Privacy Policy


This policy will:

· Provide guidelines for the collection, use, storage and disposal of personal information, including photos and videos, and health information at Ormond Community Kindergarten

· Ensure compliance with privacy legislation.

Refer to Quality Improvement and Accreditation System (QIAS), Quality Practices Guide 2005, Principles 2.1, 3.2, 5.1.

Policy statement

1. Values

Ormond Community Kindergarten is committed to:

· Responsible and secure collection and handling of personal information

· Protecting the privacy of each individual’s personal information

· Ensuring individuals are fully informed regarding the collection, storage, use and disposal of their personal information and their access to that information.

1. Scope

This policy applies to staff, parents/guardians, volunteers, students on placement and the committee of Ormond Community Kindergarten.

2. Background and legislation

Early childhood centres are obligated either by law, service agreement or licensing requirements to comply with the principles of privacy and health records legislation when collecting personal and health information about individuals.

The Health Records Act 2001 (Part 1, 7.1) and the Information Privacy Act 2000 (Part 1, 6.1) include a clause that overrides the requirements of these Acts if they conflict with other Acts or regulations already in place. For example, if there is a requirement under the Children’s Services Act 1996 or Children’s Services Regulations 2009 that is inconsistent with the requirements of the privacy legislation, centres are required to abide by the Children’s Services Act 1996 or the Children’s Services Regulations 2009.

Relevant legislation may include but is not limited to:

    • Children’s Services Regulations 2009 (CSR)
    • Children’s Services Act 1996 (CSA)
    • Health Records Act 2001
    • Information Privacy Act 2000
    • Privacy Act 1988
    • Freedom of Information Act 1982
    • Associations Incorporation Amendment Act 2009.

3. Definitions

Department of Education and Early Childhood Development (DEECD): The state government department responsible for the funding, licensing and regulation of children’s services in Victoria.

Freedom of Information Act: Legislation regarding access and correction of information requests.

Hand Book : : A document updated annually which contains a user friendly summary of all detailed procedures. By producing a simple, easy to read version of the policies/procedures parents are more likely to read and understand how Ormond Community Kindergarten works.

Health information: Any information or an opinion about the physical, mental or psychological health or ability (at any time) of an individual.

Health Records Act 2001: State legislation that regulates the management and privacy of health information handled by the public and private sector bodies in Victoria.

Information Privacy Act 2000: State legislation that protects personal information held by Victorian government agencies, statutory bodies, local councils and some organisations, such as early childhood services contracted to provide services for government.

Personal information: ‘Personal information’ (including images) means recorded information or opinion, whether true or not, about a living individual whose identity can reasonably be ascertained.

Privacy: Keeping your own actions, conversations, information and movements free from public knowledge and attention.

Privacy Act: Commonwealth legislation that operates alongside state or territory Acts that makes provision for the collection, holding, use, correction, disclosure or transfer of personal information.

Privacy breach: An act or practice that interferes with the privacy of an individual by being contrary to, or inconsistent with, one or more of the information privacy principles or any relevant code of practice.

Public Records Act: Legislation regarding the management of public sector documents.

Sensitive information: Information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political party, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, that is also personal information.

Unique identifier: An identifier (usually a number) assigned by an organisation to an individual in order to uniquely identify that individual for the purposes of the operations of the organisation.

4. Sources and related policies


    • DEECD, Record Keeping for Children’s Services
    • Health Services Commissioner
    • Victorian Privacy Commissioner
    • KPV Employer Management Manual 2006
    • Childcare Service Handbook

Centre policies

    • Communication
    • Complaints and grievances
    • Delivery and collection of children
    • Enrolment


The committee is responsible for:

    • All Staff and the director adhering to this policy
    • Ensuring the centre complies with the requirements of the privacy principles as outlined in the Health Records Act 2001, the Information Privacy Act 2000 and, where applicable, the Privacy Act 1988 by developing, reviewing and implementing processes and practices that identify:
    • What information the centre collects about whom and from whom
    • Why and how the centre collects, uses and discloses information
    • Who will have authorised access to the information
    • Risk areas in relation to collection, use, disclosure or disposal of personal and health information
    • Ensuring parents/guardians know why the information is being collected and how it will be managed
    • Providing adequate and appropriate secure storage for personal information collected by the service
    • Developing procedures that will protect personal information from unauthorised access

The director is responsible for:

    • Considering the appropriate use of images of children, ensuring they are culturally sensitive and treated with special care
    • Developing procedures to monitor compliance with the requirements of this policy
    • Ensuring all employees and committee members are provided with a copy of the policy, including the Information privacy collection statement (see Attachment 1)
    • Ensuring all parents/guardians are provided with the Information privacy collection statement. It is located in the handbook produced annually and distributed during enrolment. See Attachment 1.
    • A notice will be on the notice board informing parents/guardians that a copy of the full policy is available upon request or they may access the policy themselves which is located in the Ormond Community Kindergarten Policies and Procedures Manual, located in the foyer of the centre.
    • Establishing procedures to be implemented if parents/guardians request that their child’s image not be taken, published or recorded or when a child requests that their photo not be taken. This information is recorded on the blue and white enrolment form, when a child enrols at the centre.

