Privacy and Confidentiality Policy – Excellent Kids Montessori Early Learning

Effective Date: May 2026
Version: 1.0
Policy Owner: Approved Provider / Nominated Supervisor
Review Date: Annually or as required by legislation
1. Introduction
Excellent Kids Montessori Early Learning (“the service”, “we”, “us”, “our”) is committed to protecting the privacy and confidentiality of all individuals who interact with our centre. This policy explains how we collect, use, store, and disclose personal information in accordance with the Privacy Act 1988 (Cth) (including the Australian Privacy Principles), the National Quality Framework (NQF), the Education and Care Services National Regulations, and the terms outlined in our Confidentiality Deed.
This policy is for general public information and applies to families, children, educators, visitors, job applicants, and other stakeholders.
Children's Privacy Rights
We recognise that children have a right to privacy consistent with their developmental capacity. We will only collect, use, or share a child's personal information (including photos, observations, and work samples) with parental consent unless required by law (e.g., child protection reporting). As a child grows, we will involve them in decisions about their information where appropriate.
2. What Personal Information We Collect (Including for URL Ascertainment)
Plain Language Explanation – Why we need your email address:
To give you secure online access to your child's learning stories, photos, enrolment details, and government subsidy information, we create a unique web link (URL) that is sent to your email address. This requires us to collect and store your email address as a digital identifier. Without it, you cannot access our secure parent portal.
To provide early childhood education and care, and to meet our legal obligations (including verifying identities for online portals, government systems, and digital enrolment records), we collect the following personal information sufficient to ascertain a URL (i.e., to verify a unique digital identity, email address, or web-based contact point):
For Parents, Guardians, and Emergency Contacts:
· Full name and preferred contact name
· Email address (primary method for ascertaining a URL / digital identity)
· Residential address
· Phone numbers (mobile, home, work)
· Centrelink Customer Reference Number (CRN)
· Medicare number (where relevant for CCS or immunisation)
· Custody arrangements or parenting orders (to determine authorised online access)
· Digital consent records (for photos, videos, online learning journals)
For Children Enrolled:
· Full name, former name, date and place of birth
· Email address of parent/guardian (used to issue a unique URL for secure parent portal access)
· Immunisation status and Medicare number
· Medical conditions, allergies, additional needs
· Dietary requirements, cultural or religious considerations
· Languages spoken at home
· Photographs, videos, and samples of work (uploaded to secure URL-linked portfolios)
· Birth certificate extract (where required for enrolment verification)
For Staff, Volunteers, and Job Candidates:
· Name, contact details (including email), qualifications, working with children check
· Performance management records (confidential, internal use)
· Information from referees (with consent)
Why we collect email addresses and URL identifiers: Your email address is used to generate a unique web link (URL) for secure access to our parent portal, online learning stories, enrolment updates, and government services such as the Child Care Subsidy system. Without a valid email address or digital identifier, we may be unable to provide you with full online access to your child's records.
3. What Is Confidential Information (Based on Our Confidentiality Deed)
Confidential, personal, and sensitive information includes but is not limited to:
1. Information about families and children – verbal, written, or electronic: contact details, medical/developmental needs, family structure, date of birth, culture, religion, languages.
2. Information about other employees – qualifications, medical conditions, performance appraisals.
3. Business operations – budgets, supplier lists, strategies, policies, procedures, pricing.
4. Intellectual property – programs, observations, behaviour guidance plans, resources, artwork, reports created by staff during employment.
5. Information supplied by or relating to any other person associated with the service.
6. Information with actual or potential value (financial or otherwise) to the service.
7. Any copies, summaries, or notes of the above.
Confidential information does NOT include:
· Information that becomes public knowledge without any fault of the employee.
· After termination, information that has become part of an employee's general skill, knowledge, and experience.
4. How We Collect Personal Information
We collect personal information:
· Directly from you – via enrolment forms, digital forms, email, phone, or in-person conversations.
