Privacy Policy

Purpose

At Kids’ World Education Group (KWEG), we prioritize and respect the privacy rights of families, staff, and children. Privacy can hold different meanings for different individuals, and we are committed to ensuring that our interactions safeguard the dignity and security of those we serve. This includes avoiding actions or assumptions that could offend, embarrass, or endanger children or their families. Our policy aligns with the Privacy Act 2020, WorkSafe New Zealand guidelines, the Education (Early Childhood Services) Regulations 2008, Licensing Criteria for Centre-Based ECE Services, and NELP 1.1 to maintain a robust framework for privacy compliance.

The procedures support Kids World Education Group’s Privacy Framework, outlining specific privacy procedures and considerations relating to the management of personal information by KWEG centres.The primary goal of this policy is to protect the privacy of families and staff while ensuring full compliance with the Privacy Act 2020. It also aims to uphold the health,  safety, and well-being of children by maintaining transparent and ethical practices throughout our operations.

Scope

These procedures apply to all staff who work for or with the Kids’ World Education Group (KWEG), and to any volunteers, including whānau.

Background

KWEG’s privacy policy includes a high-level confidentiality relating to Disclosure, Personal Information and requests and Procedures to maintain Privacy breaches. All KWEG staff are expected to manage personal information in accordance with this Privacy policy, which promotes the following concepts:

● Data minimisation – limiting the amount of personal information the Centre/ Organisation collects and retains
● Transparency – being open and honest about what information the Centre/ Organisation collects and how it will be used
● Security – protecting the personal information the Centre/ Organisation holds from harm.
● Use limitation – making sure the Centre/ Organisation uses and discloses personal information only when necessary and with a lawful basis
● Privacy rights – helping the Centre/ Organisation’s data subjects to exercise their privacy rights and maintain some control over their information.

Privacy is particularly important for all centres, which collect and process personal information about vulnerable people – including tamariki and their whānau – and may have to use or share personal information in ways that could impact on individual trust. These procedures are intended to help All services / centres to manage their specific
regulatory and safety requirements in a way that protects and respects tamariki and whānau privacy.

All centres must generally manage personal information in accordance with this Privacy Policy and associated procedures, with the exception of the specific procedures set out below. In the event of any inconsistency between these centres procedures and the organisation’s general Privacy Policy and associated procedures,the centre’s procedures will prevail.

Governance

Each Centre Manager will act as the first line Privacy Officer for their centres. General Manager, with the support of Quality Assurance Manager provide support, and a point of escalation, to Centre Managers where required.
● All Centres must collect only the personal information they need to deliver services and meet their regulatory and other requirements. The types of personal information we collect about tamariki and their whānau are listed in the Privacy Statement.
● All centres will generally collect personal information about tamariki from their parents/guardians. If we need to collect personal information from another third-party source – such as the Police – we should ask for the consent of the individual concerned before doing so.
● All centres staff, students, volunteers and contractors must read and understand the Privacy Statement and be able to explain to parents/guardians or others why personal information is required, and how it may be used or shared.
● All centres must collect information in ways that are fair and not unreasonably intrusive. This requires us to consider:
● The age of the person we’re collecting information from. The younger they are, the less they may understand about the consequences of giving us information or authorising us to collect it from someone else.
● Cultural or religious sensitivities about sharing certain information. For example, gender differences could be more important for some cultures.
● The power imbalance between a teacher and their tamariki, or between centres staff and
parents/guardians, which can have an impact on fairness.

The environment within which we’re collecting information. For example, we should not ask tamariki to reveal sensitive information in a classroom setting.
● In some cases, centres must ask parents/guardians for their consent to collect or use personal information in certain ways. For example, we must obtain the written consent of parents/guardians in order to use photographs or videos footage of their tamariki for any public purposes, such as research, promotion, marketing, or sharing with parent/guardian class groups.
● Parents/guardians or whānau must not be permitted to take photographs or video footage of tamariki at All services / centres.
● All centres must use only centre devices to capture photographs or video footage of tamariki. If personal devices are used, photographs or videos must be promptly transferred to centre systems and deleted from those devices. All centres should generally use and disclose personal information only in the ways we outline in the Privacy Statement. Any uses of information for new purposes, or disclosures to third parties not listed in the Privacy Statement, must be approved by the General Manager.

● All centres staff, students, volunteers, and contractors must confirm that the relevant parent/guardian has provided written consent before using photographs, videos or other media about their tamariki for any public purposes, such as research, promotion, marketing, or sharing with parent/guardian class groups.
● All centres staff, students, volunteers and contractors must never disclose personal information, including photographs or videos of tamariki, on social media platforms or other websites. For more information on acceptable use of social media platforms and other technology,
● All centres must manage requests for information from government or law enforcement agencies, including Oranga Tamariki or the Police, in accordance with the Information Sharing Process set out at Appendix 1

Use & Disclosure

All centres may proactively disclose personal information to certain government or law enforcement agencies if they believe this is necessary to ensure the safety of a tamaiti. Such disclosures should be managed in accordance with the Information Sharing Process at Appendix 1.
● All centres must manage requests from parents/guardians for personal information about their tamariki.

