Privacy Policy
Purpose
At Kids’ World Education Group (KWEG), we prioritize and respect the privacy rights of families, staff, and children. Privacy can hold different meanings for different individuals, and we are committed to ensuring that our interactions safeguard the dignity and security of those we serve. This includes avoiding actions or assumptions that could offend, embarrass, or endanger children or their families. Our policy aligns with the Privacy Act 2020, WorkSafe New Zealand guidelines, the Education (Early Childhood Services) Regulations 2008, Licensing Criteria for Centre-Based ECE Services, and NELP 1.1 to maintain a robust framework for privacy compliance.
This policy outlines how Kids’ World collects, uses, discloses and protects personal information. The primary goal of this policy is to emsure transparency, build trust with individuals (such as clients, employees and stakeholders), and protect the privacy of families and staff while complying with legal requirements such as with the Privacy Act 2020. It also aims to uphold the health, safety, and well-being of children by maintaining transparent and ethical practices throughout our operations.
Personal information is information about an identifiable individual (a natural person).
Scope
These procedures apply to all staff who work for or with the Kids’ World Education Group (KWEG), and to any volunteers, contractors, clients, whānau and all stakeholders.
Background
KWEG’s privacy policy includes a high-level confidentiality relating to Disclosure, Personal Information and requests and Procedures to prevent Privacy breaches. All KWEG staff are expected to manage personal information in accordance with this Privacy policy, which promotes the following concepts:
● Data minimisation – limiting the amount of personal information the Centre/ Organisation
collects and retains
● Transparency – being open and honest about what information the Centre/ Organisation
collects and how it will be used
● Security – protecting the personal information the Centre/ Organisation holds from harm.
● Use limitation – making sure the Centre/ Organisation uses and discloses personal information
only when necessary and with a lawful basis
● Privacy rights – helping the Centre/ Organisation’s data subjects to exercise their privacy rights
and maintain some control over their information.
Privacy is particularly important for all centres, which collect and process personal information about vulnerable people – including tamariki and their whānau – and may have to use or share personal information in ways that could impact on individual trust. These procedures are intended to help centres to manage their specific regulatory and obligations in a way that protects and respects the privacy of individuals’ personal information.
All centres must manage personal information in accordance with this Privacy Act 2020, this polic , and associated procedures.
Governance
● Each Centre Manager will act as the first line Privacy Officer for their centres. The General Manager, with the support of The Quality Assurance Manager will provide support, and a point of escalation, to Centre Managers where required.
● All Centre Managers and authorised staff must only collect personal information for a lawful
purpose conected with a function or an activityof the cnetre,and the collection of the infirmation is
necessary for that purpose. The types of personal information we collect about tamariki and their
whānau are listed in the Privacy Statement.
● All Centre Managers and authorised staff will directly collect personal information about tamariki from their parents/guardians. If we need to collect personal information from another third-party source – such as the Police – we should ask for the consent of the individual concerned before doing so.
● All centres staff, students, volunteers and contractors must read and understand the Privacy
Statement and be able to explain to parents/guardians or others why personal information is
required, and how it may be used or shared.
● All Centre Managers and authorised staff must collect information in ways that are fair and not
unreasonably intrusive. This requires us to consider:
○ The age of the person we’re collecting information from. The younger they are,
the less they may understand about the consequences of giving us information or
authorising us to collect it from someone else.
○ Cultural or religious sensitivities about sharing certain information. For example,
gender differences could be more important for some cultures.
○ The power imbalance between a teacher and their tamariki, or between centres
staff and parents/guardians, which can have an impact on fairness.
○ The environment within which we’re collecting information. For example, we
should not ask tamariki to reveal sensitive information in a classroom setting.
Staff must obtain the written consent of parents/guardians in order to use photographs or videos
footage of their tamariki for any public purposes, such as research, promotion, marketing, or sharing with parent/guardian class groups.
● Parents/guardians or whānau must not be permitted to take photographs or video footage of
tamariki at any centre.
● All staff must only use centre devices to capture photographs or video footage of tamariki. If
personal devices are used, photographs or videos must be promptly transferred to centre systems
and deleted from those devices.
● All staff must only use and disclose personal information in accordance with the Privacy Act, this
policy and the Privacy Statement. Any uses of information for new purposes, or disclosures to third
parties not listed in the Privacy Statement, must be approved by the General Manager
● All centres staff, students, volunteers, and contractors must confirm that the relevant
parent/guardian has provided written consent before using photographs, videos or other media
about their tamariki for any public purposes, such as research, promotion, marketing, or sharing
with parent/guardian class groups.
● All centres staff, students, volunteers and contractors must never disclose personal information,
including photographs or videos of tamariki, on social media platforms or other websites. For more
information on acceptable use of social media platforms and other technology, refer to the Social
Media policy.
