Polykids - Privacy
The purpose of this operational policy is to ensure our centre is clear about its privacy responsibilities under the Privacy Act 2020. This policy ensures all personal information about children, families and staff is protected.
Legislative: Privacy Act 2020
Licensing criteria: Reg. 47, GMA10; GMA11
National guidelines: Te Whariki - Belonging: Goal 2; Individuals experience an environment where they know they have a place.
Our centre protects the privacy of children and their families enrolled in our service, and staff employed by our service, and in so doing adheres to the Privacy Act 2020
The Privacy Act 2020 sets out protections for individual's right to privacy, including the privacy of children attending our centre, and their families. As a licensed early childhood education centre receiving government subsidies, we are, however, required to collect some information in order to operate our service and meet government requirements for our sector. Children, their families and staff are entitled to know what information is being collected and its purpose; and who information about them is being shared with and why.
Overview of the information privacy principles
The Privacy Act has 13 Information Privacy Principles (IPPs) which outline how personal information is collected, stored, accessed, used and disclosed. The IPPs can be read here: https://privacy.org.nz/responsibilities/your-obligations/
In summary, the Information privacy principles are:
1. Only collect the information you need.
2. Where possible, get the information directly from the person.
3. Be clear about what the information will be used for
4. Use fair and reasonable ways of collecting information.
5. Keep information safe.
6. Let people access information about themselves.
7. Correct information or provide a statement of correction if the person thinks it is wrong.
8. Make sure information is accurate before you use it.
9. Only keep information as long as you need it.
10. Only use the information for the purpose you collected it.
11. Only share personal information if you have a good reason such as when:
- you have the permission of the person the information is about.
- another law requires you to disclose it.
- it is one of the purposes for which you got the information.
- it is necessary to uphold or enforce the law.
- it is necessary for court proceedings.
- you disclose it in a form that does not identify the person it’s about.
12. Only send personal information overseas if the organisation outside of New Zealand meets the criteria outlined in Privacy Principle 12.
13. Only use individual identifiers (such as NSN number) where it is necessary.
Preventing Privacy Breaches
Our centre undertakes a regular annual Privacy Impact Assessments (see the OPC's website) and robust staff induction/training on privacy issues.
Managing Privacy Breaches
All staff are required to report potential privacy breaches that they become aware of as soon as possible to the Privacy Officer/Te Kaihāpai.
Where a potential privacy breach has been discovered, the centre privacy officer will take immediate steps to contain and assess the situation on an urgent basis.
A privacy breach, in relation to personal information held by an agency, —
(i) unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information
(ii) an action that prevents the agency from accessing the information on either a temporary or permanent basis
(b) x includes any of the things listed in paragraph (a)(i) or an action under paragraph (a)(ii), whether or not it:
(i) was caused by a person inside or outside the agency; or
(ii) is attributable in whole or in part to any action by the agency; or
The centre will undertake an initial investigation to determine what has happened and take steps to stop it from continuing and/or becoming worse.
Certain privacy breaches also must be 'notified' both to the Privacy Commissioner and to the people affected. The Centre is in breach of the Privacy Act and liable for a fine if it does not adhere to these requirements.
For more information about which breaches need to be notified, when, and to who, refer to the Privacy Commissioner's website (see https://privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/) and to sections 112-122 of the Privacy Act.
If the breach has or is likely to cause serious harm to affected individuals, the centre will notify the breach to the Privacy Commissioner and the affected individual(s) as soon as practicable after becoming aware of the breach. When determining whether the breach is likely to cause serious harm, the following factors will be considered:
- The actions have been taken to reduce the risk of harm following the breach.
- Whether the personal information is sensitive in nature (information about children)
- The nature of the harm that may be caused to affected individuals.
- The person or body that has obtained or may obtain personal information because of the breach (if known)
- Whether the personal information is protected by a security measure
- Any other relevant matters.
Notifying breaches can be complex and care will be taken. Failure to notify and failure to follow the Privacy Act requirements is an offence. Reference to the Privacy Commissioner's website and/or seeking legal advice is therefore a step that may be taken by the Privacy Officer from time-to-time.
Dealing with information requests
Parents have a right to access and correct the information about them and their child that the Centre holds, with only some limited exceptions. All privacy information requests should be forwarded to and dealt with promptly by the Centre's privacy officer, in accordance with all the process and other requirements under the Privacy Act.
Parents and guardians need to be aware that under the Education Act and the Licensing Criteria for ECE services, any government official may request and access any information held by the centre about any child or parent. The following links provide parents with information about the privacy policies of the Ministry of Education
Further information about dealing with information requests is available on the Privacy Commissioner's website.
Storing and disposing of records
The Ministry of Education requires that all enrolment and attendance information collected about children and their families is retained by the centre for seven years. This includes health information about the child. Our centre stores this information so that it is retrievable but is otherwise stored securely and safely with controlled access.
When information is no longer required, it is destroyed so that it cannot be retrieved.
Procedures for when parents/guardians separate and guidance specific to dealing with children's information
Unless otherwise specified by Court Guardianship Order, the centre recognises the role of both parents of the child where applicable in relation to information requests about the child, whether parents have separated or remain together. Only when the centre is made aware that the Court orders a specific guardianship or custody order, by provision of a copy of that written order to the centre, will the centre act on such an order and refer any requests for information to the legal guardian named by the Court.
It should be noted that it is not this centre’s role to become engaged in matters of dispute between parents.
Implications and/or Risks
Following this policy helps to ensure we are meeting our privacy obligations and protecting the privacy of children, their families and our staff. It significantly reduces the risk of harm caused by privacy breaches, losing trust with parents, and maintaining our reputation.
The implementation of this policy occurs at the time new staff are inducted into the centre and periodically through reference and discussion in staff meetings. The implementation of privacy procedures is monitored by the Privacy Officer.