· Through our website and parent portal – when you access a unique URL sent to your email address (e.g., for logging in to view child updates).
· From third parties with consent – e.g., previous early learning centres, regulatory authorities, or health professionals.
· Indirectly – only where it is unreasonable or impracticable to collect directly (e.g., from a referring agency).
Photographs, videos, and work samples are collected at the centre. Emergency contact details are collected from parents/guardians.
5. Use of Personal Information
We use your personal information for the primary purpose of providing early childhood education and care, including:
· Managing enrolment and waitlists
· Documenting children's learning (via secure URL-linked portfolios)
· Communicating with you via email, SMS, or parent portal
· Meeting regulatory requirements (e.g., National Regulations, child protection)
· Advocating for child well-being, protection, and development
· Direct marketing (with opt-out available – see Section 9)
We will not use your information for purposes unrelated to the service without your consent, unless authorised or required by law.
6. Disclosure of Personal Information
We will only disclose your personal information for the purpose it was collected or a reasonably expected or related secondary purpose.
We may disclose personal information to:
· Third-party service providers (e.g., IT support for parent portal, legal advisors) – these providers are contractually bound to comply with Australian Privacy Principles.
· Regulatory authorities – as required by law (see Section 6.1 below).
· Child protection or family support agencies where we reasonably believe a child is at risk of significant harm.
· A purchaser of our business as a going concern.
We will not disclose your information to any other person outside the service without your express written permission, except where legislation requires disclosure.
6.1 Regulatory Disclosures – Examples
We may disclose personal information without your consent to:
· Department of Education (for subsidy compliance and regulatory audits)
· ACECQA (for national quality framework assessments)
· State child protection agencies (e.g., Child Safety, Department of Communities) when we reasonably believe a child is at risk of significant harm
· Police or law enforcement when required by a court order or subpoena
7. Storage and Security (Based on Our Confidentiality Deed)
We take all reasonable precautions to prevent unauthorised access, modification, misuse, or disclosure of confidential information:
· Written documents – stored in locked cabinets or secure rooms within the centre.
· Electronic information – All electronic information, including photos, videos, learning stories, enrolment records, and parent portal data, is stored exclusively in a secure cloud-based system hosted within Australia.
· Password protection – all devices and cloud-based programs are password protected with automatic logout enabled.
· Access – only on a "need-to-know" basis for authorised employees. No sharing of login credentials.
· Removal of information – confidential information (written or electronic) is not to be removed from the premises without the Centre Director's or Approved Provider's approval.
· Personal devices – no storing of confidential images or information on personal phones, laptops, or unapproved devices.
· Destruction – information is shredded or permanently deleted from cloud storage when no longer required by law or policy.
· Return of information – immediately upon request or upon termination of employment.
URL-specific security: Parent portal URLs sent via email are unique and require individual login credentials. The portal is hosted on our Australian-based cloud platform. Families are responsible for keeping their login details confidential.
8. Intellectual Property
All intellectual property created or developed by an employee during employment (including programs, observations, strategies, reports, artwork, and digital content linked to a child's URL-based portfolio) belongs solely to the service. Employees assign all rights to the service and waive moral rights to the extent permitted by law.
9. Direct Marketing and Opt-Out
We may use your email address (i.e., the identifier used to ascertain a URL) to send you information about our services, events, or newsletters. You may opt out at any time:
· Click the "unsubscribe" link in any marketing email
· Email us at [Insert Centre Email] with "Unsubscribe" in the subject line
Opting out of marketing does not affect essential service communications (e.g., enrolment updates, emergency notifications).
10. Access and Correction
You may request access to the personal information we hold about you or your child. Requests must be made in writing to the Centre Director.
10.1 How to Request Access
To request access to your personal information, please email the Centre Director at [Insert Centre Director Email] with the subject line "Privacy Access Request". We will:
· Acknowledge your request within 7 days
· Provide access within 30 days unless an exception under the Privacy Act applies
· Provide a written explanation if access is denied
There is no fee for making a request, but we may charge a reasonable administrative fee for providing copies of documents.
