Purpose
The purpose of this operational policy is to ensure our centre is clear about its privacy responsibilities under the Privacy Act 2020.
Position Statement
Our centre protects the privacy of children, their parents and whānau enrolled in our service, as well as persons employed by our service, and in so doing adheres to the Privacy Act 2020.
Privacy Officers are: Head Teacher/Centre Manager and Centre Director
Issue Outline
The Privacy Act 2020 governs how organisations and businesses can collect, store, use and share children’s, parents’ and employees’ information.
The Privacy Act 2020 and the Privacy Principles ensure that every parent and employee knows –
- when their information is being collected
- that their information is used and shared appropriately
- that their information is kept safe and secure
- that they can get access to their information
The Privacy Act 2020 sets out protections for individuals’ right to privacy, including the privacy of children attending our centre, and their families. As a licensed early childhood education centre receiving government subsidies, we are, however, required to collect some information in order to operate our service and meet government requirements for our sector. Children, their families and staff are entitled to know what information is being collected and its purpose, and what information about them is being shared, with whom and why.
Overview of the information privacy principles
The Privacy Act has 13 Information Privacy Principles (IPPs) which outline how personal information is collected, stored, accessed, corrected, used and disclosed: https://www.privacy.org.nz/privacy-act-2020/privacy-principles/
In summary, the IPPs are:
- Only collect the information you need
- Where possible, get the information directly from the person
- Be clear about what the information will be used for
- Use fair and reasonable ways of collecting information
- Keep information safe
- Let people access information about themselves
- Correct information if the person thinks it is wrong
- Make sure information is accurate before you use it
- Only keep information as long as you need it
- Only use the information for the purpose you collected it
- Only share personal information if you have a good reason
- Only send personal information overseas if the agency outside of New Zealand has similar safeguards to those in the Privacy Act
- Only use individual identifiers if it is clearly allowed.
Impacts of Policy on Staff, Parents, Children
This policy impacts on staff by ensuring they remain aware and vigilant when it comes to information that identifies any specific child or family attending our centre.
The policy impacts on families by ensuring they are aware that their privacy and that of their children will be protected.
This relates to personal information about a child and family collected on the centre’s enrolment form, which is shared with the Ministry of Education (MoE), who store it securely and treat it in accordance with the Privacy Act 2020. Information is disclosed to the MoE –
- For funding allocation purposes
- For monitoring purposes
- To allow the assignment of a National Student number to an enrolled child
- To allow the Minister or Secretary of Education to exercise any of their other powers or responsibilities under the Education and Training Act 2020, and as permitted by Privacy Principles 10 and 11.
Identity verification documents that have been sighted for the purpose of a child’s enrolment will be noted as sighted. Copies of children’s identification documents will NOT be retained. Copies received by the centre will be securely destroyed.
Note: Sharing information about an individual is often essential to their health, safety and wellbeing. In the event that information must be shared in the interest of safety and wellbeing of a child or young person, specific information sharing guidance must be followed: https://www.privacy.org.nz/publications/guidance-resources/information-sharing-guidance-child-welfare-family-violence/
The safety and wellbeing of a child or young person takes precedence, as per the Children’s Act 2014.
Record Keeping
Employees are required to provide identification, qualification and other documentation as part of the safety checking requirements, in accordance with the Children’s Act 2014. There is no explicit rule in the Privacy Act against making and retaining copies of passports, driver’s licences or birth certificates, but there is usually no reason for an employer to keep those copies once they have been able to confirm a person’s identity (information privacy principle 9).
Employers should only ask for the information they need to determine an applicant’s suitability for the job. Part of the employment process is to check an applicant’s identity. A passport, driver’s licence or birth certificate is one way to verify that a person is who they say they are.
As part of the application process, the employer should let the applicant know (as required by information privacy principle 3):
- Why the employer is asking for particular information and what they will use it for
- Who will see the information
- Whether it is compulsory or optional to provide the information, and any consequences of not providing the information
- That the applicant may access information about themselves and ask for it to be corrected if it is wrong.
Source: https://www.privacy.org.nz/privacy-act-2020/privacy-principles/
Records for each aspect of the safety check and risk assessment, along with the subsequent decision are placed on the Children’s Worker’s secure personnel file and will be retained for seven years from this date. (Legally, personnel files must be kept for at least six years and pay records (wages and time) seven years. Source: Employment Relations Act 2000 https://www.legislation.govt.nz/act/public/2000/0024/latest/DLM60375.html ).
