Privacy Policy

1. RATIONALE

This Privacy Policy applies to Early Education and Care Services conducted by Sydney Catholic Early Childhood Services (SCECS) and sets out how SCECS and each individual service manages personal information provided to or collected by it, whether in its Central office or Sydney Catholic Schools (SCS) Information & Technology systems (For which a Service Agreement between SCECS and Sydney Catholic School Ltd as Trustee for Sydney Catholic School Trust is held), or in any of the individual services for which it has governance responsibility.

SCECS collects personal information of parents, guardians, children, employees and stakeholders for the primary purpose of providing early childhood education and care services. In some circumstances, we may be required by law to provide personal information to another organisation. The personal information will only be used for the purpose or related purpose, for which it was collected.

SCECS is committed to managing collected personal information, storage, use and disclose, as well as disposal, to a high standard of diligence and care, in accordance with both State and Commonwealth Legislation in line with the Australian Privacy Principles.

2. GUIDING PRINCIPLES

2.1 SCECS is bound by the Australian Privacy Principles contained in the Privacy Act 1988 (Cth). In relation to health records, SCECS is also bound by the NSW Health Privacy Principles which are contained in the Health Records and Information Privacy Act 2002 (NSW)

2.2 SCECS may, from time to time, review and update this Privacy Policy to take account of new laws and technology, to reflect changes to SCECS operations and practices, and to ensure that it remains appropriate to the changing Early Childhood Education and Care environment of the individual services governed by SCECS.

3. PROCEDURES

3.1 Personal Information

3.1.1 The type of information individual services and SCECS collect and hold includes (but is not limited to) personal information, including health and other sensitive information, about:

Children and parents and / or guardians (hereafter referred to as parents) before, during and after the course of a child's enrolment at the service, including:

  • name, contact details, emergency contact details, authorised nominee contact details and permissions, date of birth, gender, language and cultural background, country of birth and religion,
  • parents' occupation/ study/ employment, proof of identity, language and cultural background,
  • customer reference number (CRN) for both the child and one parent,
  • birth certificate, visa and immunisation history statement or equivalent,
  • health and medical information and dietary requirements (e.g. details of additional needs/ disability and/ or allergies, anaphylaxis, diabetes, epilepsy/ seizures, medical action plans, risk minimisation plans, medical reports, therapist and specialist reports, regular medication, medical procedures and names of doctors and dentist),
  • complaint records,
  • observations, learning programs, assessment of learning, developmental summaries, inclusion support plans and transition to school statements,
  • photos, images, artwork, videos, artwork and transcripts at the service for the purpose of children's learning and developmental records,
  • information about referrals from and to government welfare agencies,
  • welfare or wellbeing counselling reports and family violence intervention orders,
  • national disability insurance scheme (NDIS), health care card, health fund details and Medicare numbers,
  • any court orders, parenting orders or parenting plans,
  • Services Australia customer reference number and tax file numbers,
  • bank account and credit card details,
  • when visiting our websites with the use of cookies.

Job applicants, staff members, students, volunteers and contractors, including:

  • name, contact details (including next of kin), date of birth, religion and cultural background,
  • information on job application,
  • ID documentation such as drivers licence, passport, visa's,
  • qualifications and professional development history,bank account details, tax file number, salary and payment information,  including superannuation details,
  • medical information (e.g. details of immunisation, disability and / or allergies and medical certificates),
  • criminal history checks,
  • court orders,
  • workers compensation, modified duties and claim information,
  • working with children checks,
  • complaint records and investigation reports,
  • leave details,
  • photos and videos at service events,
  • workplace surveillance information,
  • work emails and private emails (when using work email address) and Internet browsing history,
  • other people who come into contact with the service,
  • electronic portals (e.g. PHRIS, Deputy)
  • when visiting our websites with the use of cookies.

4.1.2 Personal information parents and children provide: services will generally collect personal information held about a child /en by way of, but not limited to,

  • SCECS enrolment forms,
  • SCECS forms,
  • learning and development records, including photos, images, artwork, videos and transcripts,
  • electronic portals (e.g. Storypark Manage, Storypark, surveys),
  • face-to-face meetings and interviews,
  • emails and telephone calls,
  • on occasion, people other than parents and children provide personal information,such as health or medical professional and government agency.

4.1.3 Personal Information provided by other people: in some circumstances services may be provided with personal information about a child / ren from a third party,for example a report provided by a medical professional or a government agency.

