Privacy and Confidentiality Policy

Early childhood centres are obligated by law, centre agreements and licensing requirements to comply with the privacy and health records legislation when collecting personal and health information about individuals.

The Health Records Act 2001 (Part 1, 7.1) and the Privacy and Data Protection Act 2014 (Part 1, 6.1) include a clause that overrides the requirements of these Acts if they conflict with other Acts or Regulations already in place. For example, if there is a requirement under the Education and Care Centres National Legislation that is inconsistent with the requirements of the privacy legislation, centres are required to abide by the Education and Care Centres National Legislation.

This policy outlines our ongoing obligations in respect of how we manage Personal Information. The centre has adopted the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act) which governs the way in which we collect, use, disclose, store, secure and dispose of your Personal Information. A copy of the APPs may be obtained from the website of The Office of the Australian Information Commissioner at  

This policy applies to all CSIROCare employees, volunteers, students, parents/guardians who wish to enrol or have already enrolled their child at the centre, and all other persons engaging in programs and activities of CSIROCare.

  • Relevant records and documents are maintained and stored in accordance with Regulations 181 and 183 of the Education and Care Centres National Regulations 2011
  • A privacy statement (see Attachment 2) is included on all documentation that seeks any personal, sensitive or health information of an individual
  • Adequate and appropriate secure storage is provided, including electronic storage for personal information collected by the centre
  • Procedures are implemented that will protect personal information from unauthorised access
  • Educators ensure the appropriate use of images of children, including being aware of cultural sensitivities and the need for some images to be treated with special care
  • Written consent of the parent/guardian is obtained prior to their child/ren being photographed or videoed by educators
  • Educators establish procedures to be implemented where a parent/guardian does not provide consent for their child’s image to be taken, published or recorded, or when a child requests that their photograph not be taken
  • Confidential records are disposed of via secure means after the required period of retainment has passed
  • Employees are informed of their responsibilities in relation to the collection, storage, use, disclosure and disposal of personal and health information


  • Privacy Principles in action
  • CSIROCare Privacy Statement

ATTACHMENT A. Privacy Principles in action

Collection of personal and health information 

The centre will only collect the information needed, and for which there is a purpose that is legitimate and related to the centre’s functions, activities and/or obligations. Personal information about individuals, either in relation to themselves or their children enrolled at the centre, will generally be collected via forms filled out by parents/guardians. Personal information about individuals relating to employment will also generally be collected via the completion of forms. Other information may be collected from job applications, face-to-face interviews and telephone calls.

Laws that require us to collect specific information

The Education and Care Centres National Law Act 2010, the Education and Care Centres National Regulations 2011, the Associations Incorporation Reform Act 2012 (Vic) and employment-related laws and agreements require us to collect specific information about individuals from time to time.

Use of information

The centre will use personal information collected for the primary purpose of collection. The centre may also use this information for any secondary purposes directly related to the primary purpose of collection, to which the individual has consented, or could reasonably be expected to consent. 

Disclosure of personal information, including health information

Personal information may be disclosed in a number of circumstances including: 

  • anyone to whom the individual authorises the centre to disclose information
  • where required or authorised by law.

Disclosure of sensitive information 

Sensitive information will be used and disclosed only for the purpose for which it was collected or a directly related secondary purpose, unless the individual agrees otherwise, or where the use or disclosure of this sensitive information is allowed by law.

Storage and security of personal information 

In order to protect the personal information from misuse, loss, unauthorised access, modification or disclosure, the Approved Provider and employees will ensure that, in relation to personal information:

  • access will be limited to authorised employees, the Approved Provider or other individuals who require this information in order to fulfil their responsibilities and duties
  • information will not be left in areas that allow unauthorised access to that information
  • all materials will be physically stored in a secure cabinet or area
  • computerised records containing personal or health information will be stored safely and secured with a password for access 
  • there is security in transmission of the information via email or telephone, as detailed below:
    • emails will only be sent to a person authorised to receive the information
    • telephone – limited and necessary personal information will be provided over the telephone to persons authorised to receive that information

Disposal of information

Personal information will not be stored any longer than necessary. In disposing of personal information, those with authorised access to the information will ensure that it is either shredded or destroyed in such a way that the information is no longer accessible.

Access to information and updating personal information

Under the privacy legislation, an individual has the right to:

  • request access to personal information that the centre holds about them
  • access this information
  • make corrections if they consider the data is not accurate, complete or up to date.

There are some exceptions set out in the Privacy and Data Protection Act 2014, where access may be denied in part or in total. Examples of some exemptions are where:

  • the request is frivolous or vexatious
  • providing access would have an unreasonable impact on the privacy of other individuals
  • providing access would pose a serious threat to the life or health of any person
  • the centre is involved in the detection, investigation or remedying of serious improper conduct and providing access would prejudice that.


Any queries or complaints about our Privacy and Confidentiality policy can be directed to:

The Centre Director at CSIROCare Clayton
Email: [email protected] 
Ph: 8521 2117

ATTACHMENT B. CSIROCare Privacy Statement

Privacy Statement 

CSIROCare collects personal, sensitive and health information for the purpose of meeting the organisation’s legal operational requirements. All personal information is used only for the purpose for which it is gathered and is stored securely. Further information is included in our Privacy and Confidentiality Policy which can be accessed on our website or obtained from the centre.