Privacy Policy

1. Introduction

  • Your “Practitioner” (your psychologist/social worker/counsellor) and admin “Provider” (Changes Psychology) have adopted this Policy in accordance with the privacy law.
  • This Policy outlines how Provider deals with Personal Information, which it collects in conjunction with the Services.
  • Provider may also collect information about Individuals who do not use the Services.
  • Capitalised words in this Policy are defined terms. Defined terms are explained at the end of this Policy.

2. Collecting information directly from people

Provider collects Personal Information directly when an Individual:

  • contacts Provider by telephone, SMS, fax, email or via another form of communication;
  • gives Provider his or her information over the phone, email, sms or via electronic form, including a client intake and claiming form;
  • sends the Provider a message through SMS or a third party app;
  • registers or subscribes for an account.

Provider also collects Personal Information directly when:

  • Provider’s server and analytics service may log details about website visits; and
  • Provider’s website places a cookie on an Individual’s device or stores Individuals’ IP addresses.

3. Collecting information from third parties

Provider collects Personal Information about Individuals from third parties when:

  • third parties give Provider access to files containing Personal Information;
  • Practitioners manage records about an Individual using the Services;
  • Provider is given written or verbal information from a teacher, a medical practitioner or health practitioner, EAP provider or other referral source; and
  • parents and guardians provide information about their children or children in their care.  

4. Types of Information that Provider collects and holds

Using processes described in this Policy, Provider collects the following categories of Personal Information about Individuals:

  • (Content) whatever Personal Information, including sensitive Health information, that is included in content Individuals share using Provider’s Services;
  • (Identity Information) name, signature, date of birth, nationality, license & registration details, Medicare details, private health insurance, member details, bank account and credit/debit card details, family details, employment details, educational information, usernames;
  • (Contact Information) email address, social media profiles, telephone & fax number, third-party usernames, residential, Provider and postal addresses;
  • (Internet Data) website form submissions, webpage views, IP address, referring web site addresses, location, browser type, operating system, domain name, access times and other data typically collected by analytics services like Google Analytics;

5. Sensitive Information

Privacy law categorises certain types of Personal Information as “sensitive information”, including:

  • information or an opinion (that is also Personal Information) about an Individual’s:
    • racial or ethnic origin;
    • political opinions;
    • religious beliefs or affiliations;
    • philosophical beliefs;
    • criminal record; and/or
    • sexual orientation or practices;
  • health information about an Individual, including:
    • any information or opinion about the Individual’s health, health services, or wishes regarding health care; and
    • information collected to provide, or in providing, a health service of any kind.

Provider collects health information from Individuals in providing the Services. If Individuals disclose other sensitive information to their Practitioner, this may be included in records and sometimes managed by the Provider. Practitioners, not the Provider, take responsibility for storing sensitive information disclosed to them during appointments (i.e. case notes or session records).

6. How Provider stores Personal Information

Provider holds and stores Personal Information using:

  • (Storage Services) third party data storage services with servers based in Australia and overseas including, but not limited to, Google Email and applications, Microsoft Azure cloud storage, Halaxy or Powerdiary (practice management software), National Australia Bank (NAB) Transact, Notion, Slack, Xero and any other applications and software used for business operations;
  • (Provider Devices) devices operated by contractors to and employees of Provider’s business; and
  • (Paper Files) printed paper and files.

7. Security

Provider will take reasonable precautions to protect Personal Information from unauthorised access. This includes measures to secure the Provider’s physical facilities and electronic networks. Provider secures the Personal Information it collects through requirements and agreements between Provider and the employees and contractors it uses.

Provider limits access to Personal Information to those with a valid reason for using that information. Provider’s document storage includes security measures such as passwords, PINs, encryption, session expiries, firewalls, SSL network encryption, SSL certificate and website transmission encryption, the use of reputable vendors (e.g. Microsoft, Google, Halaxy, Powerdiary), physical locks and storage on physical files and datacentres housing servers.

Microsoft security information: https://privacy.microsoft.com/en-us/privacystatement

Google/Gmail security information: https://www.google.com/policies/privacy/#infosecurity

Halaxy security information: https://www.halaxy.com/article/security

Powerdiary security information: https://www.powerdiary.com/au/security

National Australia Bank security information: https://www.nab.com.au/nabc-content/nab-connect-help/security

Xero: https://www.xero.com/au/accounting-software/security

Notion: https://www.notion.so/help/security-and-privacy

Slack: https://slack.com/intl/en-au/trust/privacy/privacy-policy

For more information on security, please contact Provider using the details in the “contacting us” section below.

8. Deletion Procedures

  • Provider deletes Personal Information when considered appropriate under relevant state and national laws.
  • Provider’s deletion process:
    1. Provider identifies all digital records relating to the individual and deletes them from these digital storage media; and
    2. Provider identifies any paper records relating to the individual and shreds these onsite or personally de-identifies them.
  • Records relating to adult clients will be kept for seven years following the date of last contact and records regarding children are to be kept until the child attains the age of 25 years. 
  • Provider has certain obligations under Australian law to retain some client information for a prescribed period of time.

