Privacy Policy
How we collect, use and protect personal information about children, families and staff at Ilim Learning Sanctuary.
Notice — Implied Consent
By enrolling your child, submitting an enquiry, or accessing or using the Ilim Learning Sanctuary website, you acknowledge that you have read this Privacy Policy and agree to the collection, use and disclosure of personal information — including information about your child — as described herein. If you do not agree, please discontinue use of our Website and contact us before submitting an enrolment.
Australian Privacy Principles & National Regulations
This Policy reflects our obligations under APPs 1–13 of the Privacy Act 1988 (Cth) and the confidentiality and record-keeping obligations of the Education and Care Services National Regulations. Defined terms have the same meaning as in the Privacy Act unless otherwise stated.
1. Overview
Ilim Learning Sanctuary (we, us, our, the Centre) is an early childhood education and care service operating centres at Glenroy and Dallas in Victoria. The Centre is an affiliation of Ilim College and is operated by Ilim Learning Sanctuary Limited ACN 649 762 149 ABN 34 649 762 149, a company limited by guarantee and a charity registered with the Australian Charities and Not-for-profits Commission. We are committed to protecting the privacy of children, families, staff and visitors in accordance with the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act, and the confidentiality obligations in the Education and Care Services National Law and the Education and Care Services National Regulations 2011 (the National Regulations).
This Privacy Policy (Policy) describes how we collect, hold, use, disclose and protect personal information, including health information and other sensitive information about children enrolled at the Centre. It applies to personal information we collect through our website (Website), through enrolment and enquiry processes, through our day-to-day delivery of education and care, and through our interactions with families, staff, contractors and regulators.
This Policy applies to families of enrolled and prospective children, children attending the Centre, staff and volunteers, contractors and service providers, and visitors to our Website. Because children in our care generally do not have capacity to give informed consent, consents and authorisations under this Policy are ordinarily given by a parent or person with parental responsibility.
By submitting an enrolment enquiry or enrolment application, by enrolling your child with us, or by accessing or using our Website, you acknowledge that you have read this Policy and agree to the collection, use and disclosure of personal information as described herein. Continued use of our Website or services following any update to this Policy constitutes acceptance of the updated Policy.
This Policy should be read together with our Enrolment Agreement, Child Safe Policy, Photography and Observation Consent, and other Centre policies made available at enrolment and on our Website.
2. What Personal Information We Collect
We collect personal information that is reasonably necessary for, or directly related to, the provision of education and care and the operation of the Centre. The types of personal information we may collect include:
Parent and guardian information, including:
Full name, relationship to the child, and parental responsibility status;
Residential and postal addresses;
Telephone and mobile numbers and email addresses;
Employer name and place of work (for emergency contact purposes);
Customer Reference Number (CRN) issued by Services Australia, for the purposes of claiming the Child Care Subsidy;
Payment details used to settle invoices.
Information about your child, including:
Full name, date of birth, gender, and CRN;
Cultural background, languages spoken at home, and religious observances relevant to the child's care;
Attendance, arrival and departure records;
Developmental observations, learning stories, portfolios and assessments collected by educators in accordance with the Early Years Learning Framework and the Victorian Early Years Learning and Development Framework;
Incident, injury, trauma and illness records.
Health and other sensitive information about your child, which we collect only where reasonably necessary and where you have consented or where collection is required or authorised by law. This may include:
Allergies, dietary requirements, and anaphylaxis action plans;
Medical conditions, disabilities, developmental delays and associated management plans;
Medications administered at the Centre and authorisations to administer them;
Immunisation status and related certificates required under the Public Health and Wellbeing Act 2008 (Vic) and the "No Jab, No Play" requirements;
Medicare number and the name and contact details of your child's medical practitioner;
Racial or ethnic origin, and religious beliefs or affiliations, where relevant to supporting inclusion and cultural programming.
Family circumstances and authorisations, including:
Emergency contact details and nominated authorised persons for collection of your child;
Copies of Family Court orders, parenting orders, intervention orders or other legal documents that affect who may collect the child or have contact with the child;
Information about custody, access or shared-care arrangements to the extent relevant to the care of the child.
Photographs, video and audio recordings of your child captured as part of documentation of the educational program, as described in Section 6.
Staff, educator, volunteer and student-placement information, including identity documents, qualifications, Working with Children Checks, police checks, first-aid and anaphylaxis training records, and employment history.
