NQS
QA4 |
4.2.2 |
Professional standards – Professional standards guide practice, interactions and relationships. |
QA5 |
5.1.2 |
Dignity and rights of the child – The dignity and rights of every child are maintained. |
QA7 |
7.1.2 |
Management systems – Systems are in place to manage risk and enable the effective management and operation of a quality service. |
National Regulations
Regs |
181 |
Confidentiality of records kept by approved provider |
|
181-184 |
Confidentiality and storage of records |
Aim
Privacy Statement
Our service recognises that every individual has the right to ensure their personal information is accurate and secure, and only used or disclosed to achieve the outcomes for which it was initially collected. Personal information will be managed openly and transparently in a way that protects an individual’s privacy and respects their rights under Australian privacy laws.
Related Policies
Educator and Management Policy
Record Keeping and Retention Policy
Social Media Policy
Implementation
Service practices in relation to the Collection, Disclosure, Storage and Use of personal information outlined in this Policy are consistent with the Australian Privacy Principles, and apply where relevant to the personal information of our children, families, staff and volunteers.
Our Privacy Notice and Disclosure Statement are at the end of this Policy.
Collection of personal information
We collect personal information if it is necessary for us to carry out Service operations or to comply with our legal obligations. This includes information to promote learning under the Early Years Learning Framework, and information required to comply with the National Education and Care Law and Regulations, Employment Laws, State/Territory Health Laws (eg immunisation requirements), and other Government laws.
Personal information includes name, address, date of birth, gender, family contact details, emergency contact details, authorised nominee details, parents’ occupations, cultural background, home language, religious beliefs, payment details, child care benefit information, immunisation records, medical information, medical management plans, photos of children and family members and information about children’s strengths, interests, preferences and needs, including special needs. Personal information also includes “government related identifiers” like Medicare numbers and Child Care Subsidy references.
In relation to enrolling children, the Approved Provider or Nominated Supervisor will:
- explain what personal information we need to collect, why we need to collect it, whether the information is required or authorised by Law and how it may be shared.
- advise families about our Privacy and Confidentiality Policy and how to access it.
- attach a copy of our Privacy Notice to our Enrolment Form and other forms we use to collect personal information.
- verbally advise children’s emergency contacts and authorised nominees that we have some of their personal information on file and explain the advice in the Privacy Notice.
- explain the advice in the Privacy Notice to individuals who provide personal information verbally (eg by phone).
We usually collect personal information directly from a parent or guardian either in writing or verbally, for example during enrolment, when completing waiting list applications, or as we establish a partnership with families in caring for and educating a child. We may also collect information through our website, social media page, Family Law court orders or agreements, special needs agencies and training courses.
We may occasionally request information from other organisations which you would reasonably agree is necessary for us to educate and care for a child. For example, we may request a copy of a child’s immunisation records where they are transferring to us from another Service, or where we request information about a child from a special needs educator or organisation. We will not request information without obtaining the consent of the individual (or parent) concerned.
In most cases, if we are unable to collect relevant personal information, we will be unable to enrol a child at the Service.
In relation to staff and volunteers, the Approved Provider or Nominated Supervisor will during the recruitment or engagement process:
- explain what personal information we need to collect, why we need to collect it, whether the information is required or authorised by Law and how it may be shared
- advise staff and volunteers about our Privacy and Confidentiality Policy and how to access it.
The Approved Provider or Nominated Supervisor will advise individuals about any unsolicited personal information we receive from other organisations and keep because it is directly related to our functions and activities (unless we are advised not to by a Government authority). The Approved Provider or Nominated Supervisor will destroy any unsolicited personal information that is not directly related to our Service operations unless it adversely impacts the health, safety and wellbeing of a child or children at the service. If this happens the Approved Provider or Nominated Supervisor will contact the appropriate Government authorities and take action as directed while protecting the confidentiality of the individuals concerned.
Use or disclosure of personal information
We will not use personal information for any purpose that is not reasonably needed for the proper or effective operation of the service. Personal information may be accessed by and exchanged with staff educating and caring for a child or by administrative staff.
We do not disclose your personal information to others unless you would have reasonably expected us to do this or we have your consent. For example, personal information may be disclosed to:
- emergency service personnel so they can provide medical treatment in an emergency
- special needs educators or inclusion support agencies
- volunteers, trainees and work experience students (with consent)
- trainers or presenters if children participate in special learning activities
- organisations related to the Service (eg other Services)
- another Service to which a child is transferring where you have consented to the transfer.
- the new operator of the Service if we sell our business and you have consented to the transfer of enrolment and other documents listed in Regulation 177 of the National Education and Care Regulations.