10.2 Correction of Information
If you believe our records are incorrect, please contact the Centre Director and we will take reasonable steps to correct the information so that it is accurate, complete, and up to date.
We may decline access or correction in certain circumstances (e.g., risk of harm to an individual, unreasonable impact on others' privacy). If declined, we will provide written reasons.
11. Information Storage (Cloud-Based in Australia)
All personal information collected by Excellent Kids Montessori Early Learning is stored exclusively in secure cloud-based servers located within Australia. We do not store or process any personal information on servers located outside of Australia.
Our Australian-based cloud storage provider is contractually bound to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We conduct regular reviews to ensure ongoing compliance with data sovereignty and security requirements.
12. Retention of Personal Information
We retain personal information for as long as required to provide our services and meet legal obligations.
Under the Education and Care Services National Regulations, enrolment records (including child and family information) must be kept for:
· Three years after the child ceases to attend the service, or
· Until the child turns 25 years of age (whichever is later)
After these periods expire, we securely destroy or de-identify all personal information. Staff employment records are retained in accordance with fair work and tax laws.
13. Notifiable Data Breaches
Under Australia's Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act), if we suspect or confirm an eligible data breach (unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm), we will:
1. Conduct a prompt assessment within 30 days
2. Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law
3. Provide advice on steps individuals can take to protect themselves
4. Take immediate action to contain the breach and prevent future incidents
Affected individuals will be notified directly (via email or phone) unless doing so would put them at risk, in which case we will publish a notice on our website and notify the OAIC.
14. Breach of Confidentiality
The service treats any breach of confidentiality extremely seriously. Unauthorised use or disclosure of personal information – whether verbal, written, or electronic, including on social media or websites – may result in disciplinary action, termination of employment, or legal proceedings.
Employees' confidentiality obligations survive indefinitely after termination of employment.
15. Complaints and Feedback
If you wish to make a complaint about a breach of privacy or confidentiality, please contact the Centre Director in writing. We will investigate and respond within 30 days.
If you are not satisfied with our response, you may complain directly to the Office of the Australian Information Commissioner (OAIC):
· Website: www.oaic.gov.au
· Phone: 1300 363 992
· Email: enquiries@oaic.gov.au
16. Contact Us
Excellent Kids Montessori Early Learning
2/12 Springvale Circuit, Underwood 4119 QLD
Centre Director Contact Details:
Email: Director@ekmontessori.com.au
Phone: 07 3341
17. Policy Amendments
We may amend this policy from time to time without prior notice. The current version will always be available on our website (or upon request from the Centre Director). For significant changes, we will notify families via email or parent portal.
18. Privacy Impact Assessments
Before introducing new technology or systems that handle personal information (e.g., a new parent portal, AI-based learning tools, or biometric systems), we will conduct a Privacy Impact Assessment to identify and mitigate risks to privacy.
19. Version Control
Version: 1.0
Date: 1 May 2026
Changes: Original policy – comprehensive privacy and confidentiality policy incorporating Deed requirements, URL ascertainment, NDB scheme, retention periods, and children's rights
Authorised By: Centre Director
20. Collection Notice (for Enrolment Forms) – Short Form
The following short-form notice is to be included on all enrolment forms and new family intake documents:
Collection Notice – Excellent Kids Montessori Early Learning
We collect personal information about you and your child to provide early childhood education and care, manage enrolments, and meet legal obligations (including the NQF and Privacy Act). We require your email address to give you access to our secure parent portal (via a unique URL). Your information is stored securely on Australian-based cloud servers. You may access or correct your information by contacting the Centre Director. Our full Privacy Policy is available on our website or at reception.
Privacy Act 1988 (Cth) Acknowledgement: This policy is provided for your information and does not limit or exclude your rights under the Privacy Act.