ECE privacy procedures

Application

These procedures apply to all University Members who work for or with the University’s ECE Centres/Kōhanga Reo, and to any volunteers, including whānau.

Purpose

These procedures support the University’s Privacy Framework, outlining specific privacy procedures and considerations relating to the management of personal information by the University’s ECE Centres/Kōhanga Reo.

Background

The University’s Privacy Framework includes a high-level Privacy Policy, privacy procedures relating to Disclosure, Personal Information Requests and Privacy Breach Management, and a set of Privacy Guidelines (or FAQs). All University Members are expected to manage personal information in accordance with the University’s Privacy Framework, which promotes the following concepts:

  • Data minimisation – limiting the amount of personal information the University collects and retains
  • Transparency – being open and honest about what information the University collects and how it will be used
  • Security – protecting the personal information the University holds from harm
  • Use limitation – making sure the University uses and discloses personal information only when necessary and with a lawful basis
  • Privacy rights – helping the University’s data subjects to exercise their privacy rights and maintain some control over their information.

Privacy is particularly important for ECE Centres/Kōhanga Reo, which collect and process personal information about vulnerable people – including tamariki and their whānau – and may have to use or share personal information in ways that could impact on individual trust. These procedures are intended to help ECE Centres/Kōhanga Reo to manage their specific regulatory and safety requirements in a way that protects and respects tamariki and whānau privacy.

ECE Procedures

ECE Centres/Kōhanga Reo must generally manage personal information in accordance with the University’s Privacy Policy and associated procedures, with the exception of the specific procedures set out below. In the event of any inconsistency between these ECE procedures and the University’s general Privacy Policy and associated procedures, the ECE procedures will prevail.

Governance

1. Each Centre Leader will act as the first line Privacy Officer for their centre/Kōhanga Reo. The ECE General Manager, with the support of the ECE Growth and Compliance Leader, will provide support, and a point of escalation, to Centre Leaders where required. The ECE General Manager will escalate significant privacy issues to the University Privacy Officer (General Counsel) where required.

Collection

2. ECE Centres/Kōhanga Reo must collect only the personal information they need to deliver services and meet their regulatory and other requirements. The types of personal information we collect about tamariki and their whānau are listed in the ECE Privacy Statement.

3. ECE Centres/Kōhanga Reo will generally collect personal information about tamariki  from their parents/guardians. If we need to collect personal information from another third party source – such as the Police – we should ask for the consent of the individual concerned before doing so.

4. ECE Centre/Kōhanga Reo staff, students, volunteers and contractors must read and understand the ECE Privacy Statement and be able to explain to parents/guardians or others why personal information is required, and how it may be used or shared.

5. ECE Centres/Kōhanga Reo must collect information in ways that are fair and not unreasonably intrusive. This requires us to consider:

  • The age of the person we’re collecting information from. The younger they are, the less they may understand about the consequences of giving us information or authorising us to collect it from someone else.
  • Cultural or religious sensitivities about sharing certain information. For example, gender differences could be more important for some cultures.
  • The power imbalance between a teacher and their tamariki, or between ECE staff and parents/guardians, which can have an impact on fairness.
  • The environment within which we’re collecting information. For example, we should not ask tamariki to reveal sensitive information in a classroom setting.

6. In some cases, ECE Centres/Kōhanga Reo must ask parents/guardians for their consent to collect or use personal information in certain ways. For example, we must obtain the written consent of parents/guardians in order to use photographs or videos footage of their tamariki for any public purposes, such as research, promotion, marketing, or sharing with parent/guardian class groups.

7. Parents/guardians or whānau must not be permitted to take photographs or video footage of tamariki at ECE Centres/Kōhanga Reo.

8. ECE Centres/Kōhanga Reo must use only centre devices to capture photographs or video footage of tamariki. If personal devices are used, photographs or videos must be promptly transferred to centre systems and deleted from those devices.

Use and disclosure

9. ECE Centres/Kōhanga Reo should generally use and disclose personal information only in the ways we outline in the ECE Privacy Statement. Any uses of information for new purposes, or disclosures to third parties not listed in the ECE Privacy Statement, must be approved by the ECE General Manager.

10. ECE Centre/Kōhanga Reo staff, students, volunteers and contractors must confirm that the relevant parent/guardian has provided written consent before using photographs, videos or other media about their tamariki for any public purposes, such as research, promotion, marketing, or sharing with parent/guardian class groups.

