Privacy and Confidentiality Policy


This policy will provide guidelines:

  • for the collection, storage, use, disclosure and disposal of personal information, including photos, videos and health information at Ivanhoe Children's Community Cooperative
  • to ensure compliance with privacy legislation.

Policy statement


Ivanhoe Children's Community Cooperative is committed to:

  • responsible and secure collection and handling of personal information
  • protecting the privacy of each individual's personal information
  • ensuring individuals are fully informed regarding the collection, storage, use, disclosure and disposal of their personal information, and their access to that information.


This policy applies to the Approved Provider, Nominated Supervisor, Certified Supervisor, educators, staff, students on placement, volunteers, parents/guardians, children and others attending the programs and activities of Ivanhoe Children's Community Cooperative.

Background and legislation


Early childhood services are obligated by law, service agreements and licensing requirements to comply with the privacy and health records legislation when collecting personal and health information about individuals.

The Health Records Act 2001 (Part 1, 7.1) and the Privacy and Data Protection Act 2014 (Vic) (Part 1, 6 (1)) include a clause that overrides the requirements of these Acts if they conflict with other Acts or Regulations already in place. For example, if there is a requirement under the Education and Care Services National Law Act 2010 or the Education and Care Services National Regulations 2011 that is inconsistent with the requirements of the privacy legislation, services are required to abide by the Education and Care Services National Law Act 2010 and the Education and Care Services National Regulations 2011.

Legislation and standards

Relevant legislation and standards include but are not limited to:

  • Associations Incorporation Reform Act 2012 (Vic)
  • Education and Care Services National Law Act 2010
  • Education and Care Services National Regulations 2011: Regulations 181, 183
  • Freedom of Information Act 1982 (Vic)
  • Health Records Act 2001 (Vic)
  • National Quality Standard, Quality Area 7: Leadership and Service Management
  • Standard 7.3: Administrative systems enable the effective management of a quality service
  • Privacy and Data Protection Act 2014 (Vic)
  • Privacy Act 1988 (Cth)
  • Privacy Amendment (Enhancing Privacy Protection )Act 2012 (Cth)
  • Privacy Regulations 2013 (Cth)
  • Public Records Act 1973 (Vic)


The terms defined in this section relate specifically to this policy. For commonly used terms e.g. Approved Provider, Nominated Supervisor, Regulatory Authority etc. refer to theGeneral Definitions section of this manual.

Freedom of Information Act 1982: Legislation regarding access and correction of information requests.

Health information: Any information or an opinion about the physical, mental or psychological health or ability (at any time) of an individual.

Health Records Act2001: State legislation that regulates the management and privacy of health information handled by public and private sector bodies in Victoria.

Identifier/Unique identifier: A symbol or code (usually a number) assigned by an organisation to an individual to distinctively identify that individual while reducing privacy concerns by avoiding use of the person's name.

Personal information: Recorded information (including images) or opinion, whether true or not, about a living individual whose identity can reasonably be ascertained.

Privacy and Data Protection Act 2014: State legislation that provides for responsible collection and handling of personal information in the Victorian public sector, including some organisations, such as early childhood services contracted to provide services for government. It provides remedies for interferences with the information privacy of an individual and establishes the Commissioner for Privacy and Data Protection.

Privacy Act 1988: Commonwealth legislation that operates alongside state or territory Acts and makes provision for the collection, holding, use, correction, disclosure or transfer of personal information. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) introduced from 12 March 2014 has made extensive amendments to the Privacy Act 1988. Organisations with a turnover of $3 million per annum or more must comply with these regulations.

Privacy breach:An act or practice that interferes with the privacy of an individual by being contrary to, or inconsistent with, one or more of the information Privacy Principles (refer to Attachment 2: Privacy principles in action) or the new Australian Privacy Principles  (Attachment 7) or any relevant code of practice.

Public Records Act 1973 (Vic): Legislation regarding the management of public sector documents.

Sensitive information: Information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preference or practices, or criminal record. This is also considered to be personal information.

