Dragonfly’s Early Learning

41-45 Springfield Ave Coolum Beach QLD 4573 Australia

P: 07 5471 6500

E: info@dragonflys.com.au

Policy Statement

We are committed to protecting the privacy and confidentiality of individuals by ensuring that sensitive information about individual children, families, team members and management is kept in a secure place and is only accessed by, or disclosed to, those people who need the information to fulfil their responsibilities at the centre or have a legal right to know. This Policy embodies this commitment and applies to personal information collected by our service.

Background and Guiding Principles

The following is required under the Education and Care Services National Regulations:
“Subdivision 4—Confidentiality and storage of records”

Information kept in a record must not be divulged or communicated, directly or indirectly, to another person other than:

We adhere to the requirements of the Information Privacy Principles contained within the Privacy Act and the Guidelines for Federal and ACT Government Worldwide Websites, issued by the Office of the Australian Information Commissioner and Privacy Commissioner.
“The Privacy Act defines ‘personal information’ as:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable

a. Whether the information or opinion is true or not; and

b. Whether the information or opinion is recorded in a material form or not.

The term ‘personal information’ encompasses a broad range of information. A number of different types of information are explicitly recognised as constituting personal information under the Privacy Act.
For example, the following are all types of personal information:
Common examples of personal information:
1. Information about a person’s private or family life.
2. Information about a person’s working habits and practices.
3. Commentary or opinion about a person.

“Why do ECEC services have to comply with privacy law?

Under Australia’s privacy law, ECEC services are deemed as health service providers, which puts them in the category of an “Australian Privacy Principle (APP) Entity”. Under Australian law, all APP entities are bound by the Act and must comply with it.
Your responsibilities

In order to comply with the Privacy Act, ECEC services are required to follow the Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act).
The APPs outline how ECEC services (and other relevant businesses) must handle, use and manage the personal information of their clients. In particular, the principles cover how personal information can be used and disclosed (including overseas), keeping personal information secure, and the open and transparent management of personal information including having a privacy policy.
The new law introduces a Notifiable Data Breaches (NDB) scheme that requires all businesses regulated by the Privacy Act (including ECEC services) to provide notice to the Office of the Australian Information Commissioner (formerly known as the Privacy Commissioner) and affected individuals of any data breaches (i.e. data leaks) that are “likely” to result in “serious harm.”

“What should you do if you become aware of a serious data breach?”

When a business/organisation becomes aware of reasonable grounds to believe an eligible data breach has occurred, they are obligated to promptly notify individuals at likely risk of serious harm.
The Office of the Australian Information Commissioner must also be notified as soon as practicable through a statement about the eligible data breach. You can find out more about the Notifiable Data Breaches scheme, and the mandatory notification process here.

Definition of eligible data breach

An eligible data breach arises when the following three criteria are satisfied:
If there is a possible data breach, the service must seek further information from the Office of the Australian Information Commissioner; details can be found here.
Where a notifiable data breach has been determined, the service must use the Notifiable Data Breach Form.
“An entity must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach (s 26WH(2)).
The Commissioner expects that wherever possible entities treat 30 days as a maximum time limit for completing an assessment, and endeavour to complete the assessment in a much shorter timeframe, as the risk of serious harm to individuals often increases with time.
Where an entity cannot reasonably complete an assessment within 30 days, the Commissioner recommends that it should document this, so that it is able to demonstrate:

“Responding to Data Breaches – four key steps”

“Protecting your business from a cyber-attack”

Procedures and Responsibilities

Leadership, management and staff are required to work together to ensure the confidentiality and correct use of personal information collected for the purpose of operating an education and care service.
Leadership and Management, including Approved Providers, Nominated Supervisors and Responsible Persons, will:

Only collect information:

Educators and Other Team Members will:

Families are asked to:



The failure of any person to comply with this policy in its entirety may lead to:

Related Policies and Forms

Legislation, Recognised Authorities and Sources