The staff are responsible for:

    • Ensuring they are aware of their responsibilities in relation to the collection, use, storage and disposal of health and personal information
    • Implementing the requirements for the handling of personal and health information as set out in this policy
    • Obtaining informed and voluntary consent of the parents/guardians of the children who will be photographed or videoed (refer to blue and white enrolment form for parent’s wishes)
    • Respecting children’s choices about having their photo taken or being videoed
    • Providing notice to children and parents/guardians when photos or recordings are going to occur
    • Recording information on children, which must be kept secure and may be requested and viewed by the child’s parents/guardians and representatives of the DEECD during an inspection visit.

The parents/guardians are responsible for:

    • Providing accurate information when requested
    • Maintaining the privacy of any personal or health information provided to them about other individuals, such as contact details
    • Being sensitive and respectful to the requests by parent/guardians not wanting their child to be photographed
    • Completing all permission forms and returning them to the centre in a timely manner.


In order to assess whether the policy has achieved the values and purposes, the Ormond Community Kindergarten committee will be responsible for:

    • Monitoring the privacy policy and procedures, assessing whether satisfactory compliance has been achieved
    • Conducting a survey, if required, in relation to this policy or incorporating relevant questions within the general parents’/guardians’ survey
    • Taking into consideration feedback on the policy from staff, parents/guardians and committee members.
    • Keeping up to date on current legislation and research in relation to privacy issues.


Attachment 1: Privacy Policy Collection Statement

Attachment 2: Privacy principles in Action

Attachment 3: Additional background information

Attachment 1

Ormond Community Kindergarten

Privacy Policy Collection Statement:

We believe your privacy is important.

Ormond Community Kindergarten has developed a Privacy policy that illustrates how we collect, use, disclose, manage and transfer personal information, including health information. This policy is available on request.

To ensure ongoing funding and licensing, our centre is required to comply with the requirements of either a service agreement and/or privacy legislation in relation to the collection and use of personal information. If we need to collect health information, we are subject to the Health Records Act 2001.

Purpose for which information is collected

The reasons for which we generally collect personal information are given in the table below.

Personal information and health information collected in relation to:

Primary purpose for which information will be used:

Children and parents/guardians

  • To enable us to provide for the education and care of the child attending the centre
  • To manage and administer the service as required.


  • For the management of the centre
  • To comply with relevant legislation requirements

Job applicants, employees, contractors, volunteers and students

  • To assess and (if necessary) to engage employees, contractors, volunteers or students
  • To administer the individual’s employment, contracts or placement of students and volunteers

Note: Be aware that under relevant privacy legislation, other uses and disclosures of personal information may be permitted, as set out in that legislation.

Disclosure of personal information, including health information

We may disclose some personal information, including health information, held about an individual to:

  • Government departments or agencies as part of our legal and funding obligations
  • Local government authorities in relation to enrolment details for planning purposes
  • Organisations providing services related to employee entitlements and employment
  • Anyone to whom the individual authorises us to disclose information.

Laws that require us to collect specific information

The Children’s Services Regulations 2009, Children’s Services Act 1996, Associations Incorporation Amendment Act 2009 and employment-related laws and agreements require us to collect specific information. Failure to provide the required information could affect:

  • A child’s enrolment at the centre
  • An employee’s employment
  • The ability to function as an incorporated association.

Access to information

Individuals about whom we hold personal or health information are able to gain access to this information in accordance with applicable legislation. The procedure for doing this is set out in our Privacy policy, which is available on request.

For information on the Privacy policy, please refer to the copy on the noticeboard in the centre foyer or contact the committee.

Attachment 2:

Privacy principles in action:

1.Collection processes (Privacy principle 1)

1.1 Type of personal and health information to be collected

The centre will only collect the information needed, and for which there is a purpose, that is legitimate and related to the centre’s functions or obligations.

