privacy

Confidentiality & Privacy Policy

At Sanctuary, the trust your family places in us is something we honour deeply. This policy explains how we collect, protect and use personal information — and what your rights are at every step.

What information we collect — and why

We only collect personal information that is necessary to provide quality education and care, and to meet our obligations under Queensland and federal legislation — including the Education and Care Services National Regulations and the Privacy Act 1988.

Personal information includes any details that identify a person or could reasonably allow their identity to be determined — such as names, addresses, phone numbers, photographs and email addresses.

Examples of information we may collect:

Details about children's learning and development
Contact information
Immunisation records
Health care and concession card details
Bank and payment information
Photo identification (where required)

All information is collected with your knowledge and consent. Where information relates to a child, we seek permission from a parent or guardian.

How we keep your information safe

Protecting your family's information is a responsibility we take seriously. We use a combination of physical and digital safeguards.

Electronic records are stored in password-protected systems with access limited to authorised team members only.
Paper documents containing personal information are kept in locked cabinets and shredded when no longer needed.
Payment and banking details are encrypted and credit card information is securely concealed in our systems.
All educators sign a Confidentiality Deed and receive annual induction training on privacy obligations.

When we share information

We will never share your information with direct marketing agencies. Information is only disclosed where it is necessary to provide care or where we are required to do so by law.

In some situations, we may need to share relevant information with trusted third parties, including:

Public health units
Child protection agencies
Regulatory authorities
Banking & financial institutions
Technology service providers
Legal advisors
Early intervention specialists

We share your information through our childcare management software (CCMS) to facilitate Child Care Subsidy (CCS) claims with Services Australia. Parent or guardian consent is always sought before sharing a child's details with visiting specialists such as speech therapists or occupational therapists.

YOUR RIGHTS

You have the right to access any personal information we hold about you or your child, and to request corrections if information is inaccurate. Please advise us in writing of any changes to your details.

A higher level of protection applies to sensitive information — including health details, religious beliefs, racial or ethnic origin, and similar categories. Sensitive information is only collected and used with your explicit consent.

Families may also request that their child's name, photo or birthday not be displayed within the centre — simply notify the Nominated Supervisor in writing.

If you have any questions or concerns about privacy, please speak with the Nominated Supervisor at your centre in the first instance, or follow the grievance procedure displayed in the foyer.

DATA BREAches

As an education and care service, Sanctuary is classified as a health service provider under Australian privacy law and is bound by the Notifiable Data Breaches (NDB) scheme. This means that in the unlikely event of a data breach that is likely to cause serious harm, we are legally required to notify both affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

A data breach may occur when personal information is accessed, disclosed or lost without authorisation, and this is likely to result in serious harm. Any suspected breach must be assessed within 30 calendar days.

We take cyber security seriously. Staff access is limited to what is needed for their role, strong passwords are required, data is backed up regularly, and team members are trained to identify phishing risks and suspicious communications.

For more information, visit www.oaic.gov.au