


Privacy and Confidentiality Policy



Privacy is acknowledged as a fundamental human right. Babyccino Long Day Care has an ethical and legal responsibility to protect the privacy and confidentiality of children, individuals and families as outlined in the Early Childhood Code of Ethics, Education and Care Services National Regulations and the Privacy Act 1988 (Cth). The right to privacy of all children, their families, and educators and staff of the Service will be upheld and respected, whilst ensuring that all children have access to high quality early years care and education. All staff members will maintain confidentiality of personal and sensitive information to foster positive trusting relationships with families.
NATIONAL QUALITY STANDARD (NQS)
QUALITY AREA 7: GOVERNANCE AND LEADERSHIP | |||
|---|---|---|---|
7.1 | Governance | Governance supports the operation of a quality service. | |
7.1.1 | Service philosophy and purposes | A statement of philosophy guides all aspects of the service’s operations. | |
7.1.2 | Management Systems | Systems are in place to manage risk and enable the effective management and operation of a quality service. | |
7.1.3 | Roles and Responsibilities | Roles and responsibilities are clearly defined and understood and support effective decision-making and operation of the service. | |
7.2 | Leadership | Effective leadership builds and promotes a positive organisational culture and professional learning community. | |
EDUCATION AND CARE SERVICES NATIONAL LAW AND NATIONAL REGULATIONS | ||||
|---|---|---|---|---|
168 | Education and care services must have policies and procedures | |||
170 | Policies and procedures to be followed | |||
171 | Policies and procedures to be kept available | |||
177 | Prescribed enrolment and other documents to be kept by approved provider | |||
181 | Confidentiality of records kept by approved provider | |||
183 | Storage of records and other documents | |||
184 | Storage of records after service approval transferred | |||
RELATED LEGISLATION
Child Care Subsidy Secretary’s Rules 2017 | Family Law Act 1975 |
A New Tax System (Family Assistance) Act 1999 | Child Care Subsidy Minister’s Rules 2017 |
Privacy Act 1988 (the Act) | |
Family Assistance Law – Incorporating all related legislation as identified within the Child Care Provider Handbook | |
RELATED POLICIES
• CCS Account Policy
• CCS Governance Policy
• Dealing with Complaints Policy
• Enrolment Policy
• Family Communication Policy
• Governance Policy
• Interaction with Children, Family and Staff Policy
• Management Committee Policy
• Orientation of Families Policy
• Payment of Fees Policy
• Record Keeping and Retention Policy
• Safe Use of Digital Technologies and Online Environments Policy
• Social Media Policy
• Writing Reviewing and Maintaining Policies Policy
PURPOSE
To ensure that the confidentiality of information and files relating to the children, families, staff, and visitors using the Service is upheld at all times. We aim to protect the privacy and confidentiality of all information and records about individual children, families, educators, staff and management by ensuring continuous review and improvement of our current systems, storage, and methods of disposal of records. We will ensure that all records and information are held in a secure place and are only retrieved by or released to people who have a legal right to access this information. Our Service takes data integrity very seriously. We strive to ensure all records and data are protected from unauthorised access and are available to authorised persons when needed. This policy provides procedures to ensure data is stored, used and accessed in accordance with relevant policies and procedures, for example the Enrolment Policy and CCS Account Policy.
Our Service adopts and aligns with the National Model Code and guidelines for taking images or videos of children. (See Safe Use of Digital Technologies and Online Environments Policy.)
SCOPE
This policy applies to children, families, educators, staff, management, approved provider, nominated supervisor, students, volunteers and visitors of the Service.
IMPLEMENTATION
Under National Law, Section 263, Early Childhood Services are required to comply with Australian privacy law which includes the Privacy Act 1988 (the Act) aimed at protecting the privacy of individuals. Schedule 1 of the Privacy Act (1988) includes 13 Australian Privacy Principles (APPs) which all services are required to apply. The APPs set out the standards, rights and legal obligations in relation to collecting, handling, holding and accessing personal information.