Website and technical information, including:
IP address and approximate geographic location derived from it;
Browser type, operating system and device identifiers;
Pages visited, referring URLs, session duration and interactions with the Website;
Information collected through cookies and similar tracking technologies (see Section 11).
If you provide personal information about another person (for example, an emergency contact, authorised nominee, or the other parent of your child), you warrant that you are authorised to provide that information and that you have made that person aware of this Policy and of the purposes for which we will use their information.
3. How We Collect Personal Information
We collect personal information in a number of ways, including:
Directly from you — through enrolment forms, enquiry forms on our Website, tour bookings, emails, telephone calls, in-person conversations with educators and management, and signed authorisations, permissions and consent forms;
Through the care of your child — educators routinely record attendance, observations, learning stories and incident reports as part of delivering the educational program and meeting our obligations under the National Regulations;
From medical practitioners, allied health professionals and specialist support services — where you have consented to us obtaining information relevant to the care of your child;
From Services Australia and the Commonwealth Department of Education — in connection with Child Care Subsidy entitlements, attendance reporting and related family-assistance administration;
From other regulators, child-protection authorities and information-sharing entities — in the circumstances described in Section 7;
Automatically through our Website — using cookies and analytics tools when you visit our Website (see Section 11).
Where it is reasonably practicable to do so, we collect personal information about a child directly from the child's parents or persons with parental responsibility. Where this is not practicable, we will take reasonable steps to notify affected individuals of the collection and of the matters set out in this Policy.
We do not operate public CCTV systems on our premises for the general purpose of monitoring children. Where any security cameras are used at entry points or perimeters, notices will be displayed and recordings will be handled in accordance with this Policy.
4. Why We Collect and Use Personal Information
We collect and use personal information for the primary purpose of delivering early childhood education and care and operating the Centre. Specific purposes include:
Assessing enrolment applications and administering waitlists;
Planning, delivering and documenting the educational program in accordance with the Early Years Learning Framework, the Victorian Early Years Learning and Development Framework, and the Centre's philosophy;
Providing for the health, safety and wellbeing of children in our care, including responding to medical emergencies, administering authorised medication, managing allergies, and implementing health-care management plans;
Meeting our obligations under the Education and Care Services National Law, the National Regulations, the National Quality Framework administered by ACECQA, and the directions of the Victorian regulatory authority;
Administering fees, invoicing, Child Care Subsidy claims and attendance reporting under Family Assistance Law;
Meeting our obligations under the Child Safe Standards (Ministerial Order 1359), Victorian Reportable Conduct Scheme, and mandatory reporting laws;
Communicating with families about their child's day, progress, attendance, upcoming events, fees and Centre announcements;
Promoting the Centre through our Website and, where consent has been given, marketing and community materials featuring photographs or stories of children;
Responding to complaints, managing disputes, and defending legal claims;
Recruiting, managing and training staff, volunteers and student placements;
Improving our services and Website through analytics.
We will use personal information only for the purposes for which it was collected, for related purposes that you would reasonably expect, or as otherwise permitted or required by law. We will not use sensitive information (including health information) for any other purpose without your consent.
You may opt out of receiving non-essential marketing communications from us at any time by contacting us using the details in Section 15, or by using the unsubscribe mechanism in any marketing email. Opting out of marketing will not affect essential communications about your child's enrolment, care, attendance or fees.
5. Disclosure of Personal Information
We may disclose personal information to third parties in the following circumstances:
Our educators and staff — on a need-to-know basis, in order to deliver education and care and to meet our duty of care to children;
Ilim College and affiliated entities — where relevant to continuity of care, transition to primary schooling, or shared administrative functions, subject to appropriate confidentiality arrangements;
The Commonwealth Department of Education and Services Australia — for the administration of the Child Care Subsidy, attendance reporting, and compliance with Family Assistance Law;
The Victorian regulatory authority (Department of Education), ACECQA, and the Commission for Children and Young People — in connection with regulatory assessment, notifications, investigations, and the Reportable Conduct Scheme;
Medical practitioners, ambulance services and emergency services — in the event of a medical emergency affecting a child, staff member or visitor;
Child Protection (within the Department of Families, Fairness and Housing), Victoria Police, and other prescribed information-sharing entities — in the circumstances described in Section 7;
Allied health professionals, inclusion support agencies and NDIS-funded providers — where parents have consented to collaboration to support a child's learning or development;
Technology and software providers — including childcare management software, cloud hosting, communications and IT support providers engaged to process information on our behalf;
Analytics providers — which collect information about your use of our Website (see Section 11);
Financial and professional advisers — including our accountants, auditors, insurers, bankers and legal advisers, on a confidential basis;
Successors — in connection with a transfer of the provider approval for the Centre or a restructure of the operating entity.
