Privacy Policy

Introduction

At Mindful Directions Clinical Psychology (we, us, our), we understand that information entrusted to us by our clients, in seeking and receiving psychological care, is private and confidential.

We are committed to protecting the privacy of personal information we collect in the delivery of our services, and conduct of our business, and the way in which it is used, stored and disclosed, in accordance with our obligations under the Privacy Act and those contained in the Australian Privacy Principles.

Our Privacy Policy provides information on:

  • how and what personal information we collect,

  • the purpose for which it is collected, used and disclosed,

  • how our clients can access and/or seek correction of the personal information we hold,

  • storage of personal information,

  • our clients’ right to withdraw consent, and

  • our clients’ right to make a complaint about how we have handled their personal information.

Definitions

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether that information or opinion is true or not and whether the information or opinion is recorded in a material form or not.  Personal information includes sensitive information and health information, as defined.

Sensitive information means information or an opinion about, amongst other things:

  • racial or ethnic origin

  • political opinions or associations

  • religious or philosophical beliefs or affiliations

  • membership of a professional or trade association or union

  • sexual orientation or practices

  • criminal record

  • health information about an individual

  • genetic information about an individual that is not otherwise health information

Health information means information or an opinion about:

  • the health, including an illness, disability or injury (at any time) of an individual, or

  • an individual’s expressed wishes about the future provision of health services to the individual, or

  • a health service provided, or to be provided, to an individual, or

  • other personal information collected to provide, or in providing, a health service to an individual.

Data breach means when personal information is lost, accessed without authorisation or disclosed improperly.

How we collect personal information

We collect personal information, including sensitive and health information, about our clients in a number of ways, including in person, in writing (including through electronic forms), by telephone or email, generally when:

  • a potential client contacts us to provide services, including via our website,

  • a client completes a Halaxy Intake form or other assessment required by us to deliver our service,

  • a client discloses personal information, including sensitive and health information, as part of receiving our services, for which we record notes,

  • a client provides feedback or lodges a complaint.

We may also receive personal information, including sensitive and health information, indirectly or from third parties where it is reasonably expected that the client would have consented to the personal information being shared with us (i.e. unsolicited), including but not limited to:

  • from other involved health care providers, including where we receive a referral to provide services, and/or

  • third parties responsible for the management of, and payment for, a client’s services with us.

Types of personal information collected and held

Personal information we collect may include, but is not limited to, the following information:

  • Name and contact details

  • Date of birth

  • Gender

  • Marital status

  • Occupation

  • General practitioner

  • Referring doctor or other health care provider information

  • Information or opinion about a client’s health, including symptoms, diagnoses, prescriptions, test results, health services received or intended to be received, and professional opinions/reports

  • Medicare card identifiers

  • Other government identifiers if relevant to the billing of the service (e.g. Department of Veteran Affairs identifier)

  • Credit card details or other payment related details

  • Transaction details associated with services we provide

  • Information provided to us through feedback or complaints

  • Information provided to us by the client in delivering the health service offered by us

Anonymity

Individuals have the option to deal with us anonymously or by pseudonym, except in circumstances where it is required by law or it is impracticable for us to deal with an individual who has not identified themselves, which would include where a client is seeking government funded rebated services. 

Collection, use and disclosure of personal information

There are both primary and secondary purposes for which we collect, use and disclose personal information.

Primary Purpose

We collect, store, use and disclose a client’s personal information only for the purposes consistent with the reasons it was collected, including:

  • assessing a client’s suitability for our services,

  • managing our ongoing relationship with our clients, including:

    • treatment planning and monitoring client progress,

    • providing treatment and care,

    • providing information about treatment and care to third parties, if required and with consent,

  • meeting any legislative requirements as they apply to us as a health care provider, including in the taking of treatment notes,

  • answering queries clients have in relation to the services provided,

  • the preparation of referrals and/or reports to treating/referring or other medical or allied health professionals, and

  • gathering feedback and quality assurance reviews to improve our services.

Secondary Purpose

We may also collect, store, use and disclose personal information in order to:

  • resolve any legal and/or commercial complaints or issues, and

  • perform any of our functions and activities relating to our business, including to meet our internal administrative requirements, in the processing of accounts for payment or the communication of information relating to the service we provide.