4.1.4 Exception in relation to employee records: under the Privacy Act 1988 (Cth)and Health Records and Information Privacy Act 2002 (NSW), the Australian Privacy Principles and Health Privacy Principles do not apply to an employee record. As a result,this Privacy Policy does not apply to a service's treatment of an employee record, where the treatment is directly related to a current or former employment relationship.

4.2 Use of Personal Information

4.2.1 A service will use personal information it collects from parents for the primary purpose of collection, and for secondary purposes that are related to the primary purpose and reasonably expected by parents, or to which they have consented.

4.2.2 Children and parents: in relation to personal information of children and parents, a service's primary purpose of collection is to enable the service to provide an education and leisure learning program for the child / ren. This includes satisfying the needs of the parents, the needs of the child / ren and the needs of SCECS, and the service throughout the whole period the child is enrolled.

4.2.3 Purposes for which SCECS and a service use personal information include:

  • to inform parents of their child's education and leisure learning program, spiritual, social and physical wellbeing, including medical treatment, through correspondence, learning & developmental records and newsletters,
  • day-to-day administration, operational processes and management of the service,
  • processing payments and assessing eligibility for funding support or other benefits,
  • marketing and promotional activities for the service,
  • conducting research,
  • partnerships with third parties,
  • managing and resolving complaints or issues,
  • managing risks,to satisfy the legal or regulatory obligations of SCECS and the service and to allow the service to discharge its duty of care.

4.2.4 In some cases, where a service requests personal information about a child or parent, if the information requested is not provided, the service may not be able to enrol or continue the enrolment of the child, or permit the child to take part in a particular activity / incursion /excursion.

4.2.5 Job applicants, staff members and contractors: in relation to personal information of job applicants, staff members and contractors, SECS primary purpose of collection is to assess and (if successful) to engage the applicant, staff member or contractor, whichever the case may be.

4.2.6 Purposes for which SCECS uses the personal information of job applicants, staff members and contractors include:

  • administering the individual's employment or contract,
  • insurance,
  • marketing for the service,
  • satisfying SCECS legal obligations, for example in relation to child protection legislation.

4.2.7 Volunteers: SCECS also obtain personal information about volunteers who assist the service in its functions or conduct associated activities, to enable the service and the volunteers to work together and meet regulatory requirements.

4.2.8 Marketing: SCECS regards marketing to be an important part of ensuring that the service promotes its high quality education and leisure environment in which children and staff thrive. Service publications, such as newsletters, which include personal information,may be used for marketing purposes.

4.2.9 Exceptions in relation to related services: The Privacy Act allows each service, to share personal (but not sensitive) information with the other services conducted by SCECS. Other services may then only use this personal information for the purpose for which it was originally collected by SCECS or the service. This allows services to transfer information between them, for example, when a child transfers from an OSHC service to a vacation care service, or there is an outstanding debt.

4.3 Disclosure of Personal Information

4.3.1 A service may disclose personal information, including sensitive information held about a child/ren to:

  • other services, and educators of those services, governed by SCECS,
  • commonwealth and state government departments and authorised agencies,
  • SCS for transition to school purposes and / or liaison of consistent strategies and practices for children with additional needs,
  • people providing support to the service including medical practitioners and health therapists and professionals,
  • regulatory authorities, including Australian Children's Education & Care Quality(ACECQA) and the Early Childhood Education Directorate - NSW Department of Education,
  • organisations providing administrative and funding to the service including the Commonwealth Inclusion Development Fund, Department of Education, Skills and Employment - Child Care Subsidy (CCS / ACCS), Storypark Manage and Paychoice,
  • recipients of service publications, such as newsletters,
  • third party products or services e.g. educational technology service providers, such as storypark,
  • parents,
  • anyone parents authorise the service to disclose information to,
  • anyone to whom the services or SCECS are required to disclose information by law.

4.3.2 The service may use online or 'cloud' service providers to store personal information and to provide facilities to the service that involve the use of personal information, such as email, education and leisure applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may be stored on a cloud service provider's servers which may be situated outside Australia.

An example of such a cloud service provider is Google. Google provides the 'G Suite for Education' (G Suite) including Gmail, and stores and processes limited personal information for this purpose. Service personnel, SCECS and their service providers may have the ability to access, monitor, use or disclose emails, communications, documents and administrative data for the purposes ensuring the proper use of the G Suite.

4.4 Sensitive Information

4.4.1 In referring to 'sensitive information', the service means information about an individual relating to their racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices, criminal record, health information and biometric information.