We do not sell, rent or trade personal information — and in particular, we do not sell, rent or trade any information about children — to third parties for their marketing purposes.
Before disclosing personal information to a third-party service provider, we take reasonable contractual steps to ensure that the provider handles the information in accordance with the APPs and with the confidentiality obligations in the National Regulations.
6. Photographs, Video and Observations of Children
Documentation of children's learning is a core part of our educational practice. Educators capture photographs, short videos, written observations and learning stories that illustrate each child's play, relationships and progress. This documentation is used primarily for internal programming, communication with families, and assessment of learning outcomes.
At enrolment, we ask parents to indicate their consent for different uses of images and observations of their child, which may include:
Use in the child's personal learning portfolio and in internal programming;
Display within the Centre (for example, in the child's room or in family communication boards);
Sharing with other families only where the child of the receiving family also appears in the image (for example, a shared moment of play);
Publication on our Website, social media, enrolment materials, or other promotional materials.
Consent preferences are recorded on the child's enrolment record. You may vary or withdraw consent at any time by contacting the Centre in writing. Withdrawal of consent will apply to future use of images; we will take reasonable steps to remove images from active publication on our Website and social media channels, but we may be unable to recover or recall images already distributed or printed.
Educators and staff are not permitted to record images or video of children on personal devices. Parents and visitors are asked not to photograph or record other families' children at Centre events without permission.
7. Mandatory Reporting and Information-Sharing Schemes
Early childhood educators and certain other staff are mandatory reporters under the Children, Youth and Families Act 2005 (Vic). We are required by law to report to Child Protection if we form a reasonable belief that a child is in need of protection from physical or sexual abuse. We cannot and will not seek consent before making a mandatory report.
The Centre is an Information Sharing Entity under the Child Information Sharing Scheme (CISS) established under Part 6A of the Child Wellbeing and Safety Act 2005 (Vic), and under the Family Violence Information Sharing Scheme (FVISS) established under Part 5A of the Family Violence Protection Act 2008 (Vic). Under these schemes, we may share information with other prescribed Information Sharing Entities for the purpose of promoting the wellbeing or safety of a child, or assessing or managing family-violence risk, without consent where the criteria set out in those schemes are met.
The Centre is a "relevant entity" under the Reportable Conduct Scheme administered by the Commission for Children and Young People. We are required to notify the Commission of allegations of reportable conduct involving our workers and volunteers, and to share information as required under the Child Wellbeing and Safety Act 2005 (Vic).
We may also disclose personal information where we are otherwise required or authorised to do so by law, including under court orders, subpoenas, and notices issued by regulators.
8. Overseas Disclosure
Some of the third-party service providers to whom we disclose personal information may be located outside Australia. In particular:
Google LLC (Google Analytics and related tools) is headquartered in the United States. Data transferred to Google may be processed on servers located in the United States or other countries. Google's privacy practices are described at policies.google.com/privacy.
Cloud hosting and software-as-a-service providers we use may store or process data in data centres located in Australia, the United States, or the European Union.
We do not routinely disclose information about children to overseas recipients for any operational purpose.
Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information.
9. Data Quality and Retention
We take reasonable steps to ensure that personal information we hold is accurate, up-to-date, complete and relevant, having regard to the purposes for which it is held. Please notify us promptly if any of your family's personal information changes — including changes to contact details, medical information, court orders, or authorised collection persons — so we can update our records.
We retain personal information for as long as is necessary for the purposes for which it was collected and as required by law. In particular, regulation 183 of the Education and Care Services National Regulations requires us to keep certain records for the following minimum periods:
Records relating to an incident, injury, trauma or illness of a child — until the child is aged 25 years;
Records in connection with the death of a child at the service — until 7 years after the child's death;
Other records relating to a child enrolled at the service — until 3 years after the child's last attendance;
Records relating to a staff member or educator — until 3 years after they cease employment at the service, or until the staff member is aged 25 where the record was created or used in the course of an investigation relating to a child.
Financial records are retained for a minimum of seven (7) years in accordance with tax and corporations law. Website analytics data is retained in accordance with the retention settings configured in our analytics property (currently 14 months). Unsuccessful enrolment enquiries are retained for no longer than 12 months unless a longer retention period is requested by the enquirer.