11. ECE Centres/Kōhanga Reo staff, students, volunteers and contractors must never disclose personal information, including photographs or videos of tamariki, on social media platforms or other websites. For more information on acceptable use of social media platforms and other technology, see the University IT Acceptable Use Policy.

12. ECE Centres/Kōhanga Reo must manage requests for information from government or law enforcement agencies, including Oranga Tamariki or the Police, in accordance with the Information Sharing Process set out at Appendix 1.

13. ECE Centres/Kōhanga Reo may proactively disclose personal information to certain government or law enforcement agencies if they believe this is necessary to ensure the safety of a tamaiti. Such disclosures should be managed in accordance with the Information Sharing Process at Appendix 1.

14. ECE Centres/Kōhanga Reo must manage requests from parents/guardians for personal information about their tamariki in accordance with paragraphs 14-17.

Access and Correction

15. All data subjects have the right to request a copy of personal information ECE Centres/Kōhanga Reo hold about them. This means parents/guardians, staff, volunteers, students and contractors can request a copy of personal information about themselves. These requests must be escalated to the Centre Leader, and managed in accordance with the University Personal Information Request Procedures.

16. The Privacy Act does not give parents/guardians an enforceable right to request a copy of the personal information we hold or create about their tamariki. In practice, we will share personal information about tamariki with their parents/guardians, both on request and proactively as part of our ongoing operations. However, we must always take into consideration the best interests of our tamariki. There may be circumstances in which it is not in the best interests of the tamaiti for us to release personal information to their parent/guardian (for example, where we have documented suspicions of child abuse or neglect). In these cases, we may refuse to release personal information to parents/guardians.

17. It should be noted that parents/guardians have access to a secure online learning profile which contains written and visual materials about their tamaiti’s experience while attending the ECE Centre/Kōhanga Reo.

Retention

18. Personal information must be retained in accordance with the University General Disposal Authority (GDA).

19. Where the GDA does not specify a retention period for a specific type of personal information, ECE Centres/Kōhanga Reo must ensure that the information is not retained for longer than we have a lawful purpose to use it. In some cases, the information we hold is subject to legislative retention requirements. For example, the Early Childhood Education Regulations 2008 require us to retain tamariki enrolment forms for 7 years.

Security

20. All ECE Centre/Kōhanga Reo staff, students, volunteers and contractors must take reasonable steps to protect the personal information we hold from loss, unauthorised access, use or disclosure, or any other misuse.

21. ECE Centre/Kōhanga Reo staff, students, volunteers and contractors must ensure that they access and use only the personal information they need to discharge their lawful functions.

22. Personal information must be stored securely, in lockable cabinets, or in the secure system of record for that type of information. Some employment information is stored by the University’s HR Services in their secure systems. 

23. Personnel files for ECE Centre/Kōhanga Reo staff, students, volunteers and contractors may only be directly accessed by the Centre Leader or Assistant Centre Leader. Where necessary, personal information about staff, students, volunteers and contractors may be made available to HR staff, authorised administrative staff, or third parties required to conduct audits, such as the Ministry of Education or Education Review Office.

24. Privacy breaches must be reported immediately to the Centre Leader. The Centre Leader must ensure that privacy breaches are managed in accordance with the University Privacy Breach Management Procedures. Complaints from parents/guardians or whānau about privacy issues should also be reported to the Centre Leader.

Definitions

The following definitions apply to this policy:

Parent/guardian means the adult/s who is responsible for the upbringing and care of the tamaiti. This could include the mother OR the father acting as a sole guardian, and anyone else the Family Court has appointed as a guardian. For more information on who could be a guardian, check the Ministry of Justice website.

Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses. For the purposes of these procedures, data subject includes tamariki, parents/guardians and whānau.

Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject.

Privacy breach means an event (whether intentional or unintentional) in which personal information is lost or is accessed, altered, disclosed or destroyed without authorisation, or is at increased risk due to poor security safeguards, including but not limited to:

  • accidental disclosure of personal information to the wrong recipient;
  • employee browsing of personal information without a legitimate business reason;
  • an external attack on a University system; or
  • a lost or stolen University device or document

University member includes members of Council, committee members, staff members, committee appointees, the University’s companies’ staff and board members and contractors working for and on behalf of the University and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the University.