The Notifiable Data Breaches (NDB) scheme requires Early Childhood Services, Family Day Care Services, and Out of School Hours Care Services to provide notice to the Office of the Australian Information Commissioner (formerly known as the Privacy Commissioner) and affected individuals of any data breaches that are ‘likely’ to result in ‘serious harm’. Businesses that suspect an eligible data breach may have occurred, must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected. A breach of an Australian Privacy Principle is viewed as an ‘interference with the privacy of an individual’ and can lead to regulatory action and penalties.
(Source: OAIC Australian Privacy Principles)
Further information about the APPs is included in Appendix 1 of this policy.
THE APPROVED PROVIDER/NOMINATED SUPERVISOR/MANAGEMENT WILL:
• ensure that obligations under the Education and Care Services National Law and National Regulations are met
• ensure the Service acts in accordance with the requirements of the Australian Privacy Principles and Privacy Act 1988 by developing, reviewing, and implementing procedures and practices that identify:
o the name and contact details of the Service
o what information the Service collects and the source of information
o why the information is collected
o who will have access to information
o collection, storage, use, disclosure, and disposal of personal information collected by the Service
o any law that requires the particular information to be collected
o adequate and appropriate storage for personal information collected by the Service
o protection of personal information from unauthorised access.
• ensure educators, staff, students, visitors and volunteers have knowledge of and adhere to this policy and associated procedure, and are provided with a copy if required
• require new employees to sign a Confidentiality Agreement as part of their induction and orientation
• advise students, volunteers and visitors of their role to maintain confidentiality during induction
• ensure families are aware of the Privacy and Confidentiality Policy
• provide staff and educators with relevant information regarding changes to Australian privacy law and Service policy
• ensure all relevant staff understand the requirements under Australia's privacy law and Notifiable Data Breaches (NDB) scheme
• maintain currency with the Australian Privacy Principles (this may include delegating a staff member to oversee all privacy-related activities to ensure compliance)
• ensure personal information is protected in accordance with our obligations under the Privacy Act 1988 and Privacy Amendments (Enhancing Privacy Protection) Act 2012 and only authorised personnel have access to private and sensitive information
• ensure all records and documents are maintained and stored in accordance with Education and Care Service National Regulations (See Record Keeping and Retention Policy)
• regularly back up personal and sensitive data using approved secure cloud-based systems and service platform.
• ensure appropriate device security measures are in place, including password protection, device security settings and regular system updates
• ensure families are notified of the time particular records are required to be retained as per Education and Care Services National Regulations [Reg. 183 (2)]
• ensure the appropriate and permitted use of images and videos of children, including obtaining written authorisation from parents and/or guardians of children who will be photographed or videoed by the Service. The authorisation is to state the purpose for which the images and videos are to be used for and details regarding their publication or sharing.
• ensure families are aware that images or videos obtained from the Service, via OWNA or any other format, are not to be shared by families on any device or social media platform. Families are not to share photographs or videos taken during special events for publishing on social media platforms or for sharing in any other format.
• ensure personal electronic devices including phones, smartwatches or other devices that are able to take images or videos, are not in the possession of any person while providing education and care and working directly with children
• ensure only devices that are issued by and registered with the Service are used to record and store images and videos of children
• develop procedures to ensure controls are in place over the storage, access and retention of children’s images and videos at the Service, including hardcopy and digital files
• deal with privacy complaints promptly and in a consistent manner, following the Service’s Dealing with Complaints Policy and procedures
• ensure families only have access to the files and records of their own children
• refer to individual family court orders for guidance regarding access, sharing and release of information where required
• upon request from a parent, provide documents or information relating to their child
• ensure information given to educators will be treated with respect and in a professional and confidential manner
• ensure only necessary information regarding the children’s day-to-day health and wellbeing is given to non-primary contact educators. For example, food allergy information.
• ensure individual child and staff files are stored in a locked and secure cabinet
• ensure digital records are stored on approved platforms with role-based access
• ensure information relating to staff employment will remain confidential and available only to the people directly involved with making personnel decisions
• ensure that information shared with the Service by the family will be treated as confidential unless told otherwise
• ensure personal and sensitive information regarding the health and wellbeing of a child, family member or staff member is not shared with others unless consent has been provided, in writing, or provided the disclosure is required or authorised by law under relevant state/territory legislation (Reg. 177(4A)). Reference information sharing/disclosure as authorised or required by law, including child protection obligations (mandatory reporting), and relevant NSW legislation.
