What Does the Privacy Act 2020 Mean for Children's Data in NZ Services?

The Privacy Act 2020 governs how your service collects, uses, stores, discloses and gives access to personal information, and it applies to early childhood education services just as it does to any other organisation. In practice it sets the ground rules for handling tamariki information like photos, learning stories and health notes, and it requires you to notify the Office of the Privacy Commissioner and affected people when a breach is likely to cause serious harm. Here is what centre leaders and kaiako need to understand.

What the Privacy Act 2020 actually is

The Privacy Act 2020 came into force on 1 December 2020. It is the law that governs how organisations (including ECE services) collect, use, store, disclose and give people access to personal information.

“Personal information” is simply information about an identifiable individual. In an early learning setting that covers a great deal: a child’s name and date of birth, enrolment forms, health and developmental notes, learning stories, photos and video, attendance records, and information about whānau. If your service holds it and it identifies someone, the Act applies.

The Office of the Privacy Commissioner oversees the Act and is the body services should refer to for guidance.

The 13 privacy principles, in plain language

The Act contains 13 Information Privacy Principles (IPPs). They are the practical backbone of the law. You do not need to memorise them, but the day-to-day obligations they create matter for every service. The principles cover, among other things:

  • Only collect what you need. Don’t gather information about tamariki or whānau beyond what your service genuinely requires.
  • Collect it directly and fairly. Get information from the person concerned, for young children usually their whānau, and collect it in a fair, lawful way.
  • Tell people why. Be clear about the purpose you are collecting information for, and how it will be used.
  • Keep it secure. Protect the information you hold against loss, misuse and unauthorised access.
  • Limit use and disclosure to the purpose. Use and share information only for the reason it was collected, not for unrelated purposes.
  • Allow access and correction. People are entitled to access the personal information you hold about them and to ask for it to be corrected.

For a centre, these principles translate into ordinary, repeatable habits: collecting only the enrolment details you actually use, explaining to whānau why you ask for them, storing everything securely, and being ready to share or correct a child’s records when whānau request it.

The notifiable breach scheme

One of the most significant changes the Act introduced is the mandatory notifiable privacy breach scheme.

If your service experiences a privacy breach that causes, or is likely to cause, serious harm, you must notify both the Office of the Privacy Commissioner and the people affected. A breach can be more mundane than people assume: a lost device with enrolment data on it, an email of children’s information sent to the wrong address, or unauthorised access to your management system.

The key test is serious harm. This makes it worth thinking ahead about what a breach would look like in your service and who would need to act, so that if something goes wrong you can respond quickly and meet your obligations rather than scrambling.

Why children’s data needs particular care

Children’s personal information is sensitive. Photos, learning stories, health records and developmental notes are exactly the kind of information that deserves careful handling, because it concerns young, vulnerable individuals who cannot manage it themselves.

That is also why whānau consent sits at the centre of good practice. For young tamariki, it is usually whānau who provide the information in the first place and who authorise how it is used. For example, whether a child’s photo can appear in a learning story documented against Te Whāriki and shared with other families, or on your service’s social media. Being clear with whānau about what you collect, why, and how it will be used is not just courteous; it reflects the collection and purpose principles in the Act.

A few areas in ECE settings deserve extra attention:

  • Photos and video, particularly when shared in group learning stories or online.
  • Health and developmental notes, among the most sensitive records a service holds.
  • Sharing between staff and with external parties; keep it tied to the purpose it was collected for.

Practical steps for your service

You don’t need to be a lawyer to put good privacy practice in place. A handful of practical measures cover most of the ground:

  • Have a privacy statement. Set out clearly what information you collect, why, how it is used, and how whānau can access or correct it.
  • Store information securely. Whether records are on paper or in software, control who can access them and protect against loss or unauthorised access.
  • Train your kaiako. Make sure staff understand the basics: collect only what’s needed, use information only for its purpose, and know what to do if a breach occurs. Privacy confidence is one more reason it pays to invest in attracting and retaining good kaiako in a tight market.
  • Get and record whānau consent. Be explicit about uses like photos and learning stories, and keep a record of what whānau have agreed to.
  • Vet your software carefully. When choosing any system that holds children’s data, consider how and where the data is stored and secured.

Choosing software: where your data lives matters

The shift to digital learning stories, portfolios and management systems means a lot of children’s information now lives in software. When you choose or review a platform, the Act’s security and storage obligations don’t disappear; they move with the data.

Sensible questions to ask any provider:

  • How is children’s information secured, and who can access it?
  • Where is the data stored?
  • What happens in the event of a breach, and how would we be supported to meet our notification obligations?

Treat these as part of your due diligence, the same way you would when running an internal evaluation against the ERO framework or any decision affecting tamariki and whānau.

A note on getting advice

This article is general information only and is not legal advice. Privacy obligations can depend on your service’s specific circumstances, and the law is overseen by the Office of the Privacy Commissioner, the authoritative source for guidance and the place to go for detailed or situation-specific questions. If you are unsure about your obligations, seek advice rather than relying on a general summary.

Handled well, privacy is not just compliance; it is part of the trust whānau place in you when they share their tamariki’s information.

Personhood360 is built to store children’s learning and wellbeing information securely, with careful attention to how and where data is held, helping services meet their privacy obligations with confidence.