Speeches

Thank you, Attorney General, for opening our event this morning and supporting the work of my office. It is exciting to be working in the state with the most advanced privacy law in the country, as the Attorney General said, and leading the office responsible for regulating the Privacy Responsible Information Sharing Act. 

As a small token of our appreciation and in support of Privacy Awareness Week, we have a small gift for the Attorney General to help protect your data when charging your device in public spaces. I might ask the Attorney General to come back on stage. 

I would like to welcome all of our guests this morning. We've had a huge demand. For your colleagues who have missed out on attending, we'll be distributing afterwards this presentation and some of the materials we have produced for the sessions later today. Going forward, this marvellous venue will not only support large in-person events such as this today, but also online events in the near future. We've finally been advised by the Department of Housing and Works that this room will be upgraded in July to enable online events with video conferencing facilities being installed. So next time, we'll be able to have combined in-person and online events in our venue. 

Privacy Awareness Week, commonly known as PAW, is an annual event first run in 2006 and is supported by the Asia Pacific Privacy Authorities. As such, this is the 20th year of PAW regionally and the first in Western Australia. 

In my keynote, I'd like to give you an overview of our new identity and office and address my office's current priorities. I'll also take you through my top four reasons why privacy matters and then introduce the PAW theme this year. I'll conclude by sharing some of our resources, including the launch of our new information sheet on automated decision-making. 

In February this year, we launched our new identity. We have the same name as the previous Office of the Information Commissioner, but now have a dual mandate, privacy and freedom of information. So, it was important for our office to launch our new identity. There are other state-based privacy regulators in Australia and around the world with similar names. Our new identity clearly needed to show that we are the regulator in Western Australia. Our tagline describes the outcomes we are focused on fostering in the sector through privacy and freedom of information, namely trust and accountability. And that was heavily reinforced by the Attorney General in his opening remarks as well. 

Our brand story is on our website, and I've included it on the slide. In particular, our new identity communicates our jurisdiction of WA to minimise confusion with our equivalent counterparts in other jurisdictions. We serve the people of WA. We represent the intersection of privacy and freedom of information, showcasing the connection between our functions through colour. It shows the flow of information between people and government through movement of the gradient and signifies technology and progression. 

My new office commenced on the 1st of July last year and 19 staff were transferred from the previous Office of the Information Commissioner. I, myself moved from the east coast of Australia and took up this inaugural role on the 28th of July last year. 

My new office has expanded functions across privacy and FOI. And as the Attorney General said, whilst WA is the last state in Australia to implement privacy requirements, the Privacy and Responsible Information Sharing Act is the most advanced in Australia. In some respects, it's also quite advanced globally and, in some respects, it's leading in certain provisions. 

I'm setting up the privacy team from ground zero. From the 1st of July 2026, most of the provisions in the PRIS Act commence, and then from the 1st of January 2027, the notifiable information breach scheme. 

There are three statutory roles in the office appointed by the Governor and reporting to Parliament. The first is my role as Information Commissioner and CEO, and also the Information Access Deputy Commissioner and Privacy Deputy Commissioner. 

The Attorney General announced the appointment of my new deputies earlier this year. Nina Skewes, my Privacy Deputy, who commenced on the 27th of January this year, and Patrick Ky, my Information Access Deputy, who commenced on the 23rd of February this year. They will introduce themselves to you in the next panel event. 

I acknowledge the extensive work undertaken by the former PRIS committee led by the Department of Premier and Cabinet in the years leading up to the establishment of my office and its work in building a privacy community. Today, my office is pleased to continue that work through the launch later today of the Privacy Community of Practice. Thank you to those agencies contributing their experiences preparing for PRIS in that session later today. 

Data is the lifeblood of any organisation. It can be an asset or a liability, depending on how it is managed. Later today, I'll be hosting a roundtable discussion with agency leaders on managing privacy risks and what an organisation-wide privacy accountability framework looks like. 

Not only is my office preparing the state for privacy maturity uplift, I'm also ensuring my office is prepared from a people, technology and process perspective with our own internal transformation activities. Indeed, later this week we will have another round of recruitment, particularly focused on investigation and conciliation roles. So just in case you're interested, or if you know colleagues who might be interested in joining my office, opportunities are coming. 