• complete a Privacy Audit every 12 months or following a breach of data to ensure the Service meets lawful obligations, identifies areas for improvement and to detect potential areas of breach in privacy law
• follow the Privacy and Confidentiality Procedure and complete a Data Breach Response Record following any breaches in data at the Service
• ensure employees who have resigned acknowledge their commitment to refrain from accessing accounts or misusing sensitive and confidential information
• establish policies and procedures regarding the use of CCTV within the Service, including the obligation to inform families, staff and visitors about the purpose and storage of CCTV images and videos, ensuring data is kept secure and accessed by authorised persons
• read and adhere to the Privacy and Confidentiality Policy at all times
• comply with the Service’s adoption of the National Model Code regarding taking images or recording videos of children whilst at the education and care service
• ensure documented information and photographs of children are kept secure but may be accessed at any time by the child’s parents or guardian
• ensure Service documentation and records remain at the Service
• inform management if they learn of images of enrolled children being shared on social media or by any other format by families or staff that have been obtained via the OWNA or other format; or photos taken during special events by the Service or families
• ensure parents or guardians only have access to the files and records of their own children (unless a court order prohibits access)
• treat private and confidential information with respect in a professional manner
• not discuss individual children with people other than the family of that child, except for the purposes of curriculum planning or group management. Communication in other settings must be approved by the family beforehand
• ensure that information shared with the service by the family will be treated as confidential unless told otherwise
• maintain individual and Service information and store documentation according to this policy at all times
• ensure personnel and sensitive information is not accessed by unauthorised persons
• not disclose or share information about an individual or Service, management, or other staff (unless authorised to do so by legislation)
• ensure passwords used to gain access to private and sensitive information are not shared with others
• ensure any media enquiries are directed to the approved provider or nominated supervisor.
FAMILIES WILL:
• be aware of the Privacy and Confidentiality Policy upon enrolment
• be aware of the Family Conduct Guidelines upon enrolment
• ensure all information provided to the Service is accurate and kept up to date
• be informed that access to documentation and personal information is limited to their own child/ren
• follow the Dealing with Complaints Policy regarding any complaints or concerns regarding privacy and confidentiality of private and sensitive information
• share information relating to individual family court orders or parenting plans with the Service and update these as required
• ensure they do not share data or personal information of other family members, children or staff members from the Service with anyone, including other families of the same Service
• not use or share images obtained from the Service, via the Service’s app, Facebook pages or other format
• not share photographs taken during special events for publishing on any social media or for sharing in any format
• respect that staff are prohibited from sharing information about other children, families or staff members without the express written consent of the person to whom the information relates.
NATIONAL MODEL CODE
Our Service ensures that practices relating to privacy and confidentiality of personal digital data, including images and videos of children, adhere to the requirements outlined within the National Model Code (NMC). The approved provider will ensure all staff, educators, students, volunteers and, where relevant, visitors (including ECIP professionals) are aware of and adhere to the NMC.
This ensures that images and videos of children are:
• only taken on Service-issued electronic devices
• stored and secured using password protection systems
• accessed only by approved personnel
• not stored or transferred to personal electronic devices (including SD cards, USB drives etc)
• personal information is de-identified or destroyed and removed from storage, in accordance with the Record Keeping and Retention Policy
Parents/Guardians are required to provide written authorisation for the use, storage and destruction of digital documentation, including images and videos. The approved provider will ensure images and videos are destroyed and removed from storage if a parent/guardian revokes their authorisation.
Australian Privacy Principles- Personal Information
Babyccino Long Day Care [ABN- 86 672 475 571] is committed to protecting personal information in accordance with our obligations under the Privacy Act 1988 and Privacy Amendments (Enhancing Privacy Protection) Act 2012.
Personal information includes a broad range of information, or an opinion, that could identify an individual. Sensitive information is personal information that includes information or an opinion about a range of personal information that has a higher level of privacy protection than other personal information.
(Source: OAIC-Australian Privacy Laws, Privacy Act 1988)
Personal information about you and your child will be collected and held securely and confidentially to assist our Service to provide quality education and care to your child whilst promoting and maintaining a child safe environment for all stakeholders.