Guidelines

For Children
● Information collected during enrolment and attendance is securely stored for seven years. Computers are password-protected, and physical records are kept in locked filing cabinets. At the time of enrolment, families provide consent for the use of children’s images for specific purposes, including assessment, planning, evaluation, displays, advertising, website content, and Educa secure online platforms.
● The enrolment form includes a clear privacy statement detailing the purposes for which information will be used and any potential sharing of this information. If Oranga Tamariki requests information about a child currently or previously enrolled, a written request is required to verify the identity of the requester and ensure compliance with privacy standards.

For Staff
● Staff are expected to uphold privacy standards by avoiding the use of children’s images on personal social media platforms, such as Facebook. Professional boundaries must be maintained, and staff are discouraged from forming social media connections with parents.
● Photographic and video recordings of children, whether taken on personal or centre-owned devices, must be used strictly for professional purposes. This includes learning stories, planning, centre documentation, and Educa uploads. These recordings should never be used outside the scope of centre activities or without explicit consent.

For Parents
● Parents who wish to take photos during events like birthdays or farewells must do so under staff supervision to ensure that no other children are identifiable in the images. Staff members may take photos on behalf of parents in such cases. Video recordings by parents are not permitted to maintain the privacy of all children.

For Student Teachers
● Student teachers are required to sign the Student Teacher Policy, which outlines privacy expectations. They must obtain signed parental consent before using children’s information or images for assignments. A signed copy of the policy is retained in the office for accountability.

CCTV
● Certain KWEG sites are equipped with CCTV to enhance security, prevent crime, regulate access, and support safety. Camera footage is securely stored at designated locations, and access is restricted to management or authorised personnel. Any queries about CCTV use can be directed to the Centre Manager.
● KWEG remains dedicated to fostering a safe, inclusive, and respectful environment. By adhering to robust privacy standards and regulatory requirements, we ensure the trust and confidence of the children, families, and staff within our community.

Access & Correction

● All data subjects have the right to request a copy of personal information centres hold about them. This means parents/guardians, staff, volunteers, students and contractors can request a copy of personal information about themselves. These requests must be escalated to the Centre Manager, and Quality Assurance Manager.
● The Privacy Act does not give parents/guardians an enforceable right to request a copy of the personal information we hold or create about their tamariki. In practice, we will share personal information about tamariki with their parents/guardians, both on request and proactively as part of our ongoing operations. However, we must always take into consideration the best interests of our tamariki. There may be circumstances in which it is not in the best interests of the tamaiti for us to release personal information to their parent/guardian (for example, where we have documented suspicions of child abuse or neglect). In these cases, we may refuse to release personal information to parents/guardians.
● It should be noted that parents/guardians have access to a secure online learning profile which contains written and visual materials about their tamaiti’s experience while attending the centre(s).

Retention

● Personal information must be retained in accordance with the regulations.
● Where the Regulation does not specify a retention period for a specific type of personal information, All centres must ensure that the information is not retained for longer than we have a lawful purpose to use it. In some cases, the information we hold is subject to legislative retention requirements. For example, the Early Childhood Education Regulations 2008 require us to retain tamariki enrolment forms for 7 years.
● All centres staff, students, volunteers and contractors must take reasonable steps to protect the personal information we hold from loss, unauthorised access, use or disclosure, or any other misuse.
● All centres staff, students, volunteers and contractors must ensure that they access and use only the personal information they need to discharge their lawful functions.
● Personal information must be stored securely, in lockable cabinets, or in the secure system of record for that type of information. Some employment information is stored by the Kids’ World HR Admin team in their secure systems.
● Personnel files for centres staff, students, volunteers and contractors may only be directly accessed by the Centre Manager or Area Manager/Senior management. Where necessary, personal information about staff, students, volunteers and contractors may be made available to HR staff, authorised administrative staff, or third parties required to conduct audits, such as the Ministry of Education or Education Review Office.
● Privacy breaches must be reported immediately to the Centre Manager. The Centre Manager must ensure that privacy breaches are managed in accordance with the policy. Complaints from parents/guardians or whānau about privacy issues should also be reported to the Centre Manager.
● The Centre Manager will update all these complaints to the Quality assurance Manager and general Manager.

The following definitions apply to this document:
Parent/guardian means the adult/s who is responsible for the upbringing and care of the tamaiti. This could include the mother OR the father acting as a sole guardian, and anyone else the Family Court has appointed as a guardian. For more information on who could be a guardian, check this Ministry of Justice link.
Data subject means any natural person about whom the organisation collects and holds personal information and includes students, staff members, contractors, and friends, and visitors to the websites. For the purposes of these procedures, data subjects include tamariki, parents/guardians and whānau.

Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other
correspondence, and opinions about the data subject.

Privacy breach means an event (whether intentional or unintentional) in which personal information is lost or is accessed, altered, disclosed or destroyed without authorisation, or is at increased risk due to poor security safeguards, including but not limited to:
● accidental disclosure of personal information to the wrong recipient;
● employee browsing of personal information without a legitimate business reason;
● an external attack on a system; or
● a lost or stolen KWEG device or document

Kids’ World KWEG member includes staff members, office’ staff and senior management and contractors working for and on behalf of the KWEG and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the centre.

Key Relevant Documents

● Privacy Act 2020
● Education (Early Childhood Service) Regulations 2008
● Health and Safety in Employment Act 1992
● Children’s Act 2014
● Oranga Tamariki Act 1989

Appendix 1: Information Sharing Guidelines

In some cases, centres may be requested to, or decide to, share personal information about tamariki with government agencies.

Where such disclosures are required or permitted by another law (such as sections 15 or 66 of the Oranga Tamariki Act), these will not breach the Privacy Act. Where no other law applies, then we must ensure that an exception to principle 11 of the Privacy Act (which relates to disclosure) applies to permit us to share the information.

Responding to Requests for Information from Government Agencies

All centres may receive requests for information about tamariki from various government agencies, including the Police, the Ministry of Education, or Oranga Tamariki. These requests must be managed in accordance with the following steps.

Escalate the request
Requests for information from government agencies must be escalated to the Centre Manager or, if appropriate, the QAM or General Manager.

Verify that the request is genuine
Ensure that the request has been received in writing from a valid agency email address or on agency letterhead. If in doubt, contact the agency using a publicly available phone number to verify the request.

Confirm the legal basis for the request
Ensure that the request states the specific legislative provision it is being made under. For Oranga Tamariki, this will usually be section 66 of the Oranga Tamariki Act. If there is no legislative basis for the request, then the All services / centres will need to ensure the disclosure is permitted by the Privacy Act (see below).

Clarify the request
Before making a decision on a request, we need to be clear about:
The scope of the request – how much information is the requester asking for, about whom, in relation to what time period, etc?
The purpose for the request – is it made as part of a child welfare concern or investigation, or as part of legal proceedings?

Limit the scope of the disclosure
Remember, we should only ever disclose the minimum amount of personal information required to meet the purposes of the request. Always ensure that information provided is objective, impartial and factual, and that the information is not hearsay.

Proactive disclosures of information to government agencies
Remember, centres can always disclose personal information to third parties in the ways we outlined in the centres Privacy Statement. However, situations may arise in which we believe it is necessary to disclose information in ways that our tamariki, parents/guardians or whānau might not expect.

Reporting suspected abuse
Section 15 of the Oranga Tamariki Act states that, if we believe that a child or young person has been, or is likely to be, harmed, ill-treated, abused, (whether physically, emotionally, or sexually), neglected, or deprived, or if we have concerns about the well-being of a child or young person, we may report the matter to Oranga Tamariki or the Police.

Sharing other safety concerns
In cases where section 15 of the Oranga Tamariki Act will not apply – for example where we need to disclose information to a member of a tamaiti’s whānau – principle 11 of the Privacy Act permits us to disclose personal information if we believe on reasonable grounds that it is necessary to prevent or lessen a serious threat to health or safety.

To rely on this exception, we need to:
● be satisfied that a serious threat exists; and
● believe on reasonable grounds that disclosure is necessary to prevent or lessen that serious threat.

To decide if a threat is serious, the Privacy Act requires us to consider:
● The likelihood of the threat occurring – is there a good chance this thing will happen?
● The severity of the consequences if the threat occurs – if it happens, how bad will it be?
● The time at which the threat might occur – how soon could this happen?

We also need to make sure we disclose personal information to a person or agency that can actually do something about the threat. This might be the Police, a member of a tamaiti’s whānau, a healthcare provider, or an emergency healthcare provider. We cannot use this exception to disclose information to the media or any other person or agency that does not have a role in protecting people or the person concerned.

Remember, we should only ever disclose the minimum amount of personal information required to assist with preventing or lessening the threat.

Keep a record of all disclosures

In the event of a complaint to the Privacy Commissioner, we must be able to demonstrate that we had a reasonable basis to believe we could disclose personal information at the time we disclosed it. This means we must keep a record of all disclosures made under this procedure, which includes the following information:
● Date of the disclosure
● Details of the person or agency to which the information was disclosed
● Copy of the request
● Record of reasons for disclosing the information
● Copy of any advice received about the disclosure
● Record of what information was disclosed

Contact us now for a tour of our centre.
We are taking enrolments now. Book your tour Now!
BOOK NOW

© Copyright 2025 Lots of Hugs Childcare. All rights reserved. | Privacy Policy

Contact Us