What ERO found

Most services in this evaluation were managing their privacy responsibilities well or very well. However, ERO’s focus on privacy led to nearly half of the services improving their practices. Minor compliance issues were easily fixed, meaning that by the end of their review they were compliant. This finding suggests that services not in the sample should review their privacy practices.

In about a quarter of services staff were not in a strong position to ensure they met their responsibilities around the privacy of children’s information. They did not have explicit knowledge of the privacy principles, and leaders had not provided clear, up-to-date policies to guide their practice. Most had not encountered any major privacy issues, but they did not have the knowledge or guidance to support them to act appropriately to minimise risk.

Understanding of the privacy principles

Most services had some staff that knew about their responsibilities around collecting, storing, using, sharing and disposing of information about children. This knowledge was not shared across all staff in some services.

Leaders in some services could state the privacy principles or their service’s privacy policy, but did not understand what this meant for their practice.

Where service staff were managing children’s privacy well a range of methods were used to make sure they knew what to do. Induction processes, workshops, discussion of practices and risks at staff meetings, staff handbooks, and passing on notices from government agencies were all used to keep staff up-to-date with their responsibilities. Some services also discussed the implications for their practice when they were reviewing policies and procedures.

In home-based services, visiting teachers gave advice to educators about what information could be recorded and shared, how to store information safely, and what could not be stored, displayed or shared.

In some Playcentres, parents felt that privacy responsibilities did not apply to their context and information about all the children was available to all the parents.

Privacy policies

Where privacy responsibilities were managed well, services had a privacy policy and procedures to guide staff about how to collect, store, share and dispose of information.

Comprehensive privacy policies covered the collection, storage, use, disclosure and disposal of information. They guided staff in:

  • thinking about the reason for gathering information before collecting it, and informing parents about how the information would be used
  • ensuring records were up to date (especially around custody matters and who was approved to collect the child) and supporting parents or guardians to correct personal information
  • storing and disposing of records appropriately
  • dealing with requests for information and sharing information with external agencies
  • dealing with complaints about breaches of privacy
  • Identifying privacy risks and ways to minimise risk.

In these early childhood services, other service policies (such as child protection and cyber policies) were also consistent with the Privacy Act and principles.

Some Playcentres were not aware of changes in membership, and new members were not always informed of the Association’s privacy policy and what that meant for them. Policies were not always updated to reflect changes in membership.

Actions for maintaining privacy of children’s information

Most services were keeping physical records of children’s information secure. Management of physical records was more commonly an issue than management of digital records.1

Physical records

In the services managing privacy well, policies were clear about how long different types of information should be kept before being destroyed. Clear processes were in place for disposing of information safely. For example, hard copy information was burnt, or shredded by the privacy officer or a secure document destruction company.

Services that were not keeping physical records securely stored files on open shelves or in unlocked cabinets. Some cabinets were kept locked, but the key was clearly visible. In some cases, daily medication or accident records showed several children on the same page. Parents were able to see information about other children when reading about their own child.

In a few services, policies did not provide guidance about records disposal. They did not know how they should dispose of print records and had kept them all.

Privacy officers

Most services had a privacy officer. Many of the services that were part of a kindergarten or Playcentre association or part of a larger organisation met their obligations by having one privacy officer responsible for privacy matters across the association or organisation.

A central privacy officer is acceptable where there is a clear process for other staff to contact the privacy officer and where all other staff have had basic training in privacy law.2

ERO found that in some services with an association or organisation level privacy officer, staff did not know who the privacy officer was; or when, why or how to contact them. Staff members in these services generally had a poor awareness overall of the privacy principles.

Knowing what to do when parents/guardians are separated

While clear procedures guided service staff with what to do if non-custodial parents tried to collect children, staff at many services were unsure of how and what information to share with a non-custodial parent.

Many did not know about the guidance from the Ministry of Education around this.3

Monitoring and reviewing privacy practices

Many services did not monitor whether their practices aligned with the privacy principles or Privacy Act, or with their own guidelines. They could not be sure they were doing what they needed to do, and sometimes their practices did not reflect their policies.

Some services had a regular cycle of reviewing their privacy procedures, while others had done this because privacy was the focus of ERO’s review. Some services consulted parents as part of the review process. Many had not reviewed their privacy policies or procedures in several years.

Review processes did not always include a regular review of what permissions had been given by parents, or allow parents an opportunity to change these if they wanted.