Privacy and Confidentiality Policy

Mandatory – Quality Area 7


This policy was adopted by the Approved Provider of Cherry Crescent Preschool onand was amended at the committee meeting dated 25/05/2020


This policy will provide guidelines:

  • for the collection, storage, use, disclosure and disposal of personal information, including photos, videos and health information at Cherry Crescent Preschool
  • to ensure compliance with privacy legislation.

Policy statement

1.   Values

Cherry Crescent Preschool is committed to:

  • responsible and secure collection and handling of personal information
  • protecting the privacy of each individual's personal information
  • ensuring individuals are fully informed regarding the collection, storage, use, disclosure and disposal of their personal information, and their access to that information.

2.   Scope

This policy applies to the Approved Provider or Persons with Management or Control, Nominated Supervisor, Persons in Day to Day Charge, educators, staff, students on placement, volunteers, parents/guardians, children and others attending the programs and activities of Cherry Crescent Preschool

3.   Background and legislation


Early childhood services are obligated by law, service agreements and licensing requirements to comply with the privacy and health records legislation when collecting personal and health information about individuals.

The Health Records Act 2001 (Part 1, 7.1) and the Privacy and Data Protection Act 2014 (Vic) (Part 1, 6 (1)) include a clause that overrides the requirements of these Acts if they conflict with other Acts or Regulations already in place. For example, if there is a requirement under the Education and Care Services National Law Act 2010 or the Education and Care Services National Regulations 2011 that is inconsistent with the requirements of the privacy legislation, services are required to abide by the Education and Care Services National Law Act 2010 and the Education and Care Services National Regulations 2011.

Legislation and standards

Relevant legislation and standards include but are not limited to:

  • Associations Incorporation Reform Act 2012 (Vic)
  • Education and Care Services National Law Act 2010
  • Education and Care Services National Regulations 2011: Regulations 181, 183
  • Freedom of Information Act 1982 (Vic)
  • Health Records Act 2001 (Vic)
  • National Quality Standard, Quality Area 7: Leadership and Service Management

-      Standard 7.3: Administrative systems enable the effective management of a quality service


  • Privacy and Data Protection Act 2014 (Vic)
  • Privacy Act 1988 (Cth)
  • Privacy Amendment (Enhancing Privacy Protection )Act 2012 (Cth)
  • Privacy Regulations 2013 (Cth)
  • Public Records Act 1973 (Vic)

4.   Definitions

The terms defined in this section relate specifically to this policy. For commonly used terms e.g. Approved Provider, Nominated Supervisor, Regulatory Authority etc. refer to the General Definitions section of this manual.

Freedom of Information Act 1982: Legislation regarding access and correction of information requests.

Health information: Any information or an opinion about the physical, mental or psychological health or ability (at any time) of an individual.

Health Records Act 2001: State legislation that regulates the management and privacy of health information handled by public and private sector bodies in Victoria.

Identifier/Unique identifier: A symbol or code (usually a number) assigned by an organisation to an individual to distinctively identify that individual while reducing privacy concerns by avoiding use of the person's name.

Personal information: Recorded information (including images) or opinion, whether true or not, about a living individual whose identity can reasonably be ascertained.

Privacy and Data Protection Act 2014: State legislation that provides for responsible collection and handling of personal information in the Victorian public sector, including some organisations, such as early childhood services contracted to provide services for government. It provides remedies for interferences with the information privacy of an individual and establishes the Commissioner for Privacy and Data Protection.

Privacy Act 1988: Commonwealth legislation that operates alongside state or territory Acts and makes provision for the collection, holding, use, correction, disclosure or transfer of personal information. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) introduced from 12 March 2014 has made extensive amendments to the Privacy Act 1988. Organisations with a turnover of $3 million per annum or more must comply with these regulations.

Privacy breach:An act or practice that interferes with the privacy of an individual by being contrary to, or inconsistent with, one or more of the information Privacy Principles (refer to Attachment 2: Privacy principles in action) or the new Australian Privacy Principles  (Attachment 7) or any relevant code of practice.

Public Records Act 1973 (Vic): Legislation regarding the management of public sector documents.

Sensitive information: Information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preference or practices, or criminal record. This is also considered to be personal information.