Personal information our Service may request regarding enrolled children:
Child’s name
Gender
Date of birth
Address
Birth Certificate
Religion
Language spoken at home
Emergency contact details and persons authorised to collect individual children
Children’s health requirements
Immunisation records- (Immunisation History Statement)
Developmental records and summaries
External agency information
Custodial arrangements or parenting orders
Incident reports
Medication reports
Child Care Subsidy information
Medical records
Permission forms – including permission to take and publish photographs, video, work samples
Doctor’s contact information
Centrelink Customer Reference number (CRN)
Dietary requirements
Personal information our Service may request regarding parents and guardians
Parent/s full name
Guardian/s full name
Address
Phone number (mobile & work)
Email address
Bank account or credit card detail for payments
Centrelink Customer Reference number (CRN)
Custody arrangements or parental agreement
Personal information our Service may request regarding staff, students and volunteers
Personal details
Tax information
Banking details
Working contract
Emergency contact details
Medical details
Working with Children Check verification
Educational Qualifications
Medical history
Resume
Superannuation details
Child Protection qualifications
First Aid, Asthma and Anaphylaxis certificates
Professional Development certificates
PRODA related documents such as RA number and related background checks
METHOD OF COLLECTION
Information is generally collected using standard forms at the time of enrolment or employment.
Additional information may be provided to the Service through email, surveys, telephone calls or other written communication. Information may be collected online through the use of software such as CCS software or program software.
HOW WE PROTECT YOUR PERSONAL INFORMATION
To protect your personal and sensitive information, we maintain physical, technical and administrative safeguards as follows:
• all hard copies of information are stored in children’s individual files or staff individual files in a locked cupboard
• all computers used to store personal information are password protected. Each staff member will be provided with a unique username and password for access to CCS software and program software. Staff will be advised not to share usernames and passwords.
• access to personal and sensitive information is restricted to key personnel only
• security software is installed on all computers and updated automatically when patches are released
• data is regularly backed up on external drive and/or through a cloud storage solution
• any notifiable breach to data is reported
• all staff are aware of the importance of confidentiality and maintaining the privacy and security of all information
• procedures are in place to ensure information is communicated to intended recipients only, for example invoices and payment enquiries
ACCESS TO PERSONAL AND SENSITIVE INFORMATION
Personal and sensitive information about staff, families and children will be stored securely at all times. Families who have access to enrolment or program information online will be provided with a unique username and password. Families will be advised not to share usernames and passwords or photos shared within Facebook or other apps.
The approved provider will ensure that information kept in a child’s record is not divulged or communicated through direct or indirect means to another person other than:
• the extent necessary for the education and care or medical treatment of the child to whom the information relates
• a parent of the child to whom the information relates, except in the case of information kept in a staff record
• the regulatory authority or an authorised officer
• as expressly authorised, permitted or required to be given by or under any Act or law
• with the written consent of the person who provided the information (written consent may be withdrawn at any time).
Education and Care National Regulations (Reg. 177) specifically state personal information relating to the individuals listed below must not be disclosed or shared with a parent of a child enrolled at the Service without prior written consent of the person to whom the personal or sensitive information relates to:
o a parent of a child
o a person who is an emergency contact
o a person who is an authorised nominee
o a person who is authorised to consent to medical treatment
o a person who is authorised to authorise an educator to take a child outside the Service
o a person who is authorised to authorise transport
Individuals may withdraw their consent in writing prior to personal information being disclosed.
DISCLOSING PERSONAL AND SENSITIVE INFORMATION
Our Service will only disclose personal or sensitive information to:
• a third-party provider with parent permission (for example CCS software provider)
• Child Protection Agency- Office of the Children’s Guardian and Regulatory Authority as per our Child Protection and Child Safe Environment Policies
• as part of the purchase of our business asset with parental permission
• authorised officers (for example public health officer)
• the regulatory authority or an authorised officer
• as expressly authorised, permitted or required to be given by or under any Act or Law
• with the written consent of the person who provided the information (written consent may be withdrawn at any time).
