Gleneagle Kindergarten Centre

Privacy Policy

Policy Statement

We are committed to protecting the privacy and confidentiality of individuals by ensuring that sensitive information about individual children, families, team members and management is kept in a secure place and is only accessed by, or disclosed to, those people who need the information to fulfil their responsibilities at the centre or who have a legal right to know. This policy embodies that commitment and applies to personal information collected by our service.

Background and Guiding Principles

The following is required under the Education and Care Services National Regulations:

“Subdivision 4—Confidentiality and storage of records

- 181 – Confidentiality of records kept by approved provider
  - Information kept in a record must not be divulged or communicated, directly or indirectly, to another person other than:
    - Where necessary for medical treatment of a child
    - To a parent of a child
    - To the regulatory authority or authorised officer
    - Expressly authorised, permitted or required under any Act or law
    - With the written consent of the person who provided the information.”

We adhere to the requirements of the Information Privacy Principles contained within the Privacy Act and the Guidelines for Federal and ACT Government Worldwide Websites, issued by the Office of the Australian Information Commissioner and Privacy Commissioner.

“The Privacy Act defines ‘personal information’ as: Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

a. Whether the information or opinion is true or not; and

b. Whether the information or opinion is recorded in a material form or not.

The term ‘personal information’ encompasses a broad range of information. A number of different types of information are explicitly recognised as constituting personal information under the Privacy Act. For example, the following are all types of personal information:

- ‘sensitive information’ (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information)
- ‘health information’ (which is also ‘sensitive information’)
- ‘credit information’
- ‘employee record’ information (subject to exemptions), and
- ‘tax file number information’.

Common examples of personal information

1. Information about a person’s private or family life.
   - A person’s name, signature, home address, email address, telephone number, date of birth, medical records, bank account details and employment details will generally constitute personal information.

2. Information about a person’s working habits and practices.
   - A person’s employment details, such as work address and contact details, salary, job title and work practices.
   - Certain business information — for example, information about a loan taken out by a sole trader to purchase tools for their business, or information about utility usage — may be personal information about the sole trader.

3. Commentary or opinion about a person.
   - In certain circumstances, a referee’s comments about a job applicant’s career, performance, attitudes and aptitude are ‘personal information’ as they are information about that person. The referee’s comments may also be personal information about the referee given that they provide information about the referee’s views on a particular subject. Likewise, a trustee’s opinion about a bankrupt’s affairs and conduct can be personal information about both the bankrupt and the trustee.
   - An opinion about an individual’s attributes that is based on other information about them, such as an opinion formed about an individual’s gender and ethnicity, based on information such as their name or their appearance. This will be personal information about the individual even if it is not correct.
   - Information or opinion inferred about an individual from their activities, such as their tastes and preferences from online purchases they have made using a credit card, or from their web browsing history.”[1]

“Why do ECEC services have to comply with privacy law?
Under Australia’s privacy law, ECEC services are deemed as health service providers, which puts them in the category of an “Australian Privacy Principle (APP) Entity”. Under Australian law, all APP entities are bound by the Act and must comply with it.

Your responsibilities
In order to comply with the Privacy Act, ECEC services are required to follow the Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act).

The APPs outline how ECEC services (and other relevant businesses) must handle, use and manage the personal information of their clients. In particular, the principles cover how personal information can be used and disclosed (including overseas), keeping personal information secure, and the open and transparent management of personal information including having a privacy policy.

The new law introduces a Notifiable Data Breaches (NDB) scheme that requires all businesses regulated by the Privacy Act (including ECEC services) to provide notice to the Office of the Australian Information Commissioner (formerly known as the Privacy Commissioner) and affected individuals of any data breaches (i.e. data leaks) that are “likely” to result in “serious harm”.”[2]

“What should you do if you become aware of a serious data breach?
When a business/organisation becomes aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Office of the Australian Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach. You can find out more about the Notifiable Data Breaches scheme, and the mandatory notification process here.

Definition of eligible data breach

An eligible data breach arises when the following three criteria are satisfied:

- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
- this is likely to result in serious harm to one or more individuals and
- the entity has not been able to prevent the likely risk of serious harm with remedial action”

If there is a possible data breach, the service must seek further information from the Office of the Australian Information Commissioner; details can be found at
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches#key-points

Where a notifiable data breach has been determined, the service must use the Notifiable Data Breach Form located at
https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB

“An entity must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach (s 26WH(2)).

The Commissioner expects that wherever possible entities treat 30 days as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time.

Where an entity cannot reasonably complete an assessment within 30 days, the Commissioner recommends that it should document this, so that it is able to demonstrate:

- that all reasonable steps have been taken to complete the assessment within 30 days
- the reasons for the delay
- that the assessment was reasonable and expeditious”[3]

Procedures and Responsibilities

Leadership, management and staff are required to work together to ensure the confidentiality and correct use of personal information collected for the purpose of operating an education and care service.

Legislation, Recognised Authorities and Sources

- “Guide to the National Quality Framework” Australian Children’s Education & Care Quality Authority Oct 2023
- Education and Care Services National Law Act 2010 (version Nov 2023)
- Education and Care Services National Regulations (version Oct 2023)
  - 168 Education and care service must have policies and procedures
  - 170 Policies and procedures to be followed
  - 171 Policies and procedures to be kept available
  - 172 Notification of change in policies or procedures affecting ability of family to utilise service
  - 181 Confidentiality of records kept by approved provider
  - 183 Storage of records and other documents
- National Quality Standards
  - 1.3.3 Information for families
  - 2.2.2 Health practices and procedures
  - 2.2.3 Child protection
  - 4.2 Professionalism
  - QA6 Collaborative partnerships with families and communities
  - QA7 Governance and Leadership
- Office of the Australian Information Commissioner (OAIC) – Australian Government https://www.oaic.gov.au/
- ACSC Australian Cyber Security Centre https://www.cyber.gov.au/
- “Responding to data breaches – four key steps” Office of the Australian Information Commissioner (accessed on-line Feb 2024) https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-3-responding-to-data-breaches-four-key-steps