5.   Sources and related policies


  • Child Care Service Handbook 2017-18

  • Guidelines to the Information Privacy Principles:

  • ELAA Early Childhood Management Manual,
  • Office of the Health Complaints Commissioner:
  • Privacy Compliance Manual:
  • Australia Not-for-profit Law Guide (2017) Privacy Guide: A guide to compliance with privacy laws in Australia:
  • Office of the Victorian Information Commissioner:
  • Child Safe Environment Policy
  • Code of Conduct Policy
  • Complaints and Grievances Policy
  • Delivery and Collection of Children Policy
  • Enrolment and Orientation Policy
  • Information Technology Policy
  • Staffing Policy
  • Inclusion and Equity Policy
  • ensuring all records and documents are maintained and stored in accordance with Regulations 181 and 183 of the Education and Care Services National Regulations 2011
  • ensuring the service complies with the requirements of the Privacy Principles as outlined in the Health Records Act 2001, the Privacy and Data Protection Act 2014 (Vic) and, where applicable, the Privacy Act 1988 (Cth) and the Privacy Amendment (Enhancing Privacy Protection ) Act 2012 (Cth), by developing, reviewing and implementing processes and practices that identify:

Service policies


The Approved Provider and Persons with Management and Control is responsible for:

-           what information the service collects about individuals, and the source of the information

-           why and how the service collects, uses and discloses the information

-           who will have access to the information

-           risks in relation to the collection, storage, use, disclosure or disposal of and access to personal and health information collected by the service

  • ensuring parents/guardians know why the information is being collected and how it will be managed
  • providing adequate and appropriate secure storage for personal information collected by the service, including electronic storage
  • developing procedures that will protect personal information from unauthorised access
  • ensuring the appropriate use of images of children, including being aware of cultural sensitivities and the need for some images to be treated with special care
  • developing procedures to monitor compliance with the requirements of this policy
  • ensuring all employees and volunteers are provided with a copy of this policy, including the Privacy Statement of the service (refer to Attachment 4)
  • ensuring all parents/guardians are provided with the service’s Privacy Statement (refer to Attachment 4) and all relevant forms
  • informing parents/guardians that a copy of the complete policy is available on request
  • ensuring a copy of this policy, including the Privacy Statement, is prominently displayed at the service and available on request
  • establishing procedures to be implemented if parents/guardians request that their child’s image is nottobe taken, published or recorded, or when a child requests that their photo not be taken
  • develop a process to respond to a privacy breach in line with privacy principles (see sources)
  • assisting the Approved Provider to implement this policy
  • reading and acknowledging they have read the Privacy and Confidentiality Policy (refer to Attachment 3)
  • providing notice to children and parents/guardians when photos/video recordings are going to be taken at the service
  • ensuring educators and all staff are provided a copy of this policy and that they complete the Letter of acknowledgement and understanding (Attachment 3)
  • obtaining informed and voluntary consent of the parents/guardians of children who will be photographed or videoed.
  • reading and acknowledging they have read the Privacy and Confidentiality Policy (refer to Attachment 3)
  • recording information on children, which must be kept secure and may be requested and viewed by the child’s parents/guardians and representatives of the Department of Education and Training during an inspection visit
  • ensuring they are aware of their responsibilities in relation to the collection, storage, use, disclosure and disposal of personal and health information
  • implementing the requirements for the handling of personal and health information, as set out in this policy
  • respecting parents’ choices about their child being photographed or videoed, and children’s choices about being photographed or videoed.
  • providing accurate information when requested
  • maintaining the privacy of any personal or health information provided to them about other individuals, such as contact details
  • completing all permission forms and returning them to the service in a timely manner
  • being sensitive and respectful to other parent/guardians who do not want their child to be photographed or videoed
  • being sensitive and respectful of the privacy of other children and families in photographs/videos when using and disposing of these photographs/videos.

The Nominated Supervisor or Persons in Day to Day Charge is responsible for:

Educators and other staff are responsible for:

Parents/guardians are responsible for:

Volunteers and students, while at the service, are responsible for following this policy and its procedures.


In order to assess whether the values and purposes of the policy have been achieved, the Approved Provider of Cherry Crescent Preschool will:

  • regularly seek feedback from everyone affected by the policy regarding its effectiveness
  • monitor the implementation, compliance, complaints and incidents in relation to this policy
  • keep the policy up to date with current legislation, research, policy and best practice
  • revise the policy and procedures as part of the service’s policy review cycle, or as required
  • notify parents/guardians at least 14 days before making any changes to this policy or its procedures.