Protect the privacy of members

Most toy libraries collect information of a private nature. It is important that this information is securely stored and appropriately disposed of. 

Data Collection

Toy libraries using Mibase or SeTLS have a standard set of sign-up questions automatically included. Toy libraries can customise a limited number of additional questions to gather information about members.

Before customising any questions or required data, consider:

• Why are we collecting this information?

• Is it necessary for running the toy library?

• How will it be used?

• Who will have access to it?

  
  

Only collect information that is directly relevant to membership, borrowing, communication, safety, or legal requirements.

Sensitive information (such as identification details, children’s exact dates of birth, health information, or concession status) should only be collected if genuinely required. Collecting unnecessary personal data increases privacy risk.

Toy Libraries Australia does not require toy libraries to collect or store driver licence numbers. Best practice is to sight identification to confirm address details, rather than recording ID numbers in your system.

Storing and Protecting Information

Toy libraries should:

• Use secure, password-protected systems (such as Mibase or SeTLS).

• Limit access to member data to authorised committee members or staff only.

• Avoid downloading or storing member lists on personal devices unless necessary.

• Keep any paper forms in a locked cabinet.

• Regularly review who has access to online systems.

• Remove access promptly when a committee member steps down.

• Safely dispose of outdated paper records (e.g. shredding).

  
  

Transparency

Members should know:

• What information is collected.

• Why it is collected.

• How it is stored.

• How they can update or correct their details.

A short privacy statement on your membership form or website supports transparency and builds trust.

Access to Member Data

Access to member information must be limited to what is necessary for each role.

Staff and volunteers should only have access to the information they need to perform their duties.

For example:

• Volunteers assisting with borrowing and returns do not need access to full member contact details such as home address or phone number.

• Committee members responsible for communications may require access to email addresses.

• Only authorised roles (e.g. President, Secretary, Treasurer, Coordinator) should have full administrative access to the membership database.

Toy libraries should:

• Use role-based access settings within Mibase or SeTLS wherever possible.

• Regularly review who has administrator access.

• Remove access promptly when a committee member or volunteer steps down.

• Avoid sharing login credentials between multiple people.

Changed Living Arrangements and Safety Considerations

Toy libraries may be notified of changed living arrangements, including situations involving family violence or safety concerns.

If a primary member requests changes to membership records, including:

• Removing secondary members, or

• Removing or updating address details for safety reasons

the toy library should act promptly and respectfully.

In situations where address details are removed from the main system for safety reasons:

• The toy library should ensure there is a secure and confidential backup record held by an authorised office bearer (e.g. Secretary or President).

• This information must be stored securely and accessed only if legally required or necessary for governance purposes.

• Details should never be disclosed to other members, volunteers, or third parties without proper authority.

Privacy and safety must always take priority over convenience.

If there is immediate risk or a serious safety concern, the toy library should follow its Child Safety and incident response procedures.

Data Retention and Deletion of Sensitive Data

Toy libraries should not retain personal information longer than necessary.

Once a membership has expired and:

• All outstanding fees are paid, and

• All borrowed toys have been returned

the toy library should have a clear process for managing former member data.

This may include:

• Locking inactive memberships within SeTLS or Mibase.

• Using system features to deidentify personal data where appropriate.

• Retaining only minimal information required for financial reporting, audit, or legal purposes.

• Securely deleting or shredding any paper records that are no longer required.

A simple written data retention policy (even one page) supports consistency as committees change over time.

Photograph and Video Privacy and Consent

You must obtain consent from any person who appears in photos or videos taken at your toy library. If a child appears in a photo or video, consent must be provided by their parent or guardian. If a parent or guardian sends the toy library a photo or video via email, the toy library should still obtain consent for the methods in which this image can be used.

You can either:

• Use the Toy Libraries Australia consent form (linked HERE), or

• Copy the wording into your own form.

Toy Libraries Australia can provide your toy library with a list of people who have completed the consent form.

If a parent or guardian tags the toy library in a post on social media, this is implied consent.