Among the many other regulations and laws that Early Childhood Education and Care (ECEC) services are required to comply with, ECEC services also need to comply with Australia's privacy law, known as the Privacy Act 1988 (the Act).
Why do ECEC services have to comply with privacy law?
Under Australia's privacy law, ECEC services are deemed as health service providers, which puts them in the category of an “Australian Privacy Principle (APP) Entity”. Under Australian law, all APP entities are bound by the Act and must comply with it.
Under Australia's privacy law, ECEC services are deemed as health service providers, which puts them in the category of an “Australian Privacy Principle (APP) Entity”. Under Australian law, all APP entities are bound by the Act and must comply with it.
Your responsibilities
In order to comply with the Privacy Act, ECEC services are required to follow the Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act).
In order to comply with the Privacy Act, ECEC services are required to follow the Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act).
The APPs outline how ECEC services (and other relevant businesses) must handle, use and manage the personal information of their clients. The guidelines are not prescriptive, as each APP entity needs to consider how the principles apply to their own situation (in terms of operations, data management, IT platforms, etc).
In particular, the principles cover how personal information can be used and disclosed (including overseas), keeping personal information secure, and the open and transparent management of personal information including having a privacy policy.
You can review the Australian Privacy Principles here. We recommend that you read and understand these principles if you are not yet familiar with them.
New requirements under the Privacy Act as of February 2018
The Privacy Act was amended in February 2017, with the changes due to take effect on February 22, 2018.
The Privacy Act was amended in February 2017, with the changes due to take effect on February 22, 2018.
The new law introduces a Notifiable Data Breaches (NDB) scheme that requires all businesses regulated by the Privacy Act (including ECEC services) to provide notice to the Office of the Australian Information Commissioner (formerly known as the Privacy Commissioner) and affected individuals of any data breaches (ie. data leaks) that are “likely” to result in “serious harm.”
Businesses that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected.
A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to $360,000 for individuals or $1.8 million for organisations.
What should you do if you become aware of a serious data breach?
When a business/organisation becomes aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Office of the Australian Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.
When a business/organisation becomes aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm. The Office of the Australian Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach.
You can find out more about the Notifiable Data Breaches scheme, and the mandatory notification process here.
Recent example of a data breach - Australian Red Cross Blood Service
Our legal experts at Meridian Lawyers have provided us with an interesting case study, which we recommend you read.
Our legal experts at Meridian Lawyers have provided us with an interesting case study, which we recommend you read.
The case study focuses on the recent leak of information from the Australian Red Cross Blood Service - in September 2016 the personal details of approximately 550,000 prospective blood donors were accidentally released.
The data breach in this case was caused by a human error on the part of the third party provider, without the authorisation or direct involvement of the Blood Service. The Commissioner did not hold the Blood Service responsible for the disclosure itself. However, the Blood Service was still held responsible for breaching the Privacy Act.
You can read the case study here.
How to make sure your ECEC service complies with Australian privacy law
Against this background, ACA remains committed to ensuring that all of our members understand their rights and obligations under the Privacy Act.
Against this background, ACA remains committed to ensuring that all of our members understand their rights and obligations under the Privacy Act.
We encourage you to:
- share this information with relevant staff
- make sure all relevant staff understand the requirements under Australia's privacy law
- introduce a privacy policy to ensure that your businesses practices comply with the Australian Privacy Principles.
This may include delegating a staff member to oversee all privacy-related activities to ensure compliance.
You can read the guidance on how to develop your own privacy policy here.