Reminder - Changes to Privacy Law for ECEC services

As you may be aware, Early Childhood Education and Care (ECEC) services are required to comply with Australia's privacy law, known as the Privacy Act 1988 (the Act).

Privacy Laws

Why do ECEC services have to comply with privacy law?
Under Australia's privacy law, ECEC services are deemed as health service providers, which puts them in the category of an “Australian Privacy Principle (APP) Entity”. Under Australian law, all APP entities are bound by the Act and must comply with it.

Your responsibilities
In order to comply with the Privacy Act, ECEC services are required to follow the Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act).

The APPs outline how ECEC services (and other relevant businesses) must handle, use and manage the personal information of their clients. The guidelines are not prescriptive, as each APP entity needs to consider how the principles apply to their own situation (in terms of operations, data management, IT platforms, etc).

In particular, the principles cover how personal information can be used and disclosed (including overseas), keeping personal information secure, and the open and transparent management of personal information including having a privacy policy. 

New requirements under the Privacy Act as of 22 February 2018
The Privacy Act was amended in February 2017, with the changes due to take effect on February 22, 2018. 

The new law introduces a Notifiable Data Breaches (NDB) scheme that requires all businesses regulated by the Privacy Act (including ECEC services) to provide notice to the Office of the Australian Information Commissioner (formerly known as the Privacy Commissioner) and affected individuals of any data breaches (ie. data leaks) that are “likely” to result in “serious harm.”

Businesses that suspect an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected.

A failure to notify that is found to constitute a serious interference with privacy under the Privacy Act may result in a fine of up to $360,000 for individuals or $1.8 million for organisations.

Read our blog article here for more information about how to comply with this new privacy law.