● All Centre Managers and authorised staff must refer requests for information from government or law enforcement agencies, including Oranga Tamariki or the Police, to the General Manager.
Use & Disclosure
Kids’ World has the right to use and disclose information for legitimate business purposes, provided they comply with Privacy laws, or to comply with legal requirements.
Use of Personal Information-
● Use of Personal Information: Kids’ World staff can only use personal information for the
purpose it is collected unless the individual consents or another lawful reason applies (eg.
Preventing a serious threat to health and safety)
● Accuracy: Kids’ World staff must ensure information is up to date and accurate before
use
● For Disclosure of Personal Information
o Consent required
o Disclosure is generally only allowed with individual’s consent
o Limited circumstances
Information may be disclosed without consent ifo It is necessary to prevent serious threat to public health and safety
o It is required by law or law enforcement purposes
o It is directly related to the reason of collection.
Guidelines
For Children
● Information collected during enrolment and attendance is securely stored for seven years.
Computers are password-protected, and physical records are kept in locked filing cabinets. At the
time of enrolment, families provide consent for the use of children’s images for specific purposes,
including assessment, planning, evaluation, displays, advertising, website content, and Educa secure online platforms.
● The enrolment form includes a clear privacy statement detailing the purposes for which information will be used and any potential sharing of this information. If Oranga Tamariki requests information about a child currently or previously enrolled, a written request is required to verify the identity of the requester and ensure compliance with privacy standards.
For Staff
● Staff are expected to uphold privacy standards by avoiding the use of children’s images on personal social media platforms, such as Facebook. Professional boundaries must be maintained, and staff are discouraged from forming social media connections with parents.
● Photographic and video recordings of children, whether taken on personal or centre-owned devices, must be used strictly for professional purposes. This includes learning stories, planning, centre documentation, and Educa uploads. These recordings should never be used outside the scope of centre activities or without explicit consent.
For Parents
● Parents who wish to take photos during events like birthdays or farewells must do so under staff
supervision to ensure that no other children are identifiable in the images. Staff members may take
photos on behalf of parents in such cases. Video recordings by parents are not permitted to maintain the privacy of all children.
For Student Teachers
● Student teachers are required to sign the Student Teacher Policy, which outlines privacy
expectations. They must obtain signed parental consent before using children’s information or
images for assignments. A signed copy of the policy is retained in the office for accountability.
CCTV
● Certain KWEG sites are equipped with CCTV to enhance security, prevent crime, regulate access,
and support safety. Camera footage is securely stored at designated locations, and access is
restricted to management or authorised personnel. Any queries about CCTV use can be directed to
the Centre Manager.
● KWEG remains dedicated to fostering a safe, inclusive, and respectful environment. By adhering to robust privacy standards and regulatory requirements, we ensure the trust and confidence of the
children, families, and staff within our community.
Access & Correction
● Individuals have the right to access their personal information. This means parents/guardians, staff, volunteers, students and contractors can request a copy of personal information about themselves. These requests must be escalated to the General Manager
● Any requests from parents or guardians for the personal information their child(ren) must be
referred to the General Manager, who will consider whether the access is in the best interests of
the child, or whether there are other legal considerations before granting access.
● It should be noted that parents/guardians have access to a secure online learning profile which
contains written and visual materials about their tamaiti experience while attending the centre(s).
● Individuals have the right to request a correction to their personal information. They should provide evidence to confirm that they are the Individual to whom the personal information relates. If the correction is reasonable and Kids’ World is reasonably able to change the personal information, the correction will be made.
Retention
● Personal information must be retained in accordance with the regulations.
● All centre managers and authorised staff must ensure that the information is not retained for longer than we have a lawful purpose to use it. In some cases, the information we hold is subject to
legislative retention requirements. For example, children’s personal information should genrally be retained for 7 years to meet Ministry of Education funding audit requirements and other legal
obligations.
● Personal information can only be disposed by the General Manager.
Security
● All centres staff, students, volunteers and contractors must take reasonable steps to protect the
personal information we hold from loss, unauthorised access, use or disclosure, or any other misuse.
● All centres staff, students, volunteers and contractors must ensure that they access and use only
the personal information they need to discharge their lawful functions.
● Personal information must be stored securely, in lockable cabinets, or in the secure system of record for that type of information. Some employment information is stored by the Kids’ World HR Admin team in their secure systems.
● Personnel files for centres staff, students, volunteers and contractors may only be directly accessed by the Centre Manager or Area Manager/Senior management. Where necessary, personal
information about staff, students, volunteers and contractors may be made available to HR staff,
authorised administrative staff, or third parties required to conduct audits, such as the Ministry of
Education or Education Review Office.
● Privacy breaches must be reported immediately to the General Manager. The General Manager
must ensure that privacy breaches are managed in accordance with the policy. Complaints from
parents/guardians or whānau about privacy issues should also be reported to the General Manager.
