Early Childhood Services are required to comply with Australia's privacy law, known as the Privacy Act 1988 (the Act).
To comply with the Privacy Act, ECEC services are required to follow the Australian Privacy Principles (APPs), which are contained in Schedule 1 of the Act.
In particular, the principles cover how personal information can be used and disclosed (including overseas), keeping personal information secure, and the open and transparent management of personal information including having a privacy policy.
The principles cover:
- the open and transparent management of personal information including having a privacy policy
- an individual having the option of transacting anonymously or using a pseudonym where practicable
- the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
- how personal information can be used and disclosed (including overseas)
- maintaining the quality of personal information
- keeping personal information secure
- the right of individuals to access and correct their personal information
The APPs place more stringent obligations on APP entities when they handle ‘sensitive information’. Sensitive information is a type of personal information and includes information about an individual's:
- health (including predictive genetic information)
- racial or ethnic origin
- political opinions
- membership of a political association, professional or trade association or trade union
- religious beliefs or affiliations
- philosophical beliefs
- sexual orientation or practices
- criminal record
- biometric information that is to be used for certain purposes
- biometric templates.
The Australian Privacy Principles outline how Early Childhood Educational Services must handle, use and manage the personal information of their clients.
New requirements under the Privacy Act as of February 2018
The Privacy Act was amended in February 2017, with the changes due to take effect on February 22, 2018.
The new law introduces a Notifiable Data Breaches (NDB) scheme that requires all businesses regulated by the Privacy Act (including Early Childhood Educational Services) to provide notice to the Office of the Australian Information Commissioner (formerly known as the Privacy Commissioner) and affected individuals of any data breaches (i.e. data leaks) that are “likely” to result in “serious harm.”
Businesses that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected.
A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to $360,000 for individuals or $1.8 million for organisations.
Early Childhood Services are encouraged to:
- share this information with relevant staff
- make sure all relevant staff understand the requirements under Australia's privacy law
- introduce a privacy policy to ensure that your business's practices comply with the Australian Privacy Principles (this may include delegating a staff member to oversee all privacy-related activities to ensure compliance).
For more information please read the Privacy Act 1988, Schedule 1.
References:
- Australian Childcare Alliance - Changes to Australia's Privacy Laws
- Office of the Australian Information Commissioner - Australian Privacy Principles
- Privacy Act 1988