Privacy policy

Purpose

This Privacy Policy sets out the purpose, use, disclosure, and protection of personal information of individuals.

Explanation

This Policy sets out the information collected, purpose, security, retention, sharing and destruction standards.

Central Kids only collects and uses information for the purpose it was intended for.

Scope

This Policy applies to all kaimahi | employees, students, volunteers, and contractors.

Privacy Officer

The Privacy Officer for Central Kids is the General Manager Corporate Services. The deputy Privacy Officer is the Information Manager. The duties of the Privacy Officer are to:

  • be familiar with the privacy principles in the Privacy Act
  • work to make sure the organisation complies with the Privacy Act
  • deal with any complaints from the organisation's clients about possible privacy breaches
  • deal with requests for access to personal information, or correction of personal information
  • act as the organisation's liaison with the Office of the Privacy Commissioner
  • train other staff at the organisation to deal with privacy matters
  • advise their organisation on compliance with privacy requirements
  • advise their organisation on the potential privacy impacts of changes to the organisation's business practices
  • be familiar with any other legislation governing what the organisation can and cannot do with personal information
  • for all projects, complete a Brief Privacy Assessment, using the 1Place tool, to identify any privacy risks and whether a full Privacy impact Assessment is required.
Māori data sovereignty

Central Kids recognises the inherent right and interest of Māori to exercise control over Māori data.

Māori data refers to digital or digitizable information or knowledge that is about or from Māori people, the language, culture, resources, or environments.

Central Kids is accountable to the communities in which it operates, and will seek to engage in meaningful reciprocal relationships, where use of data and information we collect benefits mana whenua.

Purpose for collection of personal information

We only collect personal information required to conduct administration of early childhood and social services.

All kaimahi must understand their privileged position in access to information held about tamariki and whānau and uphold the principles of respect and confidentiality.

Collection of information from whānau

The Central Kids Privacy Statement states why we collect information and what we do with it. The Privacy Statement gives guidance on what information is collected, who we share information with and in what circumstances, and how to access information.

The Privacy Statement is:

  • shared with all whānau when they enrol in our services.
  • available on the Central Kids website.
Storage and security of information

Central Kids takes active steps to prevent loss, misuse, or disclosure of personal information. Only kaimahi | staff with the appropriate permissions can access information.

All kaimahi have individual log in credentials to access computers and software. Kaimahi must not share passwords with anyone or write them down.

All kaimahi are responsible for being security aware and laptops, tablets and phones must be stored to reduce the risk of them from being stolen, when not in use.

All kaimahi must ensure devices such as laptops, tablets or phones are password protected and not left unlocked so others can access them.

Central Kids recognises that flexible working, means sometimes kaimahi must take personal information home or transport it to locations in vehicles. Personal information must be stored securely for transport.

Personal information that has been temporarily taken home by kaimahi, must be stored in a secure location. It must not be stored in vehicles overnight.

Kaimahi will take practicable endeavours to minimise unnecessary use of personal information at home, and only transport or retain information that is actively being used for a clear purpose. No archiving should be stored at home or in temporary cases in cars.

Kaimahi will use good judgement to recognise phishing scams, and if in doubt, do not click the link.

Access to personal information

No kaimahi should intentionally access confidential information they do not have permission to view or access of information they are not entitled to as part of their job.

Adults, and/or parents/guardians of tamaiti who are enrolled with Central Kids who are parents have the right to ask for access to information held about them and their tamariki.

The Information Sharing Procedure must be followed when sharing personal information.

Central Kids will take reasonable steps to ensure personal information is accurate before it is used or disclosed.

If a request for information is urgent, this must be made clear by the requester and will be provided within a maximum of 5 working days. Standard requests for personal information will be provided within 20 working days.

Further time extensions can be communicated to the requester and must have a clear rationale.

The Privacy Officer must approve all information requests before it is shared with whānau.

We only share information with the full consent of the person, or the parent or guardian if related to tamaiti.

Information can be shared with adults or guardians for them to share with other agencies or parties directly.

Where there is a risk to a person, either an adult or tamaiti, information can be shared with emergency services without consent.

Access to personal information can be refused if sharing the information could pose a serious threat to the life, health, or safety of any individual, kaimahi or to the public.

Third party information that may be contained within personal records can be withheld if there is a risk of harm from sharing it.

We share information with:

  • parents and legal guardians when formally requested (in writing)
  • Ministry of Education and the Ministry of Social Development to obtain funding and meet regulated standards of reporting
  • Work and Income to support enrolled whānau to access their entitlements
  • Ministry of Education to engage specialist support for tamariki with additional needs
  • Oranga Tamariki for child protection concerns or when a mandatory request is made
  • Police, for safety checking of kaimahi | staff, volunteers, and students
  • Police, and law enforcement agencies either through mandatory demands, or voluntarily (where there is serious risk to health or safety)
  • internal referrals from early childhood services to Mātauranga Ake, for social support
  • internal referrals from Mātauranga Ake to early childhood services, to support enrolment
  • primary schools for management of their rolls, where parents or legal guardians have provided prior authority
  • third party education, health, and social service providers, to enable access to tamariki and
  • whānau wrap around support
  • family harm team and service providers to reduce the risk of harm and engage whānau in support.

We also share information with social housing providers, and private landlords, in our capacity as an agent for whānau seeking permanent housing.

We share tamariki and whānau stories and pānui to the public on Story Park, social media and via our website.

