Privacy Policy Goal
To protect the privacy of families and ensure compliance with the Privacy Act 1988 (Cth) (Privacy Act) and the 13 Australian Privacy Principles (APP’s) by ensuring that personal and sensitive information (which includes health information) about individual children and families is only collected, held, used and disclosed in accordance with this policy and the Privacy Act.
This policy is in addition to the Privacy of Digital Records and the Retention of Records Policy which set out the service’s responsibility to maintain confidentiality in areas not specifically covered by the Privacy Act (for example in relation to colleagues or management of the service), and obligations under the Education and Care Services National Regulations.
Rationale
This policy exists to ensure that our service takes reasonable steps to comply with the Privacy Act and the APP’s.
As a necessary part of the provision of education and care to children, the service regularly collects, holds, and uses both personal information and sensitive information (including health information) about children or their families.
Reasonable steps to implement practices, procedures and systems to ensure compliance with the Privacy Act and the APP’s
The Privacy Act requires the service to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the Privacy Act and the APP’s and to ensure that it is able to deal with any privacy inquiries and complaints
In satisfaction of this requirement, the service will:
- Ensure that all staff of the service and parents of children enrolled with the service are aware of the content of this policy by upon employment/orientation and have access to this policy at all times. Information related to this policy may also be communicated using other means such as newsletters, noticeboards and written or electronic communication methods
- Recognise the potential for privacy breaches as a major risk and will continually, consider, identify and manage privacy risks at each stage of the information lifecycle, including the stages of collection of information, use, disclosure, storage, destruction or de-identification. An annual review of how data is collected, stored and destroyed will occur and a risk management approach will be used to identify modifications
- Implement security systems for protecting personal and sensitive information from misuse, interference and loss and from unauthorised access, modification or disclosure. This may include the use of locked locations or passwords to protect electronic data.
- Supervise staff who have access to personal and sensitive information and will provide mentoring and advice in relation to this policy and the APP’s.
- Ensure visitors are supervised and monitored in order to ensure compliance with this policy.
- Develop and adopt a Data Breach Response Plan;
- Review the adequacy and currency of this policy and the privacy practices and procedures of the service on a regular basis and this policy will be updated to reflect any amendments or improvements required; and
- Ensure this policy is available at all times to any person who requests it, free of charge, as soon as reasonably practicable after the request is made.
- Ensure a copy of this policy is included in the family orientation documentation
What is personal and sensitive information?
In this policy, the words ‘personal information’ have the meaning given to them in the Privacy Act, which is: “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
In this policy, the words ‘sensitive information’ have the meaning given to them in the Privacy Act which is:
- (a) information or an opinion about an individual’s:
- (i) racial or ethnic origin; or
- (ii) political opinions; or
- (iii) membership of a political association; or
- (iv) religious beliefs or affiliations; or
- (v) philosophical beliefs; or
- (vi) membership of a professional or trade association; or
- (vii) membership of a trade union; or
- (viii) sexual orientation or practices; or
- (ix) criminal record;
that is also personal information; or
- (b) health information about an individual; or
- (c) genetic information about an individual that is not otherwise health information; or
- (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- (e) biometric templates.
The Privacy Act imposes greater restrictions on the collection, holding, use or disclosure of sensitive information than it does on non-sensitive personal information.
Families will generally expect that their sensitive information will be given a higher level of protection by the service. For this reason, great care must be taken to protect the privacy of sensitive information such as health information, financial information, information about race or religion or disabilities.
Kinds of personal and sensitive information collected and held by the service
As a necessary part of providing an education and care service, the service collects and holds personal and sensitive information (including health and financial information) about children and their families by completion of a variety of forms and records on the enrolment of a child with the service, and ongoing as education and care is delivered.