Sources and related policies


Service policies

  • Child Safe Environment Policy
  • Code of Conduct Policy
  • Complaints and Grievances Policy
  • Delivery and Collection of Children Policy
  • Enrolment and Orientation Policy
  • Information Technology Policy
  • Staffing Policy
  • Inclusion and Equity Policy


The Approved Provider is responsible for:

  • ensuring all records and documents are maintained and stored in accordance with Regulations 181 and 183 of the Education and Care Services National Regulations 2011
  • ensuring the service complies with the requirements of the Privacy Principles as outlined in the Health Records Act 2001, the Privacy and Data Protection Act 2014 (Vic) and, where applicable, the Privacy Act 1988 (Cth) and the Privacy Amendment (Enhancing Privacy Protection ) Act 2012 (Cth), by developing, reviewing and implementing processes and practices that identify:
    • what information the service collects about individuals, and the source of the information
    • why and how the service collects, uses and discloses the information
    • who will have access to the information
    • risks in relation to the collection, storage, use, disclosure or disposal of and access to personal and health information collected by the service
  • ensuring parents/guardians know why the information is being collected and how it will be managed
  • providing adequate and appropriate secure storage for personal information collected by the service, including electronic storage
  • developing procedures that will protect personal information from unauthorised access
  • ensuring the appropriate use of images of children, including being aware of cultural sensitivities and the need for some images to be treated with special care
  • developing procedures to monitor compliance with the requirements of this policy
  • ensuring all employees and volunteers are provided with a copy of this policy, including the Privacy Statement of the service (refer to Attachment 4)
  • ensuring all parents/guardians are provided with the service’s Privacy Statement (refer to Attachment 4) and all relevant forms
  • informing parents/guardians that a copy of the complete policy is available on request
  • ensuring a copy of this policy, including the Privacy Statement, is prominently displayed at the service and available on request
  • establishing procedures to be implemented if parents/guardians request that their child’s image is nottobe taken, published or recorded, or when a child requests that their photo not be taken.

The Nominated Supervisor is responsible for:

  • assisting the Approved Provider to implement this policy
  • reading and acknowledging they have read the Privacy and Confidentiality Policy
  • providing notice to children and parents/guardians when photos/video recordings are going to be taken at the service
  • ensuring educators and all staff are provided a copy of this policy and that they complete the Letter of acknowledgement and understanding
  • obtaining informed and voluntary consent of the parents/guardians of children who will be photographed or videoed.

Certified Supervisors and other educators are responsible for:

  • reading and acknowledging they have read the Privacy and Confidentiality Policy
  • recording information on children, which must be kept secure and may be requested and viewed by the child’s parents/guardians and representatives of the Department of Education and Training during an inspection visit
  • ensuring they are aware of their responsibilities in relation to the collection, storage, use, disclosure and disposal of personal and health information
  • implementing the requirements for the handling of personal and health information, as set out in this policy
  • respecting parents’ choices about their child being photographed or videoed, and children’s choices about being photographed or videoed.

Parents/guardians are responsible for:

  • providing accurate information when requested
  • maintaining the privacy of any personal or health information provided to them about other individuals, such as contact details
  • completing all permission forms and returning them to the service in a timely manner
  • being sensitive and respectful to other parent/guardians who do not want their child to be photographed or videoed
  • being sensitive and respectful of the privacy of other children and families in photographs/videos when using and disposing of these photographs/videos.

Volunteers and students, while at the service, are responsible for following this policy and its procedures.


In order to assess whether the values and purposes of the policy have been achieved, the Approved Provider of Ivanhoe Children's Community Cooperative will:

  • regularly seek feedback from everyone affected by the policy regarding its effectiveness
  • monitor the implementation, compliance, complaints and incidents in relation to this policy
  • keep the policy up to date with current legislation, research, policy and best practice
  • revise the policy and procedures as part of the service’s policy review cycle, or as required
  • notify parents/guardians at least 14 days before making any changes to this policy or its procedures.



This policy was adopted by the Approved Provider of Ivanhoe Children's Community Cooperativeon 19th October 2016.

Review date:    19/10/2018