We may disclose personal information where we are permitted or obliged to do so by an Australian law. For example, personal information may be disclosed to:
- authorised officers when our service is assessed and rated under the National Education and Care Law and Regulations
- Government employees eg for Child Care Subsidy, Immunisation status, or employment related purposes
- software companies that provide child care management systems
- management companies we may engage to administer the Service
- software companies that provide tailored computer based educational tools for children
- lawyers in relation to a legal claim.
- officers carrying out an external dispute resolution process
- a debt collection company we use to recover outstanding fees
- authorities if we are taking action in relation to unlawful activity, serious misconduct, or to reduce or prevent a serious threat to life, health or safety.
We do not disclose personal information to any person or organisation overseas or for any direct marketing purposes.
Quality of personal information
The Approved Provider or Nominated Supervisor will take reasonable steps to ensure the personal information we collect, use and disclose is accurate, current and complete. Educators and staff will:
- view original sources of information if practical when information is collected.
- collect and record personal information in a consistent format, for example using templates for enrolment, incident, injury, trauma and illness and administration of medication.
- record the date personal information was collected or updated.
- update information in our physical or electronic records as soon as it’s provided.
In addition the Approved Provider or Nominated Supervisor will:
- regularly remind families via newsletters, emails or through displays on the Service notice board to update their personal information including emergency contact details and their child’s health information.
- ask parents to update their enrolment details annually, or whenever their circumstances change.
- verify the information is accurate, current and complete before disclosing it to any external organisation or person.
- ensure documentation about children and families is based on facts and free from prejudice
- check contact details for staff and volunteers are current, including next of kin, at least annually.
Security of personal information
The Approved Provider or Nominated Supervisor will take reasonable steps to protect personal information from misuse, interference and loss, unauthorised access, modification or disclosure. These steps include:
- taking responsibility for the security of personal information and regularly checking the practices implemented to protect it. This will include management of access privileges to ensure only people who genuinely need to see personal information can access it.
- ensuring information technology systems have appropriate security measures including password protection, anti-virus and ‘malware’ software, and data backup systems.
- ensuring physical repositories of personal information are secure in a lockable filing cabinet or room which is locked when a Responsible Person is not present.
- ensuring all educators and staff are aware of their obligations in relation to the collection, use and disclosure of personal information, through activities like mentoring, staff meetings or on-line training courses.
- requiring all educators, staff, volunteers and work experience students to sign a ‘Confidentiality Statement’ acknowledging that personal information:
- can only be accessed if it is necessary for them to complete their job
- cannot be disclosed to other organisations (including colleges, RTOs) or discussed with individuals outside the service including personal family members unless they have written consent from the person (or parent) concerned.
- must be stored in compliance with service practices which safeguard its security.
- ensuring records which we don’t need to keep, including unsuccessful job applications and records which fall outside the record keeping timeframes under the National Education and Care Law and Regulations (refer to our Record Keeping and Retention Policy) are destroyed in a secure way as soon as possible by, for example, shredding, incinerating or permanently deleting electronic records including archived or back-up copies.
- making sure employees and other relevant persons only have access to the personal information required to do their job
- ‘de-identifying’ personal information which may come into the public domain. For example, removing identifying names or details from newsletters etc.
- ensuring staff comply with our Social Media Policy (for example by obtaining authorisation from a child’s parents before posting any photos of their child on the Service social media page, and not posting personal information on any social media page which could identify children or families.)
- ensuring confidential conversations with parents or with staff are conducted in a quiet area away from other children, parents and staff.
Breaches of Personal Information
The Approved Provider or Nominated Supervisor will implement the Service’s Data Breach Response Plan and notify individuals and the Australian Information Commissioner (the Commissioner) if personal information is lost (hard copies or electronic), accessed or intentionally/unintentionally disclosed without authorisation, and this is likely to cause one or more persons serious harm.
Data Breach Response Plan
Employees must notify the Approved Provider or Nominated Supervisor about a breach or suspected breach of personal data as soon as they suspect the breach or become aware a breach has occurred. The Approved Provider or Nominated Supervisor will:
- quickly assess the situation to decide whether or not there has been a breach. This assessment must be completed within 30 days but given the potential for serious harm to individuals, should be completed as soon as possible
- record the nature of any data breach, and the steps taken to immediately contain the breach where possible and ensure it does not happen again. If necessary they will contact external experts for advice and guidance, for example on cybercrime (hacking) and information technology security measures like access, authentication, encryption and audit logs
- notify the Commissioner and the individuals where there is a risk of serious harm after a data breach
- liaise with their insurer to determine whether the insurance policy covers data breaches and any steps they need to take
- evaluate the effectiveness of their response to the data breach and implement improvements to the Plan if required after all notifications, records and remedial action are taken.