The following definitions apply to this document:
Parent/guardian means the adult/s who is responsible for the upbringing and care of the tamaiti. This could include the mother OR the father acting as a sole guardian, and anyone else the Family Court has appointed as a guardian. For more information on who could be a guardian, check this Ministry of Justice link.
Personal information means information about identifiable individual. This means any information that can directly identify a person. It does not matter how information is stored or collected- it could be written, verbal, digital, visual or any other format.
Privacy breach means an event (whether intentional or unintentional) in which personal information is lost or is accessed, altered, disclosed or destroyed without authorisation, or is at increased risk due to poor security safeguards, including but not limited to:
● accidental disclosure of personal information to the wrong recipient;
● employee browsing of personal information without a legitimate business reason;
● an external attack on a system; or
● a lost or stolen KWEG device or document
Key Relevant Documents
● Privacy Act 2020
● Education (Early Childhood Service) Regulations 2008
● Health and Safety in Employment Act 1992
● Children’s Act 2014
● Oranga Tamariki Act 1989
Appendix 1: Information Sharing Guidelines
In some cases, centres may be requested to, or decide to, share personal information about tamariki with government agencies. Where such disclosures are required or permitted by another law (such as sections 15 or 66 of the Oranga Tamariki Act), these will not breach the Privacy Act. Where no other law applies, then we must ensure that an exception to principle 11 of the Privacy Act (which relates to disclosure) applies to permit us to share the information.
Responding to Requests for Information from Government Agencies
All centres may receive requests for information about tamariki from various government agencies, including the Police, the Ministry of Education, or Oranga Tamariki. These requests must be managed in accordance with the following steps.
Escalate the request
Requests for information from government agencies must be escalated to the Centre Manager or, if
appropriate, the QAM or General Manager
Verify that the request is genuine
Ensure that the request has been received in writing from a valid agency email address or on agency letterhead. If in doubt, contact the agency using a publicly available phone number to verify the request.
Confirm the legal basis for the request
Ensure that the request states the specific legislative provision it is being made under. For Oranga Tamariki, this will usually be section 66 of the Oranga Tamariki Act. If there is no legislative basis for the request, then the All services / centres will need to ensure the disclosure is permitted by the Privacy Act (see below).
Clarify the request
Before making a decision on a request, we need to be clear about:
The scope of the request – how much information is the requester asking for, about whom, in relation to what time period, etc?
The purpose for the request – is it made as part of a child welfare concern or investigation, or as part of legal proceedings?
Limit the scope of the disclosure
Remember, we should only ever disclose the minimum amount of personal information required to meet the purposes of the request. Always ensure that information provided is objective, impartial and factual, and that the information is not hearsay.
Proactive disclosures of information to government agencies
Remember, centres can always disclose personal information to third parties in the ways we outlined in the centres Privacy Statement. However, situations may arise in which we believe it is necessary to disclose information in ways that our tamariki, parents/guardians or whānau might not expect.
Reporting suspected abuse
Section 15 of the Oranga Tamariki Act states that, if we believe that a child or young person has been, or is likely to be, harmed, ill-treated, abused, (whether physically, emotionally, or sexually), neglected, or deprived, or if we have concerns about the well-being of a child or young person, we may report the matter to Oranga Tamariki or the Police.
Sharing other safety concerns
In cases where section 15 of the Oranga Tamariki Act will not apply – for example where we need to disclose information to a member of a tamaiti’s whānau – principle 11 of the Privacy Act permits us to disclose personal information if we believe on reasonable grounds that it is necessary to prevent or lessen a serious threat to health or safety.
To rely on this exception, we need to:
● be satisfied that a serious threat exists; and
● believe on reasonable grounds that disclosure is necessary to prevent or lessen that serious threat.
To decide if a threat is serious, the Privacy Act requires us to consider:
● The likelihood of the threat occurring – is there a good chance this thing will happen?
● The severity of the consequences if the threat occurs – if it happens, how bad will it be?
● The time at which the threat might occur – how soon could this happen?
We also need to make sure we disclose personal information to a person or agency that can actually do something about the threat. This might be the Police, a member of a tamaiti’s whānau, a healthcare provider, or an emergency healthcare provider. We cannot use this exception to disclose information to the media or any other person or agency that does not have a role in protecting people or the person concerned.
Remember, we should only ever disclose the minimum amount of personal information required to assist with preventing or lessening the threat.
Keep a record of all disclosures
In the event of a complaint to the Privacy Commissioner, we must be able to demonstrate that we had a reasonable basis to believe we could disclose personal information at the time we disclosed it. This means we must keep a record of all disclosures made under this procedure, which includes the following information:
● Date of the disclosure
● Details of the person or agency to which the information was disclosed
● Copy of the request
● Record of reasons for disclosing the information
● Copy of any advice received about the disclosure
● Record of what information was disclosed