If the Service is transferred to a new approved provider, any records and documents will be transferred to the new approved provider following written consent from parents/guardians regarding the transfer and sharing of records and documents.
COMPLAINTS AND GRIEVANCES
If a parent, family member, child, employee or volunteer has a complaint or concern about our Service, or they believe there has been a data breach of the Australian Privacy Principles, they are requested to contact the approved provider so reasonable steps to investigate the complaint can be made and a response provided. [See: Dealing with Complaints Policy]
If there are further concerns about how the matter has been handled, please contact the Office of the Australian Information Commissioner (OAIC) to lodge a privacy complaint in writing.
For any other general concerns, please contact the approved provider directly on:
BREACH OF POLICY
Staff members or educators who fail to adhere to this policy may be in breach of their terms of employment. Staff members who engage in unauthorised disclosure of confidential or sensitive personal information may face disciplinary action. Visitors or volunteers who fail to comply with this policy may face termination of their engagement.
CONTINUOUS IMPROVEMENT/REFLECTION
Our Privacy and Confidentiality Policy will be updated and reviewed annually or earlier if there are changes to legislation, ACECQA guidance or any incident related to our policy. Feedback will be requested from children, families, staff, educators and management and notification of any change to policies will be made to families within 14 days.
CHILDCARE CENTRE DESKTOP- RELATED RESOURCES
Confidentiality Agreement Data Breach Response Plan Record Data Security Procedure and Checklist | Privacy Audit Privacy and Confidentiality Procedure Privacy Law Compliance Procedure |
SOURCES
Australian Children’s Education & Care Quality Authority. (2025). Guide to the National Quality Framework
Australian Children’s Education & Care Quality Authority. (2024). National Model Code for Early Childhood Education and Care.
Australian Government Department of Education. Child Care Provider Handbook (2024) https://www.education.gov.au/early-childhood/resources/child-care-provider-handbook
Australian Government Office of the Australian Information Commissioner – Australian Privacy Principles: https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles
Early Childhood Australia Code of Ethics. (2016).
Education and Care Services National Law Act 2010. (Amended 2023).
Education and Care Services National Regulations. (Amended 2023).
Privacy Act 1988.
REVIEW
POLICY REVIEWED BY | Akankshya Luitel | Nominated Supervisor | 28/01/2026 |
POLICY REVIEWED | JANUARY 2026 | NEXT REVIEW DATE | JANUARY 2027 |
VERSION NUMBER | V28.01.26 | ||
MODIFICATIONS |
• new section added – National Model Code • added reference to new mandatory policy- Safe Use of Digital Technologies and Online Environments Policy • minor edits within policy • sources checked for currency and updated as required | ||
POLICY REVIEWED | PREVIOUS MODIFICATIONS | NEXT REVIEW DATE | |
JANUARY 2026 |
• additional information added: National Model Code for Early Childhood Education and Care • sources checked and updated as required | JANUARY 2027 | |
APPENDIX - 1
The Australian Privacy Principles (APPs) outline:
• The open and transparent management of personal information, including having a privacy policy
• An individual having the option of transacting anonymously or using a pseudonym where practicable
• The collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
• How personal information can be used and disclosed (including overseas)
• Maintaining the quality of personal information
• Keeping personal information secure
• Right for individuals to access and correct their personal information
The APPs place more stringent obligations on APP entities when they handle ‘sensitive information’.
Sensitive information is a type of personal information and includes information about an individual's:
• Health (including predictive genetic information)
• Racial or ethnic origin
• Political opinions
• Membership of a political association, professional or trade association or trade union
• Religious beliefs or affiliations
• Philosophical beliefs
• Sexual orientation or practices
• Criminal record
• Biometric information that is to be used for certain purposes
• Biometric templates
Australian Privacy Principles (APPs)
APP 1 – Open and transparent management of personal information
Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.
APP 2 – Anonymity and Pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
APP 3 – Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4 – Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
APP 5 – Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
APP 6 – Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
APP 7 – Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8 – Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
APP 9 – Adoption, use or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier or use or disclose a government related identifier of an individual.
APP 10 – Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 – Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12 – Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 – Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
Source: Australian Government Office of the Australian Information Commissioner (OAIC)
https://www.oaic.gov.au/privacy/