Serious harm
The Approved Provider or Nominated Supervisor will decide whether serious harm of a physical, psychological, emotional, financial or reputational nature is likely once fully informed about the type and extent of the breach. They will consider the type and sensitivity of the information, the type of security protecting the information if any (eg encryption) and how likely it is the information will be used to cause harm to individuals. Examples of the kinds of information that may increase the risk of serious harm include sensitive information like an individual’s health records, documents commonly used for identity fraud eg Medicare card, birth certificates and financial information.
The Approved Provider or Nominated Supervisor will also consider how long the personal information has been accessible because serious harm is more likely the longer it has been since the data breach.
Where a data breach occurs, there may be not always be a risk of serious harm. This may be the situation, for example, if a trustworthy person or organisation who has received personal information in error confirms they have not copied, and have permanently deleted the information, or where expert advice states it’s unlikely encrypted data can be accessed.
Where they are satisfied there is no risk of serious harm, the Approved Provider or Nominated Supervisor are not required to notify individuals or the Commissioner about the breach. They may choose to advise the individuals concerned about the breach and the action taken. The Approved Provider or Nominated Supervisor will however appropriate keep records about the breach.
Notifying the Commissioner
Where there is a risk of serious harm after a data breach, the Approved Provider or Nominated Supervisor will prepare a Statement for the Commissioner which includes the name and contact details of the Approved Provider or Nominated Supervisor, a description of the data breach (including date occurred and detected and who obtained information), the type of information involved (why it may cause serious harm), and the steps individuals at risk of serious harm should take in response to the breach (eg steps to request new Medicare card or credit card). The Approved Provider or Nominated Supervisor will get specialist advice about the recommended steps if required. They may use the Notifiable Data Breach Form available online from the Office of the Australian Information Commissioner to notify the Commissioner.
Notifying Individuals
Where there is a risk of serious harm after a data breach, the Approved Provider or Nominated Supervisor will notify individuals about the breach as soon as possible using the most appropriate communication methods for the individuals concerned eg a telephone call, SMS, physical mail, social media post, or in-person conversation. The information provided is the same as that required for the Commissioner. It might also explain steps the Service has taken to reduce the risk of harm to individuals. The Approved Provider or Nominated Supervisor may notify everyone whose personal information was part of the breach or only those individuals at risk of serious harm. If this is not possible or practical, they may publish a copy of the Statement, for example on their website or Facebook page, and take steps to ensure individuals at risk of serious harm see the publication.
Access to personal information
Individuals may request access to their (or their child’s) personal information and may request the correction of any errors. These requests may be made to the Nominated Supervisor or authorised company representative by telephoning, emailing or post to the centre location directly using the listed contact details.
Personal information will be provided as soon as possible, and no later than 30 days from a request. We will provide the information in the form requested, for example by email, phone, in person, hard copy or electronic record unless it is unreasonable or impractical to do this for example due to the volume or nature of the information.
The Approved Provider or Nominated Supervisor will always verify a person’s identity before providing access to the information, and ensure someone remains with the individual to ensure information is not changed or removed without our knowledge.
There is no charge for making a request to access the information. However, we may charge a reasonable cost for staff, postage and material expenses if the information is not readily available and retrieving the information takes a lot of time. We will advise you of the cost and get your agreement before we proceed.
There may be rare occasions when we are unable to provide access because we believe:
- giving access would be unlawful, the information relates to unlawful activity or serious misconduct, or it may prejudice the activities of a law enforcement body.
- there is a serious threat to life, health or safety.
- giving access would unreasonably affect the privacy of others.
- the request is frivolous or vexatious, for example to harass staff.
- the information relates to legal proceedings (eg unfair dismissal claim) between the Service and the individual.
- giving access would reveal sensitive information about a commercial decision.
We may, however, provide the information in an alternative way for example by:
- deleting any personal information which cannot be provided
- providing a summary of the information
- giving access to the information in an alternative format
- allowing the individual to inspect a hard copy of the information and letting them take notes.
We will advise you promptly if we are unable to provide access to the information, or access in the format requested. The advice will include the reasons for the refusal to provide the information (unless it is unreasonable to do this) and information about how to access our grievance procedure.
Correction of personal information
Individuals have a right to request the correction of any errors in their personal information. These requests may be made to the Nominated Supervisor or authorised company representative by telephoning, emailing or post to the centre location directly using the listed contact details.
The Approved Provider or Nominated Supervisor will take reasonable steps to correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading as soon as it is available. The Approved Provider or Nominated Supervisor will:
- take reasonable steps to ensure information supplied by an individual is correct.
- verify the identity of an individual requesting the correction of personal information.
- notify other organisations about the correction if this is relevant, reasonable or practical.