This includes information required on child enrolment forms including:
- Language used in the child’s home;
- The name, address and contact details (telephone numbers and email addresses) of:
- (a) each known parent of the child;
- (b) any person who is to be notified of an emergency involving the child if any parent cannot be immediately contacted;
- (c) any person who is an authorised nominee under Regulation 160; (d) any person who is authorised to consent to medical treatment of, or to authorise administration of medication to the child; and
- (e) persons who are authorised to provide written authorisation for an educator to take the child outside the education and care service premises; such as on an excursion
- Details of any court orders, parenting orders or parenting plans relating to a child;
- Details of any other court orders provided to the service relating to a child’s residence or contact with a parent or other person;
- Gender of the child;
- Language used in the child’s home;
- Cultural background of the child and, if applicable, the child’s parents;
- Any special considerations for the child, for example, any cultural, religious or dietary requirements or additional needs;
- Authorisations required by National Regulations 161 (consent to medical treatment, transport and regular outings);
- Health information required by National Regulation 162 including:
- (a) the name, address and telephone number of the child’s registered medical practitioner or medical service;
- (b) if available, the child’s Medicare number;
- (c) details of any specific healthcare needs of the child including any medical condition and allergies including whether the child has been diagnosed as at risk of anaphylaxis;
- (d) any medical management plan, anaphylaxis medical management plan or risk minimisation plan to be followed with respect to specific healthcare need, medical condition or allergy;
- (e) details of any dietary restrictions for the child; and
- (f) if the approved provider of staff member has sighted the health record for the child, a notation to that effect;
- Information relating to the child’s immunisation or relevant exemptions;
- Records and documentation of child assessments or evaluations for delivery of education program;
- Incident, injury, trauma and illness records;
- Medication records;
- Children’s attendance records (including the date and time each child arrives and departs);
- Any other records collected and stored for the direct purpose of delivering education and care; and
- Any communication methods shared by the family or authorised contacts including, but not limited to email, Facebook and other social media platforms.
Information about Staff
As a necessary part of providing an education and care service and ensuring the health, safety and wellbeing of staff, students and volunteers, the service collects and holds personal and sensitive information (including health and financial information) about staff by completion of a variety of forms and records, including those required under Regulation 145, 146, 147, 148, 149, 150, 151 and 152. Other records which may be collected and stored including, but are not limited to:
- Immunisation status
- Bank details for payment of wages
- Person details, change of name details, contact details and next of kin details
- Health and some relevant medical information
- Photo identification and working with children documentation
How the service collects and holds personal and sensitive information
Information may be collected electronically or in paper form from a family member or authorised contact in an enrolment form and a range of other associated service forms. Information may be stored in the following ways:
- Entered into a third-party software such as a Child Care Subsidy System package which communicates directly with the Australian Government for the purpose of administrating the Child Care Subsidy.
- Entered into databases or files on a service computer
- Stored in paper form in locked filing cabinets, cupboards or in rooms with a lockable door.
Information about staff details may be collected, prior to employment, at the time of employment and during employment both electronically and in paper form. Information may be stored in the following ways:
- Entered into a third-party software with password protection such as a Child Care Subsidy System package which communicates directly with the Australian Government for the purpose of administrating the Child Care Subsidy
- Entered into third-part software with password protection for the purposes of payroll
- Entered into databases or files on a service computer
- Stored in paper form in locked filing cabinets, cupboards or in rooms with a lockable door.