We're also taking steps to address our FOI backlog to ensure we can serve as many agencies and citizens as efficiently as possible. Our new queue management policy was released in January and is available on our website. 

In this day and age, people ask, does privacy matter? And I say it does, more so than ever for these reasons. The first is that technological advances impact our personal information at scale. AI is being built on massive amounts of data. We live in a world where it is harder to forget information than remember it. Our ancestors struggled to retain knowledge and record it. Today, we struggle to delete data that is no longer needed and hampers our own ability to change and forget our past mistakes. We are in an era of mass customisation, where we have combined the individual bespoke tailoring capabilities of the pre-industrial era with the mass production capability of the industrial era to produce mass customisation based on our data. 

Secondly, privacy fosters a free and open society. Interference with privacy not only leads to individual harm, but can impact our societies, our elections, our democracy. This was seen in the landmark actions privacy regulators globally took against Facebook and Cambridge Analytica for inappropriate use of personal information for political advertising; including in Australia where the Office of the Australian Information Commissioner agreed on a $50 million settlement with Facebook distributed to affected Australians. 

Thirdly, an increasing number of data breaches. The more data we keep, the more technology we use, the more data breaches we have when privacy and security are not front of mind. In Australia alone, in 2025, the average cost of a data breach was $3.5 million, based on the annual Ponemon Institute study, which was done in conjunction with IBM last year. These surveys have been running for 20 years.

Finally, privacy facilitates trusted innovation. We have food safety regulations so that we can be confident we won't get sick when we buy milk and other food items. We have product safety regulations so we can trust when we switch on our lights we won't get electrocuted. We have car safety regulations so we can be more confident that we won't die in a crash. Likewise, effective privacy laws help citizens have confidence that using digital technology won't harm us. 

Turning to our digital and AI theme, you will see we have an AI generated image for PAW this year, which is a reflection on automated decision-making. I particularly like this year's theme as it is focused on AI. And what better jurisdiction to focus on this theme than here in Western Australia where we have the first automated decision-making law in Australia regulating personal information, IPP 10. 

I'm really excited to launch our new information sheet on automated decision-making when handling personal information. Those handouts are on your chairs. IPP10 applies where a significant decision is made impacting on an individual's life, opportunities, well-being, rights, interests, entitlements, liabilities or otherwise. In those circumstances, risks of harm, bias, discrimination and privacy need to be addressed. Our information sheet also includes tips on how regulated entities can better manage their use of automated decision-making, including maintaining a register of automated decision-making processes and ensuring staff using automated decision-making understand its potential limitations, biases and circumstances where human oversight and intervention is required. 

We have many resources already available on our website. We have the plain english Information Privacy Principles. We also have frequently asked questions about PRIS. And we change this depending on the inquiries that we receive through our hotline. We've also released transitional guidance for regulated entities and members of the public. What this guidance shows is what IPPs apply to personal information collected before and after the 1 July start date. We've done that from both perspectives for members of the public and regulated entities. 

We've also recently released our privacy policy, which can be used as a guide to help inform your own policies. But remember, privacy policies have to reflect your own agency's operations. So there's no point cutting and pasting someone else's policy, even a good one like ours. 

We've released the information sheet on privacy and accountability in automated decision-making today, and we've also released a brochure for members of the public on what are my privacy rights, which you'll also find on your chairs. Coming soon, we'll have guidance on contracted service providers and how those arrangements with agencies work. We’re still working with Treasury and Finance to ensure there is appropriate standardised language for those contracts when negotiating with your contracted service providers. 

We have a number of ways in which you can keep in touch with our office. Our main communication channel is our e-newsletter, which we release on a monthly basis. If you're not already subscribed to that, you can use that QR code to subscribe. We're also increasing our social media presence, we have a profile on LinkedIn as well. 

Importantly, I would like to give a shout out to all my staff who have been working tirelessly over the last few weeks to make this day a success. Particular thanks to my deputies and privacy policy staff. My director of business services, business manager, systems administrator, coordinator of training, strategy and design, communications officer, our enquiries officers, our administrative officer and our intern. Last, but not least, my executive assistant, a meticulous event manager as well. 

I hope you enjoy the sessions you'll be participating in today. I would now like to invite to the stage Megan Ashford, Senior Assistant State Solicitor from the State Solicitor’s Office, our moderator for the panel with my deputies. 

Thank you.