Where a person requests access to their, or their tamaiti, personal information and access is refused, the reason for refusal must be made clear.

Database and storage

Central Kids uses the following software to store information:

Discover, is the cloud based childcare management system used by Central Kids. This system contains name, address, date of birth and a running record of whānau and tamariki engagement. It also contains billing information. It is owned by xplor. Their Privacy Policy is set out here: www.xplortechnologies.com/nz/privacy-policy

Storypark is the cloud based whānau communication and engagement app used by Central Kids. It contains tamariki details, stories, whānau contact details and kaiako communications to whānau. Their Privacy Policy is set out here: https://main.storypark.com/privacy-policy

Recordbase is the cloud-based client management system used by Mātauranga Ake. It contains whānau contact details, and a running record of all interactions. Their Privacy Policy is set out here: www.recordbase.co.nz/privacy-policy

BambooHR is the Human Resources Information System that stores all kaimahi information. This database is located on the Central Kids server. IMS is the payroll software used and is stored on the Central Kids server.

Office 365 is used to store information. This includes information related to kaimahi | staff and enrolled whānau/tamariki mokopuna. The Microsoft Privacy Statement is set out here: https://privacy.microsoft.com/en-ca/privacystatement

Central Kids website does not store confidential information.

PowerBI is the Microsoft dashboard that Central Kids uses to present visual data and information for managers use, and it draws information from the above software systems.

Security

Hard copies of personal information must be stored in a locked cabinet or cupboard when not in use.

Regular updating of operating systems to ensure the most current cyber security protections, by completing a full shutdown of laptops at least monthly, or more frequently where indicated.

Use of two factor authentication for key systems.

Proactive technology asset management to ensure appropriate lifecycle of hardware, and maintenance of optimised security features.

Information in our cloud based software is stored in encrypted files, and only kaimahi | staff with the approved permissions access it.

Information is also held on local Central Kids Server Hardware. The Hardware Environment is proactively supported, updated, managed and all stored data is backed-up. This is facilitated by SkyPoint Technologies Ltd.

Hard copy information is securely stored onsite in Central Kids offices. Central Kids operates a clear desk policy.

Central Kids will only use secure Wi-Fi to access personal information.

Kaimahi who are authorised to work from home must have appropriate hardware and security provisions in place to mitigate possible security breach.

Hardware must be assessed, and recommendations confirmed by SkyPoint, our IT provider and signed off by Central Kids. Any remote work must adhere to Central Kids standard guidelines.

Kaimahi will not use public unsecured Wi-Fi to conduct any Central Kids business.

Correction of personal information

A person can ask for information to be corrected if they think it is wrong.

If Central Kids does not agree that the information needs correcting, the person can provide a statement of correction to be held in the Central Kids records.

Security cameras

Some Central Kids services have security cameras. The cameras are in place for security purposes only.

The footage recorded through cameras will not be shared for purposes other than security management, such as investigating break-ins, theft, vandalism or addressing allegations against kaimahi.

Retention

Central Kids does not retain information for longer than is required by law.

We keep hard copies of personal information for a maximum period of seven years.

Archiving will be sent to a Central Kids’ central storage facility in February each year. Only information for the current year or current enrolments will be maintained at the service.

Destruction and disposal

After seven years of retention, Central Kids will safely and responsibly destroy held personal information.

Hard copy information is destroyed by secure document destruction and disposal. Secure document destruction and disposal means that documentation is to be shredded in a timely manner. For larger quantities of destruction and disposal, a professional document destruction company may be used.

Cloud and server-based information must be destroyed by the vendor, as per the agreed process between Central Kids and the vendor.

Data stored on the Central Kids Server will be securely wiped by Central Kids or when instructed by SkyPoint, our technology partner.

Central Kids requires all out-of-use hardware to returned to SkyPoint Technologies to be securely wiped clean prior to disposal.

Privacy breach

If a privacy breach occurs, respond as quickly as possible to minimise harm to the affected people and organisation.

If the breach is related to Central Kids stored data, contact SkyPoint Technologies advising them of the concern to ensure all appropriate security protocols are checked and in place.

Follow the Privacy Breach Procedure.

Notifiable events

A privacy breach is notifiable to the Privacy Commission within 72 hours if it is reasonable to believe it has caused serious harm to an affected individual (or individuals) or is likely to do so.

If assessment of impact is still occurring, notification should occur proactively to err on the side of caution.

A notifiable event to the Privacy Commission must also be reported to the Regulatory body for the service, which is Ministry of Education or Ministry of Social Development.

The person/s impacted by the breach must be informed as soon as practicably possible. Investigations relating to teachers are notifiable to the teaching council.

References
  • Education and Training Act 2008.
  • Privacy Act 2020.
  • Childrens Act 2014.
  • Family Court Act 1980.
  • Oranga Tamariki Act 1989.
  • Family Violence Act 2018.
  • Charities Act 2005.
Standards

Privacy Act 2020 and associated codes of practice

Linked policies and procedures
  • Early Childhood Enrolment Procedure.
  • Mātauranga Ake Intake Procedure.
  • Information Sharing Guideline.
  • Privacy Breach Procedure.
  • Protection of Tamariki Policy.
  • Protected Disclosures Policy.
  • Human Resources Policy.
  • Delegations of Authority Policy.
Policy review

Central Kids may amend and vary its policies from time to time at Central Kids discretion and employees are required to observe such amended policies.