The purposes for which personal information is collected, held, used and disclosed
The service collects, uses and discloses personal information directly from parents and staff for the purposes of:
- registering and maintaining the enrolment of children with the service [including an electronic database of customers of the service];
- compliance with the requirements of the Education and Care Services National Law (National Law) and Education and Care Services National Regulations (National Regulations), National Quality Standards, Family Assistance Law and where applicable relevant Child Safety Legislation;
- effective management and administration of the service;
- the provision of education and care services to children enrolled with the service;
- the organisation and management of events and activities;
- performing the functions of an approved education and care service in accordance with all laws;
- providing information to the Australian Government or the Government of the State or Territory in which the service is situated including child protection agencies as requested or by the service’s own volition if thought appropriate for the purposes of compliance with all laws;
- compliance with Australian Tax and Superannuation laws;
- delivering a safe workplace under the Workplace Health and Safety Regulations;
- the provision of payments for employment purposes;
- ensuring compliance with relevant State laws in relation to working with children checks;
- sharing of information with families at the service which may also market the service through social media or web-based programs, newspapers or magazines, only with written permission from families upon enrolment;
Disclosure of personal information
The service discloses personal information to:
- Australian Government for the purposes of the Family Assistance Law and to regulatory authorities of the service and their authorised officers;
- Where appropriate, child protection agencies;
- to staff or medical practitioners or other health care or emergency service professionals to the extent necessary for the education and care or medical treatment of the child to whom the information relates;
- the Australian Taxation Office and application Superannuation organisations in relation to employment at the service;
- Authorised Officers under the Education and Care Services National Law and Regulations
We will not disclose identifying personal information to third parties for the purposes of marketing products or services to you.
Disclosure of personal information to persons not in Australia or an external territory
Information will not be directly or purposefully disclosed to persons not in Australia. Information man be shared on social media or other external platforms, but would only be done so with written permission by the parent of the child or the staff member.
Quality of personal information
The service must ensure that the personal and sensitive information it collects and holds is accurate, up to date, and complete. Families and staff are asked to update details in writing when their circumstance change.
Security of personal information
In accordance with National Regulation 183, records and documents of the service must be stored in a safe and secure place.
The service takes reasonable steps to protect all information it holds from misuse and loss and from unauthorised access, modification or disclosure. The service applies a range of technologies (including access control passwords and procedures differentiated according to the authority of the service staff member, network firewalls, encryption and physical security of paper records) to protect the privacy of children, families and the staff at the service.
In accordance with National Regulation 183 the Service will keep records and documentation for the following periods:
(a) if the record relates to an incident, illness, injury or trauma suffered by a child while being educated and cared for by the service, until the child is aged 25 years;
(b) if the record relates to an incident, illness, injury or trauma suffered by a child that may have occurred following an incident while being educated and cared for by the service, until the child is aged 25 years;
(c) if the record relates to the death of a child while being educated and cared for by the service or that may have occurred as a result of an incident while being educated and cared for, until the end of 7 years after the death;
(d) in the case of any other record relating to a child enrolled at the education and care service, until the end of 3 years after the last date on which the child was educated and cared for by the service;
(e) if the record relates to the approved provider, until the end of 3 years after the last date on which the approved provider operated the service;
(f) if the record relates to a nominated supervisor or staff member of the service, until the end of 3 years after the last date on which the nominated supervisor or staff member provided education and care on behalf of the service; and
(g) in the case of any other record, until the end of 3 years after the date on which the record is made.
In accordance with National Regulation 183, records and documents of the service must be stored in a safe and secure place.
The service takes reasonable steps to protect all information it holds from misuse and loss and from unauthorised access, modification or disclosure. The service applies a range of technologies (including access control passwords and procedures differentiated according to the authority of the service staff member, network firewalls, encryption and physical security of paper records) to protect the privacy of children, families and the staff at the service.
In accordance with National Regulation 183 the Service will keep records and documentation for the following periods:
The service will destroy or permanently unidentify any personal or sensitive information which is no longer needed for its intended purposes after expiry of the timescales for the keeping of records in accordance with the National Law and National Regulations from time to time.
How you may access personal information the service holds about you and seek its correction if necessary
Individuals may access personal information held about them and seek its correction if it is incomplete, inaccurate or out of date, by contacting the service in writing.
How you may complain about a breach of this Policy or the APP’s and how the service will deal with your complaint
Individuals are able to complain about a breach of the APP’s by the service by writing to the address set out below stating the nature of your complaint.
Upon receipt of your complaint the service will acknowledge receipt of the complaint in writing within 5 working days, respond to your complaint within a reasonable period of time, advise the Approved Provider of receipt of your complaint and the response provided to you.
Our contact information
If you have any questions, please contact us here.

