AI and WA's PRIS Act: what Perth agencies and businesses must know

Western Australia's first public sector privacy law, the PRIS Act, comes into force on 1 July 2026, just as agencies start feeding personal information into AI tools. Here is where the two collide, and what agencies and the Perth businesses serving them should do now.

Josh·Founder·6 min read·4 June 2026

On 1 July 2026, Western Australia finally gets a public sector privacy law. The Privacy and Responsible Information Sharing Act 2024, usually shortened to the PRIS Act, sets binding rules for how WA government agencies collect, use, store and share personal information. It lands at the exact moment those same agencies are quietly feeding that information into AI tools. The two are on a collision course, and most people have not connected them yet.

If you run a Perth organisation, this matters whether you are an agency, you sell to one, or you are simply watching where Australian privacy law is heading.

One note before we start. This is general information from a team that does governance work, not legal advice. For your situation, talk to your privacy lawyer.

What the PRIS Act actually is

WA's public sector had long operated without a general privacy law of its own. The PRIS Act, together with the Information Commissioner Act 2024, changes that. Both received Royal Assent on 6 December 2024 (WA Government).

It does two things. First, it introduces 11 Information Privacy Principles, the IPPs, that govern the whole life of a piece of personal information, from collection through to destruction. They sit closer to Victoria's privacy regime than to the Commonwealth's Australian Privacy Principles. Second, it creates a Responsible Information Sharing scheme, so agencies can share data for public benefit, but only by following set principles for risk, transparency and decision making.

A new Office of the Information Commissioner, with a dedicated Privacy Deputy Commissioner, oversees all of it and reports straight to Parliament. It can investigate complaints and enforce the rules. Legal commentators note the Act allows compensation orders of up to $75,000 and fines for entities that ignore a compliance notice, so this is not a voluntary code.

Who it binds, and who it does not

The IPPs apply to WA public sector entities: government departments, local and regional governments, government trading enterprises, public universities, the Police Force, and courts and tribunals. Ministers are covered in their executive capacity.

Here is the part Perth businesses miss. A private company is not directly bound by the PRIS Act. But a contracted service provider can be pulled in when the government contract says the Act applies to it. So if you build, host or run anything that touches a WA agency's personal information, the right clause in your contract makes their obligations your obligations.

If you do not contract to government, you stay under the federal Privacy Act 1988, which already covers most private businesses. Either way the direction of travel is the same, and the federal regime is tightening too.

The timeline that matters

Per the WA Government:

  • 1 July 2025: the new officeholders started, to prepare for the laws.
  • 1 July 2026: the privacy and data sharing rules come into force.
  • 1 January 2027: agencies must report all serious data breaches to the Commissioner and to the people affected.

So the window is narrow. The IPPs bite from the middle of 2026, and mandatory breach reporting follows six months later.

Where AI quietly breaks the rules

This is the part nobody is talking about. The WA Government's own guidance does not mention artificial intelligence at all. But run the everyday ways agencies already use AI through the IPPs, and the conflicts are obvious.

Sending data overseas. This is the big one. Most mainstream AI tools, ChatGPT, Claude, Gemini and Microsoft Copilot among them, process and may store data on servers outside Australia. The IPPs restrict disclosing personal information outside WA unless a narrow set of conditions is met. A staff member pasting a resident's details into a public chatbot is, in plain terms, an overseas disclosure. Most agencies have no record it happened, let alone a lawful basis for it.

Collecting more than you should. The collection principle uses a strict "necessary" test, with fair collection and a plain language notice. AI features that vacuum up whole documents, transcripts or mailboxes to be helpful collect far more than the task needs, usually with no notice to the person.

Using data for a new purpose. Feeding personal information into an AI tool can be a use or a disclosure beyond the reason it was collected. If the tool learns from that input, that is a secondary use the person never agreed to.

Security and deletion. The security principle requires reasonable steps to protect information, and to destroy it once it is no longer needed. Hand data to a third party AI vendor and you inherit their retention, their access controls and their breach exposure. Shadow AI, meaning staff using personal accounts and tools nobody approved, makes any of this impossible to evidence.

The breach clock. From January 2027, a serious data breach has to be reported. An AI tool that exposes prompts, leaks data or is misconfigured is exactly the kind of incident that triggers it. If you cannot see what staff are putting into AI, you cannot tell whether you have had a breach to report in the first place.

None of this means agencies should ban AI. A blanket ban gets ignored within weeks and pushes the usage into the shadows. It means the AI has to be governed: known tools, known data flows, written rules, and controls that keep personal information out of the places the IPPs do not allow it to go.

If you sell to a WA agency

Expect procurement to change. Government contracts and tender questionnaires will increasingly ask how you handle personal information, where it goes, and which AI tools touch it. If your contract applies the PRIS Act to you, your AI stack and your vendors' offshore processing become your compliance problem, not just the agency's. The suppliers who can answer those questions cleanly will win the work. The ones who cannot will quietly fall off shortlists.

What to do before July 2026

The work is not exotic. It is the same governance discipline that has always separated a safe rollout from a risky one.

  1. Find out what AI your team actually uses, including the personal accounts and browser tools nobody approved. You cannot govern what you cannot see. An AI usage review is the honest starting point.
  2. Map where personal information flows, and flag anything that leaves Australia through an AI vendor.
  3. Write a short, usable AI policy that names the sanctioned tools and the data that must never go into them.
  4. Get the contract and vendor terms right, especially data residency and retention.
  5. Stand up an incident response path before the breach rules start in 2027, not after your first incident.

We do exactly this work. A data and privacy advisory review tells you where your data actually lives and who can reach it. AI data loss prevention keeps personal information out of the tools that would breach the IPPs. And a Fractional Chief AI Officer gives an agency or a growing business ongoing AI ownership without a full time hire.

The PRIS Act is not anti AI, and neither are we. But AI dropped into an agency with no governance is now a legal risk with a date attached. The agencies and suppliers that treat 1 July 2026 as a deadline, not a surprise, are the ones that will still be using AI confidently a year later.

If you want a straight read on where you stand, book a free consult and we will take a look.