4.4.2 Sensitive information will be used and disclosed only for the purpose for which it was provided, or a directly related secondary purpose, unless a parent agrees otherwise or the use or disclosure of the sensitive information is allowed by law.

4.5 Management and Security of Personal Information

4.5.1 SCECS and service staff are required to respect the confidentiality of children and parents' personal information and the privacy of individuals.

4.5.2 Each service has steps in place to protect the personal information the serviceholds from misuse, interference, loss, unauthorised access, modification or disclosure. These include secure storage of paper records and password protected access to computerised records.

4.5.3 SCECS and its services also store personal information on digital information management and storage platforms called Storypark Manage, Storypark and 'G suite'. Access to personal information may be granted to children and parents to allow them to update personal information online. Children and parents privacy and information access rights remain the same regardless of where or how the information is stored.

4.5.4 Personal information will be restricted and only accessible by persons authorised by SCECS.

4.6 Access to and Correction of Personal Information

4.6.1 Under the Privacy Act 1988 (Cth) and Health Records and Information Privacy Act 2002 (NSW), a child and parent has the right to obtain access to any personal information which SCECS or a service holds about them and to advise SCECS and the service of any perceived inaccuracy. Children and parents will generally be able to access and update their personal information. There are some exceptions to these rights set out in the applicable legislation.

4.6.2 To make a request to access or update any personal information SCECS or a service holds about a parent or a child, a parent may contact the service Director /Coordinator or the Privacy Officer SECS Administration scecs@syd.catholic.edu.au in writing. The service may require the parent to verify their identity and specify what information is required. The service may charge a fee to cover the cost of verifying an application and locating, retrieving, reviewing and copying the material requested. If the information sought is extensive, the service will advise the likely cost in advance. If the service cannot provide access to the requested information, the service will provide the parent with a written notice explaining the reasons for refusal.

4.7 Consent and Right of Access to the Personal Information of Children

4.7.1 SECS respects every parent's right to make decisions concerning their child's education and leisure learning program. Generally, a service will refer any requests for consent and notices in relation to the personal information of a child to that child's parents. A service will treat consent given by parents as consent given on behalf of the child, and notice to parents will act as notice given to the child.

4.7.2 As mentioned above, parents may seek access to personal information held by a service or SCECS about them or their child, by contacting the Service's Director/Coordinator or Privacy Officer SCECS Administration. However, there will be occasions when access is denied. Such occasions would include, but is not limited to the following circumstances,

  • where release of the information would have an unreasonable impact on the privacy and safety of others,
  • where the release may result in a breach of a service's duty of care to the child,
  • where there is an existing or anticipated legal proceeding,
  • where it could prejudice an investigation being conducted by a law enforcement body.

4.8 Data Breaches

4.8.1 A data breach can occur when personal information is lost or subjected to unauthorised access, modification, use or disclosure. Data breaches can give rise to a range of actual or potential harm to individuals, agencies or organisations.

4.8.2 In the event of any suspected or actual data breach, the matter will be investigated to determine,

  • The nature of the breach,
  • The number of people impacted,
  • The extent to which an individual or group may be harmed by the breach,
  • Remedial action to minimise or prevent impact,
  • Review of systems to minimise the possibility of future similar breach.

4.9 Enquiries and Complaints

4.9.1 For further information about the way SCECS or a service manages the personal information it holds, or to complain about an alleged breach of the Australian Privacy Principles by the service, please contact the service's Director / Coordinator or the Privacy Officer SCECS Administration on 02 9568 8628 or by email to scecs@syd.catholic.edu.au.The service and SCECS will investigate any complaint and will notify the parent of the decision in relation to the complaint as soon as is practicable.

If you are not satisfied with the response provided, you may refer your complaint to the Office of the Australian Information Commissioner on 1300 363 992 or by email to enquiries@oaic.gov.au.

5. RESOURCES/REFERENCES

6. APPENDICES

  • SCECS Standard Collection Notice (as part of QK Enrol process)
  • SCECS Employee Collection Notice
  • SCECS Data Breach Management and Action Plan

7. MONITORING, EVALUATION AND REVIEW

This policy will be monitored to ensure compliance with legislative requirements and unless deemed necessary through the identification of gaps, the service will review this policy every three years.

In accordance with R. 172 of the Education and Care Services National Regulations, the service will ensure that families of children enrolled in the service are notified at least 14 days before making any change to a policy or procedure that may have significant impact on the provision of education and care to any child enrolled at the service; a family's ability to utilise the service; the fees charged or the way in which fees are collected.

The authorisation and amendment history for this document must be listed in the following table: