Tiny Smiles Early Learning Centre
Privacy Policy
Introduction
This policy describes why and how we collect, use, share, store and give access to information about employees, individuals and personal data, and provides information about employees and individuals’ rights.
It applies to information and data provided to us by the individuals, by third parties or collected by us.
We may use the information / personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.
If you have any further questions in relation to this policy, please contact our Privacy Officer (contact details below).
This policy explains how we handle personal information and manage our responsibilities under the Privacy Act 2020.
Understanding the privacy principles
We will endeavour to ensure all staff understand their responsibilities around collecting, storing, using, sharing and disposing of information about children. Training will occur via induction processes, and discussion of practices and risks at staff meetings. Parents, visitors and students will be informed about privacy matters through enrolment and induction. We will remind them that, if taking photos, they should only take photos of their own child in the centre, during celebrations and on trips.
The privacy principles are:
Only collect personal information if it is for a lawful purpose connected with the organisation's functions and necessary for that purpose.
Personal information should be collected directly from the person it is about.
Be open about why you are collecting personal information and what you will do with it.
When collecting information about a person, we must do so in a way that is fair and legal.
Ensure safeguards are in place that are reasonable to prevent loss, misuse, or disclosure of personal information.
People have a right to ask for access to their own personal information.
A person has a right to ask us to correct information about them if they think it is wrong.
We must check before using or disclosing personal information that it is accurate, up to date, complete, relevant, and not misleading.
We must not keep personal information for longer than it is required for the purpose it may lawfully be used.
We can only use personal information for the purpose it was collected.
We may only disclose personal information when: disclosure is one of the purposes for which the organisation got the information, the person concerned authorises the disclosure, the information is to be used in a way that does not identify the person concerned, disclosure is necessary to avoid endangering someone’s health or safety or disclosure is necessary to uphold or enforce the law.
Personal information may only be disclosed to another organisation outside NZ if it meets the criteria around cross-border disclosure.
We can only use unique identifiers when it is necessary.
Personal Information / personal data
Personal information is about an identifiable person (employees, contractors, clients, customers, visitors).
This may include information about names, financial information, home address, email addresses, job titles, personal phone numbers, health, health history, visual image, voice recording, location.
Collection of Personal Information
The personal information we collect may be provided in forms filled out by individuals (for example job application forms and enrolment forms), face to face meetings, email messages, telephone conversations, use of our websites, engaging with our social media, voice recording (voicemail) and via security and monitoring equipment (eg, cameras).
We may collect information via third parties if we are appropriately authorised to receive that information.
We only collect information which is necessary for a lawful purpose connected with operation of the company, as required by law or where the individual has agreed to the collection of the information for another identified purpose.
Identified Purposes
We will collect, use and where appropriate disclose personal information:
to comply with legal requirements such as IRD and Ministry of Education;
for purposes limited to those that are related to the provision of services by the company;
and for purposes which individuals agree to.
Such purposes include the following:
To deliver services to clients
Promotion of services
For security and risk management purposes (premises and information and communication technology security): detecting and deterring criminal behavior / misconduct; detecting and deterring suspicious, inappropriate or unauthorised use of premises / equipment; monitoring the safety and security of our staff, our customers and our sites.
As part of a formal employment investigation process.
For health and safety purposes (location, monitoring compliance with health and safety policies, health and safety investigation processes for subsequent training purposes).
Analysing and evaluating efficiency and productivity and quality assurance
To assess and implement policies, practices and monitor and ensure compliance.
To maintain up to date records
To respond to emergencies, including communication with emergency contacts, hospitals and/or medical practitioners
To complete the payroll
To contact individuals
Transfer and disclosure of personal information
We will not disclose personal information to other organisations except where:
use or disclosure is permitted by this policy;
the individuals give consent; or
such disclosure is otherwise required or permitted by law, regulation, rule [or professional standard].
An organisation or individual is engaged on behalf of the company to provide services to the company (for example payroll, occupational health services, ICT services, data storage providers). The company will only use service providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by the company and in accordance with our privacy guidelines and not to keep, use or disclose personal information we provide to them for any unauthorised purposes.
Transfer of information outside New Zealand
We may transfer personal data where necessary for administrative purposes to overseas facilities or contractors to process or back-up our information or to provide certain services to us. Where service providers and contractors are not New Zealand entities or regulated by the Privacy Act, we will ensure that the entities are subject to privacy laws that provide the same level of protection as New Zealand’s.
Security, Storage and Retention of information
We will take all reasonable steps to keep secure any personal information which we hold whether electronically or in hard-copy, and to keep this information accurate and up to date.
The company requires our employees and contractors to respect the confidentiality of any personal information held by the company and only to access and use the information in accordance with this policy and their authority to do so.
The company regularly reviews the appropriateness of the security, confidentiality, and privacy measures we have in place to keep the data we hold secure.
Records containing personal information collected are retained for as long as is necessary for the purpose for which it was collected. Some information is subject to retention periods required by law. After such time, personal information and records will be securely destroyed.
All family/enrolment documentation will be kept in a lockable filing cabinet. Any documents awaiting processing/signatures will be kept in a manilla folder when stored in the Centre office. All staff files are kept in a lockable filing cabinet at Tiny Smiles. Any duplicates or copies no longer required will be shredded. Passwords to service computers will only be given to those who need them and will not be shared. We will monitor to ensure photos in general communications and social media meet enrolment consents. We have a process in place for disposing of and shredding physical records when no longer required to be retained.
Access to information
We will provide access to personal information on request by an individual except in the limited circumstances in which it is permitted to withhold the information.
We will use our best efforts to ensure that the personal information that is held / used on an on-going basis is accurate, complete and up to date.
Individuals have the right to correct inaccurate information held by the company. Requests for access must be made to the Privacy Officer.
Breach of Privacy
The company views any breach of privacy as a serious matter which will be investigated.
From 1 December 2020, organisations need to notify the Privacy Commissioner and any affected people when they become aware of a privacy breach that poses a risk of serious harm. Serious harm means that it has caused or may cause loss, damage, injury etc., it has adversely affected (or may adversely affect) the rights and interests of the individual or has resulted in (or may result in) significant humiliation, loss of dignity or injury to feelings.
There are some grounds which permit the company not to notify the affected individual in the event of a breach, or to delay that notification.
Concerns about personal information
If an individual has concerns about how we are handling personal information, please contact the Privacy Officer.
If an individual is not satisfied with the company’s handling of the concern, if the individual has requested access to information which has been declined, or believes that the company has been in breach of its obligations under the Privacy Act 2020, the individual may make a complaint to the Office of the Privacy Commissioner (https://www.privacy.org.nz/about-us/contact/).
Privacy Officer Contact Details for our Service:
Mel Partington
06 757 2289
Melissa@tinysmiles.nz
Read more about our Record Management + Retention here.