POLICY GOAL

To protect the privacy of families and ensure compliance with the Privacy Act 1988 (Cth) (Privacy Act) and the 13 Australian Privacy Principles (APPs) by ensuring that personal and sensitive information (which includes health information) about individual children and families is only collected, held, used and disclosed in accordance with this policy and the Privacy Act.

This policy is in addition to the Privacy of Digital Records and the Retention of Records Policy which set out the service’s responsibility to maintain confidentiality in areas not specifically covered by the Privacy Act (for example in relation to colleagues or management of the service), and obligations under the Education and Care Services National Regulations.

RATIONALE

This policy exists to ensure that our service takes reasonable steps to comply with the Privacy Act and the APPs.

As a necessary part of the provision of education and care to children, the service regularly collects, holds, and uses both personal information and sensitive information (including health information) about children or their families.

Reasonable steps to implement practices, procedures and systems to ensure compliance with the Privacy Act and the APPs

The Privacy Act requires the service to take reasonable steps to implement practices, procedures and systems that will ensure compliance with the Privacy Act and the APPs and to ensure that it is able to deal with any privacy inquiries and complaints.

In satisfaction of this requirement, the service will:

  1. Ensure that all staff of the service and parents of children enrolled with the service are made aware of the content of this policy upon employment/orientation and at least annually, and have access to this policy at all times. Information related to this policy may also be communicated using other means such as newsletters, noticeboards and written or electronic communication methods.
  2. Recognise the potential for privacy breaches as a major risk and continually consider, identify and manage privacy risks at each stage of the information lifecycle, including the stages of collection of information, use, disclosure, storage, destruction or de-identification. An annual review of how data is collected, stored and destroyed will occur and a risk management approach will be used to identify modifications.
  3. Implement security systems for protecting personal and sensitive information from misuse, interference and loss and from unauthorised access, modification or disclosure. This may include the use of locked locations or passwords to protect electronic data.
  4. Supervise staff who have access to personal and sensitive information and provide mentoring and advice in relation to this policy and the APPs.
  5. Ensure visitors are supervised and monitored in order to ensure compliance with this policy.
  6. Develop and adopt a Data Breach Response Plan.
  7. Review the adequacy and currency of this policy and the privacy practices and procedures of the service on a regular basis, and update this policy to reflect any amendments or improvements required.
  8. Ensure this policy is available at all times to any person who requests it, free of charge, as soon as reasonably practicable after the request is made.
  9. Ensure a copy of this policy is included in the family orientation documentation.

What is personal and sensitive information?

In this policy, the words ‘personal information’ have the meaning given to them in the Privacy Act, which is: “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.”

In this policy, the words ‘sensitive information’ have the meaning given to them in the Privacy Act which is:

(a) information or an opinion about an individual’s:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual orientation or practices; or

(ix) criminal record;

that is also personal information; or

(b) health information about an individual; or

(c) genetic information about an individual that is not otherwise health information; or

(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

(e) biometric templates.

The Privacy Act imposes greater restrictions on the collection, holding, use or disclosure of sensitive information than it does on non-sensitive personal information.

Families will generally expect that their sensitive information will be given a higher level of protection by the service. For this reason, great care must be taken to protect the privacy of sensitive information such as health information, financial information, information about race or religion or disabilities.

Kinds of personal and sensitive information collected and held by the service

As a necessary part of providing an education and care service, the service collects and holds personal and sensitive information (including health and financial information) about children and their families by completion of a variety of forms and records on the enrolment of a child with the service, and ongoing as education and care is delivered.

This includes information required on child enrolment forms including:

  1. Language used in the child’s home;
  2. The name, address and contact details (telephone numbers and email addresses) of: (a) each known parent of the child; (b) any person who is to be notified of an emergency involving the child if any parent cannot be immediately contacted; (c) any person who is an authorised nominee under Regulation 160; (d) any person who is authorised to consent to medical treatment of, or to authorise administration of medication to the child; and (e) persons who are authorised to provide written authorisation for an educator to take the child outside the education and care service premises; such as on an excursion
  3. Details of any court orders, parenting orders or parenting plans relating to a child;
  4. Details of any other court orders provided to the service relating to a child’s residence or contact with a parent or other person;
  5. Gender of the child;
  6. Cultural background of the child and, if applicable, the child’s parents;
  7. Any special considerations for the child, for example, any cultural, religious or dietary requirements or additional needs;
  8. Authorisations required by National Regulation 161 (consent to medical treatment, transport and regular outings);
  9. Health information required by National Regulation 162 including: (a) the name, address and telephone number of the child’s registered medical practitioner or medical service; (b) if available, the child’s Medicare number; (c) details of any specific healthcare needs of the child including any medical condition and allergies including whether the child has been diagnosed as at risk of anaphylaxis; (d) any medical management plan, anaphylaxis medical management plan or risk minimisation plan to be followed with respect to specific healthcare need, medical condition or allergy; (e) details of any dietary restrictions for the child; and (f) if the approved provider or staff member has sighted the health record for the child, a notation to that effect;
  10. Information relating to the child’s immunisation or relevant exemptions;
  11. Records and documentation of child assessments or evaluations for delivery of education program;
  12. Incident, injury, trauma and illness records;
  13. Medication records;
  14. Children’s attendance records (including the date and time each child arrives and departs);
  15. Any other records collected and stored for the direct purpose of delivering education and care; and
  16. Any communication methods shared by the family or authorised contacts including, but not limited to email, Facebook and other social media platforms.