- advise the individual about the correction to their information if they are not aware.
- if immediately unable to correct an individual’s personal information, explain what additional information or explanation is required and/or why we cannot immediately act on the information provided.
- if unable to correct the information, include reasons for this (for example we believe it’s current) and inform the individual about our grievance procedure and their right to include a statement with the information saying they believe it to be inaccurate, out-of-date, incomplete, irrelevant or misleading.
- correct the information, or include a statement if requested, as soon as possible.
We will not charge you for making a request to correct their personal information or for including a statement with your personal information.
Complaints
If you believe we have breached Privacy Laws or our Privacy Policy may lodge a complaint with the Approved Provider or Nominated Supervisor by telephoning, emailing or post to the centre location directly using the listed contact details. The Approved Provider or Nominated Supervisor will follow the Service’s grievance procedure to investigate the complaint. Individuals who are unhappy with the outcome of the investigation may raise their complaint with the Office Australian Information Commissioner
www.oaic.gov.au GPO Box 5218 Sydney NSW 2001 or GPO Box 2999 Canberra ACT 2601, phone 1300 363 992 or email
enquiries@oaic.gov.au
Sources
National Quality Standard
Education and Care Services National Regulations
Privacy Act 1988 (includes Australian Privacy Principles)
United Nations Convention on the Rights of the Child
Review
The policy will be reviewed annually by:
- Management
- Employees
- Families
- Interested Parties
Reviewed: Feb 2021 Date for next review: Feb 2025
Disclosure Statement
We will not use personal information for any purpose that is not reasonably needed for the proper or effective operation of the service. Personal information may be accessed by and exchanged with staff educating and caring for a child or by administrative staff.
We do not disclose your personal information to others unless you would have reasonably expected us to do this or we have your consent. For example, personal information may be disclosed to:
- emergency service personnel where this is necessary to provide medical treatment in an emergency
- special needs educators or inclusion support agencies
- volunteers, trainees and work experience students (with consent)
- trainers or presenters if children participate in special learning activities
- organisations related to the Service (eg other Services)
- another Service to which a child is transferring where you have consented to the transfer.
- the new operator of the Service if we sell our business and you have consented to the transfer of enrolment and other documents listed in Regulation 177 of the National Education and Care Regulations.
We may disclose personal information where we are permitted or obliged to do so by an Australian law. For example, personal information may be disclosed to:
- authorised officers when our service is assessed and rated under the National Education and Care Law and Regulations
- Government employees eg for Child Care Subsidy, Immunisation status, or employment related purposes
- software companies that provide child care management systems
- management companies we may engage to administer the Service
- software companies that provide tailored computer based educational tools for children
- lawyers in relation to a legal claim.
- officers carrying out an external dispute resolution process
- a debt collection company we use to recover outstanding fees
- authorities if we are taking action in relation to unlawful activity, serious misconduct, or to reduce or prevent a serious threat to life, health or safety.
Privacy Notice
Personal information will be managed openly and transparently in a way that protects an individual’s privacy and respects their rights under Australian privacy laws.
We only collect or use personal information if this is needed to education and care to children at the service, or to comply with our legal obligations. We will take reasonable steps to make sure you know we have your personal information, how we got it and how we’ll handle it.
We collect most personal information directly from a parent or guardian. We may also collect information through our website, social media page, Family Law court orders or agreements, special needs agencies and training courses. We may occasionally request information from other organisations which you would reasonably agree is necessary for us to educate and care for a child.
The information collected includes information required under the National Education and Care Law and Regulations or needed to promote learning under the Early Years Learning Framework. This includes name, address, date of birth, gender, family contact details, emergency contact details, authorised nominee details, parents’ occupations, cultural background, home language, religious beliefs, payment details, child care benefit information, Medicare number, , immunisation records, medical information and medical management plans, photos of children and information about children’s strengths, interests, preferences and needs, including special needs.
We do not disclose personal information to others unless you would reasonably expect us to do this, we have your consent or we are complying with an Australian law.
We aim to keep the personal information we hold accurate, up-to-date and complete. This enables us to provide high quality education and care while ensuring the health and safety of children, and it is also important that we can contact you in the event of an emergency.
We have systems and practices in place to ensure personal information is secure and can only be accessed by those who need the information or may legally access it.
You have the right to access your personal information. There are some circumstances under Australian privacy laws where we may not be able to give you access. We will tell you if this is the case. There is generally no cost for accessing your information. We will tell you if there is a charge before providing access.
Our Privacy Officer for privacy matters, including complaints, may be made to the Nominated Supervisor or Approved Provider by telephoning, emailing or post to the centre location directly using the listed contact details. We will provide a copy of any updates to our Privacy and Confidentiality Policy via email and via the Parent Portal.