9. Why data is held, used and disclosed

Provider’s handling of Personal Information includes holding, using and sometimes sharing the Personal Information so that Provider can:

  • facilitate the booking of appointments with practitioners;
  • manage records about Individuals’ appointments and psychological health and treatment;
  • offer surveys and questionnaires;
  • transact with Individuals to collect card details and process payments;
  • facilitate Medicare and health insurance claims;
  • assess and improve the Services; and
  • provide secure access to the Services.

For more information on when Provider shares Personal Information, see below.

10. Disclosing Personal Information

Provider shares Personal Information with others in the following ways:

  • sharing information with the treating health practitioners, governmental institutions including Medicare and private healthcare insurers;
  • sharing information with administration staff and business service providers and contractors to provide services; and
  • facilitating the sharing of information about sales, inquiries, processing Medicare rebates, invoices and payments.

11. Information requests from clients or third parties (e.g. lawyers/subpoenas)

Clients are able to make a written request for copies of their personal information with at least 21 days’ notice, and can nominate which parties are sent the collated documents. The psychologist will bill the client pro-rata for the time taken to review and collate the client’s documents, and this fee needs to be paid before the notes are released to the party the client nominates. Provider has a clear process for verifying the identity of any person requesting information in relation to a person under 18 years, if they are not the parent or caregiver who initiated the engagement of our services, and for verifying that person’s right to access information about a child with written evidence, to ensure that we only share information with people who are appropriately authorised to access this information about a child.

12. Service providers can access personal information

When Provider uses the services of companies that Provider works with to provide the Services, they may get access to the Provider’s data, including Personal Information. Such third party services may include:

  • (Hosting) Cloud and web hosting service providers (see Microsoft Azure Hosting Services https://azure.microsoft.com/en-au/overview/trusted-cloud/privacy, Google applications https://www.google.com/policies/privacy/, Ventra IP https://ventraip.com.au/terms-policies-agreements, Halaxy Practice Management Software https://www.halaxy.com/article/privacy, Powerdiary Practice Management Software https://www.powerdiary.com/au/privacy-policy/);
  • (SaaS) providers of software as a service;
  • (Support) administration staff and contractors, IT support services, web and software development staff and contractors;
  • (Data analytics) Google Analytics (see http://www.google.com/intl/en/policies/privacy/);
  • (Online payment) National Australia Bank (NAB), provider of the online payment system NAB Transact, or via Powerdiary or Halaxy’s payment systems;
  • (Billing) private health insurers and Medicare; Halaxy or Powerdiary practice management software, or Medicare Australia http://www.humanservices.gov.au/customer/information/privacy, any private health insurer that accepts claims relating to services rendered in Australia.

Provider will only share Personal Information with these third parties to the extent reasonably necessary to perform their functions. These third parties may have their own privacy and security policies. For more information about this, please contact Provider using the details listed in the “contacting us” section below.

For information on disclosures to overseas recipients, see below.

13. Disclosing information overseas

We disclose Personal Information to overseas contractors in the Philippines for the purposes of administration and data-processing support.

The Provider may store or process some Personal Information overseas. 

By providing Provider with Personal Information, Individuals consent to the transfer of their Personal Information to overseas recipients as contemplated by this privacy policy.

We take reasonable steps to ensure that the Personal Information that we transfer to overseas recipients will not be held, used or disclosed by the recipient of the information inconsistently with the APPs.

14. Contacting us

Individuals can contact the Provider using the details below if they want to access, correct or delete Personal Information or lodge a complaint.

Privacy Officer – steve@changespsychology.com.au

Provider reserves the right to refuse access or correction where there are reasonable grounds for doing so, for example if providing access would be unlawful or would compromise the privacy of another person.

15. Complaints process

If Individuals have a complaint about privacy, they can contact Provider using the details listed above. Provider will respond to complaints in writing within a reasonable period (usually 10 business days from the day Provider receives an email).

Provider will try to work with Individuals to resolve complaints entirely within 20 business days, although that period may be longer if it is reasonable to take longer given the nature of the complaint.

If Individuals are unsatisfied with our response, they may refer the complaint to the Office of the Australian Information Commissioner (http://www.oaic.gov.au/).

16. Amendment

Provider may amend the Privacy Policy at its sole discretion. Individuals who continue to use the Services after receiving notice from Provider of such an amendment agree to be bound by the Privacy Policy as amended.

17. Definitions

Individual, Individuals

means a natural person.

Personal Information

means information about an Individual whose identity is apparent, or can reasonably be ascertained, from that information. This includes information like names, telephone numbers, email addresses and physical addresses.

Policy, Policies

means this document, drafted in accordance with the Privacy Act 1988 (Cth).

Provider

means Changes Psychology Pty Limited and its staff and contractors.

Practitioner

means your treating psychologist, social worker, counsellor or other allied health professional providing therapy or assessment services to you.

Service, Services

means the following services:

  • arranging appointments with practitioners including telephone appointments, and home and school visits;
  • facilitating Medicare and private health insurance claims in relation to appointments;
  • facilitating electronic payment for appointments; and
  • managing the documentation and records associated with appointments.