Key relevant documents

Document management and control

Owner: Jo Waugh
Content manager: Tegan O'Rourke
Prepared by: Tegan O'Rourke
Approved by: Paul Divers
Date approved: 10 November 2022
Review date: November 2023

Appendix 1: Information Sharing Guidelines

In some cases, ECE Centres/Kōhanga Reo may be requested to, or decide to, share personal information about tamariki with government agencies.

Where such disclosures are required or permitted by another law (such as sections 15 or 66 of the Oranga Tamariki Act), these will not breach the Privacy Act. Where no other law applies, then we must ensure that an exception to principle 11 of the Privacy Act (which relates to disclosure) applies to permit us to share the information.

Responding to requests for information from government agencies

ECE Centres/Kōhanga Reo may receive requests for information about tamariki from various government agencies, including the Police, the Ministry of Education, or Oranga Tamariki. These requests must be managed in accordance with the following steps.

  1. Escalate the request – Requests for information from government agencies must be escalated to the Centre Leader or, if appropriate, the ECE General Manager. 
  2. Verify that the request is genuine – Ensure that the request has been received in writing from a valid agency email address or on agency letterhead. If in doubt, contact the agency using publicly available phone number to verify the request.
  3. Confirm the legal basis for the request – Ensure that the request states the specific legislative provision it is being made under. For Oranga Tamariki, this will usually be section 66 of the Oranga Tamariki Act. If there is no legislative basis for the request, then the ECE Centre/Kōhanga Reo will need to ensure the disclosure is permitted by the Privacy Act (see below).
  4. Clarify the request – Before making a decision on a request, we need to be clear about:
    a. The scope of the request – how much information is the requester asking for, about whom, in relation to what time period, etc?
    b. The purpose for the request – is it made as part of a child welfare concern or investigation, or as part of legal proceedings?
  5. Limit the scope of the disclosure – Remember, we should only ever disclose the minimum amount of personal information required to meet the purposes of the request. Always ensure that information provided is objective, impartial and factual, and that the information is not hearsay.

Proactive disclosures of information to government agencies

Remember, ECE Centres/Kōhanga Reo can always disclose personal information to third parties in the ways we outlined in the ECE Privacy Statement. However, situations may arise in which we believe it is necessary to disclose information in ways that our tamariki, parents/guardians or whānau might not expect.

Reporting suspected abuse

Section 15 of the Oranga Tamariki Act states that, if we believes that a child or young person has been, or is likely to be, harmed, ill-treated, abused, (whether physically, emotionally, or sexually), neglected, or deprived, or if we have concerns about the well-being of a child or young person, we may report the matter to Oranga Tamariki or the Police.

Sharing other safety concerns

In cases where section 15 of the Oranga Tamariki Act will not apply – for example where we need to disclose information to a member of a tamaiti’s whānau – principle 11 of the Privacy Act permits us to disclose personal information if we believe on reasonable grounds that it is necessary to prevent or lessen a serious threat to health or safety. 

To rely on this exception, we need to:

  • be satisfied that a serious threat exists; and
  • believe on reasonable grounds that disclosure is necessary to prevent or lessen that serious threat.

 To decide if a threat is serious, the Privacy Act requires us to consider:

  1. The likelihood of the threat occurring – is there a good chance this thing will happen?
  2. The severity of the consequences if the threat occurs – if it happens, how bad will it be?
  3. The time at which the threat might occur – how soon could this happen? 

We also need to make sure we disclose personal information to a person or agency that can actually do something about the threat. This might be the Police, a member of a tamaiti’s whānau, a healthcare provider, or an emergency healthcare provider. We cannot use this exception to disclose information to the media or any other person or agency that does not have a role in protecting people or the person concerned.

Remember, we should only ever disclose the minimum amount of personal information required to assist with preventing or lessening the threat.

Keep a record of all disclosures

In the event of a complaint to the Privacy Commissioner, we must be able to demonstrate that we had a reasonable basis to believe we could disclose personal information at the time we disclosed it. This means we must keep a record of all disclosures made under this procedure, which includes the following information:

  1. Date of the disclosure
  2. Details of the person or agency to which the information was disclosed
  3. Copy of the request
  4. Record of reasons for disclosing the information
  5. Copy of any advice received about the disclosure
  6. Record of what information was disclosed