The type of information collected and held includes (but is not limited to) personal information, including health information, regarding:

    • Children and parents/guardians before and during the child’s attendance at a centre (this information is collected in order to provide and/or administer services to children and parents/guardians)
    • Job applicants, employees, members, volunteers and contractors (this information is collected in order to manage the relationship and fulfil our legal obligations)
    • Contact details of other parties with which the centre deals.
    • The centre will collect information on the following identifiers:
      • Information required to access the kindergarten fee subsidy for eligible families (refer to centre’s Fee policy)
      • Tax file number for all employees related to the deduction and forwarding of tax to the Australian Tax Office -failure to provide this would result in maximum tax being deducted

1.2 Collection of health and personal information

Personal information about individuals, either in relation to themselves or their children enrolled at the centre, will generally be collected via forms filled out by parents/guardians. Other information may be collected from job applications, face-to-face interviews and telephone calls.

Individuals from whom we collect personal information will be provided with a copy of the centre’s Information privacy collection statement (Attachment 1). If the reason for collecting the information varies from the collection statement, the statement will be amended to incorporate the area required, while still complying with the privacy principle requirements of Health Privacy Principle 1.4 (Health Records Act 2001) and Information Privacy Principle 1.3 (Information Privacy Act 2000).

When the centre receives personal information from a source other than the individual or the parents/guardians, the person receiving the information will notify the individual or the parents/guardians of the child to whom the information relates of the receipt of this information. The centre will advise that individual that they have a right to request access to the information.

Access will be granted in accordance with the relevant legislation. Please note that the legislation allows the centre to deny access in accordance with the limited reasons for denial that are contained in the legislation (Privacy Principle 6.1).1.3 Anonymity (Privacy principle 8)

Wherever it is lawful and practicable, individuals will have the option of not identifying themselves when entering transactions with our centre.

2. Use and disclosure of personal information (Privacy principle 2)

2.1 Use of information

The centre will use the personal information collected for the primary purpose (refer to the table below) of the collection of such information. We may also use this information for any secondary purposes that are related to the primary purpose of collection and can be reasonably expected, or to which the individual concerned has consented. The following table identifies whose personal information will be collected, the primary purpose for collection and some examples of how this information will be used.

Personal information and health information collected in relation to:

Primary purpose of collection:

Examples of how the centre will use personal information, including sensitive and health information, include:

Children and parents/guardians

To enable us to provide for the education and care of the child attending the centre.

In relation to photos, videos, publications and media and for recording, communicating and promoting the centre and children’s activities (refer to blue and white enrolment form for permission for – Photographs and videos)

  • Day-to-day administration
  • Provision of a place for their child in the centre
  • Duty rosters
  • Looking after children’s educational, care and safety needs
  • For correspondence with parents/guardians relating to their child’s attendance
  • To satisfy the centre’s legal obligations and to allow it to discharge its duty of care
  • Displays in the centre
  • Newsletters
  • External media, including websites

Committee members

For the management of the centre

  • For communication with and between committee members, employees and members of the association
  • To satisfy the centre’s legal obligations

Job applicants, employees, contractors, volunteers and students

To assess and (if necessary) to engage the applicant, employees, contractor, volunteers or students, as the case may be.

To administer the employment, contract or placement.

  • Administering the individual’s employment, contract or placement, as the case may be
  • Health and safety
  • Insurance purposes
  • Satisfying the centre’s legal obligations; for example, in relation to the Children’s Services Act 1996 and the Children’s Services Regulations 2009
  • Listing the names and qualifications of staff on material provided to prospective users.

2.2 Disclosure of personal information, including health information

We may disclose some personal information held about an individual to:

    • Government departments or agencies as part of our legal and funding obligations
    • Local government authorities in relation to enrolment details for planning purposes
    • Organisations providing services related to staff entitlements and employment
    • Insurance providers in relation to specific claims
    • Law enforcement agencies
    • Health organisations and/or families in circumstances where the person requires urgent medical assistance and is incapable of giving permission
    • Anyone to whom the individual authorises the centre to disclose information.

2.3 Disclosure of sensitive information (Privacy principle 10)

Sensitive information will be used and disclosed only for the purpose for which it was collected or a directly related secondary purpose, unless the individual agrees otherwise, or the use or disclosure of the sensitive information is allowed by law.