We will not use or disclose a client’s personal information for any other reason than those outlined above, unless an exception applies, including:

  • where a client has consented to the use or disclosure of personal information for a secondary purpose or where it would be reasonable to consider that a client would have expected their personal information to be used for such a purpose, and

  • another secondary purpose that is required or authorised under an Australian law or court/tribunal order.

We do not disclose personal information for any purpose to anyone outside of Australia, except with the express consent of our clients. 

Notification of the collection of personal information

When we directly solicit the collection of personal information from a client, we will provide notice, in writing (which may include via electronic forms) or verbally, to the individual for whom we are collecting, or have collected, their personal information, including the purpose for which the information is collected. We only solicit the collection of personal information where it is reasonably necessary, or directly related to, the provision of our services to our clients and clients consent to the solicitation and collection.

That notice will generally include:

  • contact details,

  • the facts and circumstances of collection and the purpose for collection,

  • whether the collection is required or authorised by law,

  • the consequences for the individual if personal information is not collected,

  • other entities to which the personal information is usually disclosed.

In the case of receiving information from third parties (i.e. unsolicited), where we could have solicited that information, we will provide notice to our clients of the collection of that information, for example, when we receive a referral or other medical report. 

Where we could not have solicited that information, we will notify you that this has occurred, together with the identity and contact details of the individual or organisation that provided it, and destroy or de-identify the information as soon as practicable.

Inherent Consent

As part of receiving health services from Mindful Directions Clinical Psychology, clients inherently consent to the collection of personal information, including sensitive and health information, that they disclose during treatment.

Withdrawal of Consent

A client may withdraw consent at any time regarding the collection, use, storage and disclosure of their personal information.  This request can be made either verbally or in writing.  Withdrawing consent may however impact Mindful Directions Clinical Psychology’s ability to provide ongoing health care services, and certain legal obligations may require retention of specific information despite withdrawal.  Refer to the Storage of personal information section of this policy for more information.

Storage of personal information

We store personal information in both hard and electronic copy.

We take all reasonable steps to ensure that personal information is securely stored and to protect it from misuse, loss, unauthorised access, modification, interference or disclosure, however we cannot guarantee that unauthorised access to personal information will not occur.

We utilise Halaxy as our practice software, which meets stringent privacy, security and confidentiality standards and data is protected by 256-bit bank grade security and encryption.

We also adopt the following electronic and physical security measures:

  • locked storage of personal records;

  • use of document shredding;

  • authentication and password controls for electronic records; and

  • screensavers for when devices are not in use.

Regular risk assessments are conducted to ensure the appropriate availability, integrity and confidentiality of personal information managed through our systems and programs.  Halaxy and NovoPsych are operated from Melbourne, Australia, and their data is stored within Australia in security-protected data centres.

We will take reasonable steps to destroy or de-identify the personal information we hold about clients once the personal information is no longer needed for any purpose for which the personal information was collected or may be used or disclosed.  Where we are required by or under an Australian law or court/tribunal order to retain personal information, we are not required to destroy or de-identify the information.

Clients also have the right to request the deletion of personal information when it is no longer necessary, when consent has been withdrawn or if the information was unlawfully processed.  We will take reasonable steps to erase the personal information, unless we are required by or under an Australian law or court/tribunal order to retain the personal information.  Requests for erasure of personal information held will be handled in accordance with the Accessing, correcting or requesting erasure of personal information section of this policy.

Accessing, correcting or requesting erasure of personal information

It is important that we maintain accurate, complete and up-to-date personal information.  We will regularly request that our clients check and update the personal information held by us to ensure it remains current.  All clients are asked to let us know if there are any errors or changes in the personal information we hold.

It is also important that the health information we hold about our clients is accurate, complete, up-to-date, relevant and not misleading.  Clients have a right to request access to the personal information, including health information, we hold about them and, if a client thinks any information we hold about them is incorrect, may request a correction. Clients also have a right to request erasure of their personal information.

There may be circumstances where we are unable to provide access to, correct or erase personal information.  Where we are unable to do so, we will provide the client with written notice outlining reasons for refusal and/or why we were unable to respond to the request, and the client’s right and how to make a complaint about the refusal.

Requesting access or correction to personal information

A client may request access to or correction or erasure of personal information we hold.

Management is responsible for considering all requests to access, correct or erase personal information and responding to the request.