Information about Staff

As a necessary part of providing an education and care service and ensuring the health, safety and wellbeing of staff, students and volunteers, the service collects and holds personal and sensitive information (including health and financial information) about staff by completion of a variety of forms and records, including those required under Regulations 145, 146, 147, 148, 149, 150, 151 and 152. Other records which may be collected and stored include, but are not limited to:

  1. Immunisation status
  2. Bank details for payment of wages
  3. Personal details, change of name details, contact details and next of kin details
  4. Health and some relevant medical information
  5. Photo identification and working with children documentation

How the service collects and holds personal and sensitive information

Information may be collected electronically or in paper form from a family member or authorised contact in an enrolment form and a range of other associated service forms. Information may be stored in the following ways:

  • Entered into third-party software such as a Child Care Subsidy System package which communicates directly with the Australian Government for the purpose of administering the Child Care Subsidy.
  • Entered into databases or files on a service computer.
  • Stored in paper form in locked filing cabinets, cupboards or in rooms with a lockable door.

Information about staff details may be collected, prior to employment, at the time of employment and during employment both electronically and in paper form. Information may be stored in the following ways:

  • Entered into third-party software with password protection such as a Child Care Subsidy System package which communicates directly with the Australian Government for the purpose of administering the Child Care Subsidy.
  • Entered into third-party software with password protection for the purposes of payroll.
  • Entered into databases or files on a service computer.
  • Stored in paper form in locked filing cabinets, cupboards or in rooms with a lockable door.

The purposes for which personal information is collected, held, used and disclosed

The service collects, uses and discloses personal information directly from parents and staff for the purposes of:

  • registering and maintaining the enrolment of children with the service [including an electronic database of customers of the service];
  • compliance with the requirements of the Education and Care Services National Law (National Law) and Education and Care Services National Regulations (National Regulations), National Quality Standards, Family Assistance Law and where applicable relevant Child Safety Legislation;
  • effective management and administration of the service;
  • the provision of education and care services to children enrolled with the service;
  • the organisation and management of events and activities;
  • performing the functions of an approved education and care service in accordance with all laws;
  • providing information to the Australian Government or the Government of the State or Territory in which the service is situated including child protection agencies as requested or by the service’s own volition if thought appropriate for the purposes of compliance with all laws;
  • compliance with Australian Tax and Superannuation laws;
  • delivering a safe workplace under the Workplace Health and Safety Regulations;
  • the provision of payments for employment purposes;
  • ensuring compliance with relevant State laws in relation to working with children checks;
  • sharing of information with families at the service which may also market the service through social media or web-based programs, newspapers or magazines, only with written permission from families upon enrolment.

Disclosure of personal information

The service discloses personal information to:

  • Australian Government for the purposes of the Family Assistance Law and to regulatory authorities of the service and their authorised officers;
  • Where appropriate, child protection agencies;
  • to staff or medical practitioners or other health care or emergency service professionals to the extent necessary for the education and care or medical treatment of the child to whom the information relates;
  • the Australian Taxation Office and applicable superannuation organisations in relation to employment at the service;
  • Authorised Officers under the Education and Care Services National Law and Regulations.

We will not disclose identifying personal information to third parties for the purposes of marketing products or services to you.

Disclosure of personal information to persons not in Australia or an external territory

Information will not be directly or purposefully disclosed to persons not in Australia. Information may be shared on social media or other external platforms, but this would only be done with written permission from the parent of the child or the staff member.

Quality of personal information

The service must ensure that the personal and sensitive information it collects and holds is accurate, up to date, and complete. Families and staff are asked to update details in writing when their circumstances change.

Security of personal information

In accordance with National Regulation 183, records and documents of the service must be stored in a safe and secure place.

The service takes reasonable steps to protect all information it holds from misuse and loss and from unauthorised access, modification or disclosure. The service applies a range of technologies (including access control passwords and procedures differentiated according to the authority of the service staff member, network firewalls, encryption and physical security of paper records) to protect the privacy of children, families and the staff at the service.

In accordance with National Regulation 183 the Service will keep records and documentation for the following periods:

(a) if the record relates to an incident, illness, injury or trauma suffered by a child while being educated and cared for by the service, until the child is aged 25 years;

(b) if the record relates to an incident, illness, injury or trauma suffered by a child that may have occurred following an incident while being educated and cared for by the service, until the child is aged 25 years;

(c) if the record relates to the death of a child while being educated and cared for by the service or that may have occurred as a result of an incident while being educated and cared for, until the end of 7 years after the death;

(d) in the case of any other record relating to a child enrolled at the education and care service, until the end of 3 years after the last date on which the child was educated and cared for by the service;

(e) if the record relates to the approved provider, until the end of 3 years after the last date on which the approved provider operated the service;

(f) if the record relates to a nominated supervisor or staff member of the service, until the end of 3 years after the last date on which the nominated supervisor or staff member provided education and care on behalf of the service; and

(g) in the case of any other record, until the end of 3 years after the date on which the record is made.

The service will destroy or permanently de-identify any personal or sensitive information which is no longer needed for its intended purposes after expiry of the timescales for the keeping of records in accordance with the National Law and National Regulations from time to time.

How you may access personal information the service holds about you and seek its correction if necessary

Individuals may access personal information held about them and seek its correction if it is incomplete, inaccurate or out of date, by contacting the service in writing.

How you may complain about a breach of this Policy or the APPs and how the service will deal with your complaint

Individuals are able to complain about a breach of the APPs by the service by writing to the address set out below, stating the nature of the complaint.

Upon receipt of your complaint the service will acknowledge receipt of the complaint in writing within 5 working days, respond to your complaint within a reasonable period of time, and advise the Approved Provider of receipt of your complaint and the response provided to you.

Who we are

Our website address is: https://www.soel.wa.edu.au

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Our contact information

If you have any questions, please contact us at social@soel.wa.edu.au