When personal information is no longer required and is not subject to a legal retention obligation, we take reasonable steps to destroy or de-identify it in a secure manner.
10. Data Security
We take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification or disclosure. Our security measures include:
Physical security measures at our premises, including access control, supervised sign-in and sign-out of children, locked storage of paper records, and restricted access to administrative areas;
Password protection, access controls and role-based permissions for our digital systems, with access to children's records limited to staff with a genuine operational need;
Transmission of data over our Website via TLS/HTTPS encryption;
Training of staff, educators and volunteers on privacy and confidentiality obligations as part of induction and ongoing professional development;
Contractual obligations requiring third-party service providers to maintain appropriate security measures.
No method of transmission over the internet or electronic storage is completely secure. While we strive to protect personal information, we cannot guarantee absolute security. If you have reason to believe that the security of your information, or information relating to your child, has been compromised, please contact us immediately using the details in Section 15.
In the event of a data breach that is likely to result in serious harm to any individual whose information is involved, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches scheme under the Privacy Act.
12. Access and Correction
Under the Privacy Act you have the right to request access to personal information we hold about you, and to request that we correct it if it is inaccurate, out-of-date, incomplete, irrelevant or misleading. Parents and persons with parental responsibility may generally make access and correction requests on behalf of their child.
Where parents have separated or where parenting orders are in place, we will handle access and correction requests in a manner consistent with those orders and with our obligations under the National Regulations. In particular, we will not release information to a person whose access to the child has been restricted by court order.
To make an access or correction request, please contact our Privacy Officer using the details in Section 15. We will respond to your request within a reasonable time, and in any event within 30 days. We may need to verify your identity and, where relevant, your parental responsibility before we can process your request.
We reserve the right to charge a reasonable fee to cover the cost of retrieving and providing access to personal information where the request is substantial. We will inform you of any applicable fee before processing your request.
We may decline access or correction requests in the circumstances permitted by the Privacy Act — for example, where providing access would have an unreasonable impact on the privacy of other individuals (including another child or the other parent), where it would be unlawful, or where the information is subject to legal professional privilege. Where we decline a request, we will provide written reasons.
13. Complaints
If you believe we have handled personal information in a way that breaches this Policy or the Privacy Act, you may lodge a complaint with our Privacy Officer using the details in Section 15. Please describe your complaint in as much detail as possible.
We will acknowledge receipt of your complaint within five (5) business days and will endeavour to resolve it within 30 days. If we need more time, we will let you know the reasons for the delay and the expected resolution date.
If you are not satisfied with our response to your complaint, or if you believe we have not handled your complaint within a reasonable time, you may refer the matter to:
Office of the Australian Information Commissioner (OAIC) — oaic.gov.au — 1300 363 992 — GPO Box 5218, Sydney NSW 2001.
Complaints about the quality of education and care or about conduct at the Centre (as distinct from privacy complaints) may also be made to the Victorian regulatory authority (Quality Assessment and Regulation Division, Department of Education) on 1300 307 415.
14. Third-Party Links
Our Website may contain links to third-party websites, including Ilim College, social media platforms and government information resources. This Policy does not apply to those websites. We encourage you to review the privacy policies of any third-party websites before providing personal information to them.
We are not responsible for the privacy practices of third-party websites linked from our Website.
15. Contact and Policy Updates
For any questions, access or correction requests, complaints, or other privacy-related matters, please contact our Privacy Officer:
Ilim Learning Sanctuary — Privacy Officer
Glenroy Centre: 48 Box Forest Rd, Hadfield VIC 3046 — (03) 9359 4444
Dallas Centre: 47 Millewa Cres, Dallas VIC 3047 — (03) 9359 4444
Email: info@ilimls.vic.edu.au
This Policy is effective from 1 April 2026 and replaces any previous versions. We may update this Policy from time to time to reflect changes in our practices or applicable law. The current version will always be available on our Website. We encourage families to review this Policy periodically.
Material changes to this Policy that affect the way we handle personal information — particularly information about children — will be notified by a prominent notice on our Website and by direct communication to enrolled families prior to the change taking effect.
Privacy Questions or Concerns?
Contact our Privacy Officer for access requests, correction requests, or complaints. We aim to respond within 30 days.
If your complaint is not resolved to your satisfaction, you may refer the matter to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.