Any amendments arising out of three-yearly period checks will be added and retained in the personnel file.
Records of private information will be kept in accordance with Privacy Act 2020 requirements:
Source: https://www.privacy.org.nz/privacy-act-2020/privacy-principles/
Main mandatory information employers must keep on file about each of their employees:
- employee name, postal address and age (if under 20 years old)
- a signed employment agreement covering specific information (and any accompanying role description) and any variations
- type of employment agreement — collective or individual
- offer letter, if there is no signed employment agreement yet
- visa showing eligibility to work in NZ, if relevant
- an employee-completed Tax code declaration (IR330)
- details of agreed wage payment method, e.g. ‘by cash’ or a bank account — legally, all wages must be paid in NZ cash unless agreed otherwise in writing, e.g. in the employment agreement
- employment start date
- annual leave and holidays entitlement anniversary dates — the annual leave anniversary date can differ from the anniversary of the start date due to closedown periods.
Source: https://www.business.govt.nz/
Managing Privacy Breaches
All staff are required to report potential privacy breaches that they become aware of as soon as possible to the Head Teacher/ Centre Manager/ Centre Director.
Where a potential privacy breach has been discovered, the centre privacy officer will take immediate steps to contain and assess the situation on an urgent basis.
A privacy breach, in relation to personal information held by an agency,—
The centre will undertake an initial investigation to determine what has happened and take steps to stop it from continuing and/or becoming worse.
If a privacy breach has occurred that either has caused or is likely to cause anyone serious harm, the Privacy Commissioner and any affected people must be notified as soon as is practically possible.
For more information about which breaches need to be notified, when, and to whom, refer to the Privacy Commissioner’s website (see https://privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/) and to sections 112-122 of the Privacy Act.
In summary:
When determining whether the breach is likely to cause serious harm, the following factors will be considered:
- The actions that have been taken to reduce the risk of harm following the breach
- Whether the personal information is sensitive in nature (information about children)
- The nature of the harm that may be caused to affected individuals
- The person or body that has obtained or may obtain personal information as a result of the breach (if known)
- Whether the personal information is protected by a security measure
- Any other relevant matters.
Notifying breaches can be complex and care will be taken. Failure to notify and failure to follow the Privacy Act requirements is an offence. Reference to the Privacy Commissioner’s website and/or seeking legal advice is therefore a step that may be taken by the Privacy Officer from time to time.
Dealing with information requests
Parents have a right to access and correct the information about them and their child that the Centre holds, with only some limited exceptions. All privacy information requests should be forwarded to and dealt with promptly by the Centre’s Head Teacher/ Centre Manager/ Centre Director, in accordance with all the process and other requirements under the Privacy Act.
Parents and guardians need to be aware that under the Education Act and the Licensing Criteria for ECE services, any government official may request and access any information held by the centre about any child or parent. The following link provides parents with information about the privacy policies of the Ministry of Education:
Further information about dealing with information requests is available on the Privacy Commissioner’s website.
Storing and disposing of children’s records
The Ministry of Education requires that all enrolment and attendance information collected about children and their families is retained by the centre for seven years. This includes health information about the child, e.g. immunisation information. Our centre stores this information so that it is retrievable but is otherwise stored securely and safely with controlled access.
When information is no longer required, it is destroyed so that it cannot be retrieved.
Procedures for when parents/guardians separate and guidance specific to dealing with children’s information
Unless otherwise specified by Court Guardianship Order, the centre recognises the role of both parents of the child where applicable in relation to information requests about the child, whether parents have separated or remain together. Only when the centre is made aware that the Court orders a specific guardianship or custody order, by provision of a copy of that written order to the centre, will the centre act on such an order and refer any requests for information to the legal guardian named by the Court.
It should be noted that it is not this centre’s role to become engaged in matters of dispute between parents.
Implications and/or Risks
Following this policy helps to ensure we are meeting our privacy obligations and protecting the privacy of children, their families and our staff. It significantly reduces the risk of harm caused by privacy breaches and of losing the trust of parents, and helps maintain our reputation.
Alignment with Other Policies
This policy aligns with:
- Child Protection Policy
- Safety Checking Policy and Risk Assessment Procedure
Relevant Background (including Legislation/Regulation/Licensing references)
- Privacy Act 2020: https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
More information
More information about the Privacy Act and useful resources can be found here on the Privacy Commissioner’s website: https://www.privacy.org.nz/.