To satisfy ourselves that the request comes from a client, all requests must be in writing and signed by the client, and include the following:

  • the client’s name, address and date of birth, and

  • the specific personal information, including sensitive or health information, requested to be accessed, corrected or erased, and

  • if an access request, how access to the personal information is preferred (e.g. by email, paper copies or to view), and

  • whether another person or organisation is authorised to access the personal information on the client’s behalf.

Requests can be emailed to marion@mindfuldirections.com.au.  Clients are not required to provide a reason for requesting access. 

Responding to an access request

Generally, we will provide the requested information within 30 days of receiving the request.

In certain limited circumstances, we may refuse to provide access, such as if:

  • it may threaten our client’s or someone else’s life, health or safety,

  • it may impact someone else’s privacy, or

  • giving access would be unlawful.

If giving certain information would impact someone else’s privacy, we may provide redacted information. If it is not possible to provide information directly to the client because of a concern for their health or safety, it may be provided through an agreed third party. 

If a client requests access in a way that is unreasonable or not practical, we will endeavour to provide it in another satisfactory way.

Responding to a correction request

Generally, we will respond to a request to correct any personal information, including any sensitive or health information, within 30 days of receiving the request.

Upon receiving a request to correct any personal information, including any sensitive or health information, held by us, we will consider the reasons for holding such information and review the client’s health information to determine if it is correct. 

We will take reasonable steps to respond to the request and will add, change or delete personal information, including sensitive or health information, where appropriate.

It is important to recognise that our opinion may differ from that of our clients, but this does not mean it is inaccurate.

We may refuse to correct personal information, including any sensitive or health information, where doing so would be unreasonable, for example where we have a legal obligation to hold particular information about a client for a certain period or where we believe the health information we hold is accurate.

Where we refuse a request to correct a client’s personal or health information, we will provide the client with written notice outlining:

  • the reasons for refusing to correct the personal or health information,

  • the client’s right to request that:

    • a) a statement be associated with their personal information (i.e. a statement that the client thinks their personal information is inaccurate, out of date, irrelevant or misleading), which we must take reasonable steps to associate with the client’s personal information so that the statement is apparent to users of the personal information, and/or

    • b) a statement be associated with their health information (i.e. a statement that the client thinks the health information is inaccurate, out of date, irrelevant or misleading), which we must take reasonable steps to attach to their health information so that other health service providers will know the client disagrees with the information, including but not limited to printing a statement to attach to a physical record or linking the statement to a digital record, and

  • the client’s right to complain about the refusal, and how to do so.

Responding to an erasure request

Generally, we will respond to a request to erase any personal information, including sensitive and health information, held by us within 30 days of receiving the request.

Upon receiving a request to erase any personal information, including sensitive and health information, held by us, we will consider the reasons for holding such information, whether it can be erased without affecting our ability to provide the health services, and whether any exceptions apply, such as where we are required by or under an Australian law or court/tribunal order to retain the personal information.

Where we refuse a request to erase a client’s personal information, including sensitive or health information, we will provide the client with written notice outlining:

  • the reasons for refusal,

  • any alternatives, including de-identification where possible, and

  • the client’s right to complain about the refusal, and how to do so.

Charges

Requesting access to personal information held by us is free, however we reserve the right to charge an administrative fee for the giving of access to cover the cost of deciding, searching for, locating and retrieving the information and the provision of the personal information.

The fee will be discussed at the time of receiving a request to provide access to the personal information and will be based on the extent of the individual request.

Requesting a correction to or erasure of personal information held by us does not incur a charge.

Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will:

  • investigate and assess the breach and its impact and take immediate action to contain the breach and mitigate any risks, and

  • notify affected individuals,

  • report the breach to the Office of the Australian Information Commissioner, if required, and

  • review and strengthen practices to prevent future breaches.

Complaints and Contact Details

If you have any queries, concerns or complaints about the way in which we collect, use, store or disclose personal information, or the way we have handled your personal information, please contact:

Marion Swetenham
marion@mindfuldirections.com.au

Should we fail to respond within the notified time frame, or you remain unsatisfied with our response, a formal complaint can be lodged with the Office of the Australian Information Commissioner (call 1300 363 992 or visit www.oaic.gov.au for further information).

Changes to our Privacy Policy

From time to time our Privacy Policy may be updated to account for changes in how we manage personal information.  We will notify you of any change to our Privacy Policy.

Version Control

Version 2.0 (June 2025) Revision to reflect more detailed personal information management practices and to publish on website.

Version 1.0 (February 2018) Original policy.