3. Management and security of information

3.1 Storage and security of personal information (Privacy principle 4)

In order to protect the personal information from misuse, loss, unauthorised access, modification or disclosure, the committee and staff will ensure that in relation to personal information:

    • Access will be limited to staff /licensee representatives or other committee members who require this information in order to fulfil their responsibilities and duties
    • It will not be left in areas that allow for unauthorised access
    • The physical storage of all materials will be in a secure cabinet or area
    • Computerised records containing personal or health information will require password access
    • There is security in transmission:

1. Emails will only be sent to a person authorised to receive this material

2. Faxes will only be sent to a secure fax, which does not allow unauthorised access

3. Telephone-limited personal information will be provided over the telephone to persons authorised to receive that information

4. Transfer of information interstate and overseas will only occur with the permission of the person concerned or their parents/guardians.

4. Data quality (Privacy principle 3)

The centre will endeavour to ensure that the personal information it holds is accurate, complete, up to date and relevant to its functions or activities.

5. Disposal of information

Personal information will not be stored any longer than necessary.

In disposing of personal information, those with authorised access to the information will ensure that it is either shredded or destroyed in such a way that no one can access the information.

6. Access to personal information (Privacy principle 6)

6.1 Access to information and updating personal information

Individuals have the right to ask for access to personal information the centre holds about them without providing a reason for requesting access.

Under the privacy legislation, an individual has the right to:

    • Request access to personal information that the centre holds about them
    • Access this information
    • Make corrections if they consider the data is not accurate, complete or up to date.

There are some exceptions set out in the Acts where access may be denied in part or in total. Examples of some of the exemptions are where:

    • The request is frivolous or vexatious
    • Providing access would have an unreasonable impact on the privacy of other individuals
    • Providing access would pose a serious threat to the life or health of any person
    • The centre is involved in the detection, investigation or remedying of serious improper conduct and providing access would prejudice that.

6.2 Process for considering access requests

A person may seek access, to view or update their personal/health information:

    • If it relates to their child, by contacting the teacher/coordinator
    • For all other requests, by contacting the secretary of the committee.
    • Personal information may be accessed in the following way:
    • View and inspect information
    • Take notes
    • Obtain a copy.

Individuals requiring access to, or updating of, personal information should nominate the type of access required and specify, if possible, what information is required. There is no legal requirement to provide a reason for the request. A visible form of identification must also be provided to the person receiving the request, if the person making the request is not known to them. The details of ID provided, the request and the date received will be recorded and each request will be acknowledged (by telephone) within fourteen days, but preferably within two working days. Requests will be complied with within thirty days. However, there could be a delay in responding if the timeline occurs over a period when the centre is closed.

Committee and employees will provide access in line with the privacy legislation. If the requested information is not given, the reasons for denied access will be given in writing to the person requesting the information.

In accordance with the legislation the centre reserves the right to charge for information provided in order to cover the costs involved in providing the information

Attachment 3

Additional background information:

Centres need to ensure their processes for the collection, use, storage and disposal of health and personal information meet the requirements of the appropriate privacy legislation and Health Records Act 2001.

Examples of practices impacted by the privacy legislation are:

    • Attendance records: Limit the information to what is required in the Children’s Services Regulations 2009. This regulation requires details of the date, child’s full name, times of arrival and departure, signatures of the person delivering and collecting the child (CSR r29). Contact details may be kept in a sealed envelope at the back of the attendance book or separate folder for evacuation/emergency purposes.
    • Medication records and accident, injury and illness records: Access to health and personal information about a child is to be accessible only to parents/guardians of the child and to authorised persons who require the information in order to carry out their duties. An example of good practice is the use of a ring binder that contains a separate section for each child. A medication sheet and accident, injury and illness sheet for recording details required by the Children’s Services Regulations 2009 would be included in each section. Parents/guardians would then have access only to the sheets from their child’s section. Completed entries can then be removed and stored securely. Be aware that great care needs to be taken when using a ring binder to ensure that entries and information are not lost or mislaid.
    • Handling and storage of information: Limited space can often be an issue in early childhood centres, and both employees and the committee need to have access to secure storage for personal and health information. It is important that confidential information remains at the centre at all times and that folders/files are not accessible to unauthorised staff; for example, if left open on an unattended desk.
    • Computerised records: It is important that computerised records containing personal or health information can only be accessed with a password. If you are password-protecting files relating to the centre, a procedure needs to be put in place to ensure that the password is accessible to an authorised person who may need to take over the role. The procedure should not rely on a handover from teacher to teacher or treasurer to treasurer, as they may not be available to do this; for example, if ill.
    • Forms: Enrolment application forms and any forms used to collect personal or health information should have the centre’s collection statement attached to them.
    • Information collected for which you do not have an immediate use: A centre should only collect the information it needs and for which it has a specific purpose. Centres should not collect information that has no immediate use, even though it may be useful in the future.