed new public sector privacy laws.
Attorney General John Quigley and Innovation and Digital Economy minister Stephen Dawson committed to the “once-in-a-generation” privacy reforms on Wednesday, following three years of consultation on the long-awaited legislation.
It comes just weeks after calls to introduce privacy laws intensified in the wake of the Optus data breach and revelations that WA Police will retain data collected by the G2G Pass border management system for at least 25 years.
The proposed changes will bring Western Australia – one of only two remaining jurisdictions without dedicated privacy legislation, the other being South Australia – into line with other states and territories – and in some cases surpass them.
“The Western Australian public is keener than ever to see their personal information safely and responsibly. After consulting extensively, we are confident our privacy reforms will be at the forefront of privacy protections nationally,” Mr Quigley said.
The state government is continuing to draft the necessary laws, protracting a process that first kicked off with the release of the 2016 Data Linkage Review chaired by the state’s chief scientist Professor Peter Klinken. It has not offered a timeline for when the laws will be introduced.
The legislation is expected to provide Western Australians with greater control over their personal information, while also enabling “data to be shared within government for the right reasons and provide greater accountability and transparency” over the use of data.
The new Privacy Commissioner – an independent statutory position – will provide a new pathway for individuals who believe their personal data has been incorrectly handled or shared to complain and seek resolution.
The position will be accompanied by the new whole-of-government role of chief data officer, which will be responsible for promoting “a culture of transparency, accountability and safe use for government-held information”.
The government first proposed both positions following its first round of consultations on the proposed privacy laws in 2019. A second round of consultations were conducted by the Department of Premier and Cabinet over the past three years.
The proposed mandatory data breach notification scheme, meanwhile, is a new commitment, and will require government agencies to notify the Privacy Commissioner and affected individuals of serious data breaches.
New South Wales is the only state or territory to have legislated a state-based mandatory data breach notification scheme to date, but similar proposals are also being considered in Queensland and Victoria.
