Privacy Policy
Privacy – Easy Read Summary
At OUR THERAPIES, we take your privacy seriously.
What we collect
We collect personal and health information to provide safe and effective Occupational Therapy services.
How we use your information
We use your information to:
- provide therapy and support
- communicate with you and your team
- write reports and manage your services
Who we share information with
We only share your information:
- with your consent, or
- when required by law
This may include your doctor, support coordinator, school, or funding body (e.g. NDIS).
How we keep your information safe
- Your information is stored securely
- Only authorised staff can access it
- We use secure systems and passwords
Your rights
You can:
- ask to see your information
- ask us to correct your information
- make a complaint if you are concerned
Where we operate
We provide services in Victoria and Queensland and follow Australian privacy laws.
Contact us
If you have questions or concerns, contact OUR THERAPIES at:
admin@ourtherapies.com.au
________________________________________________________________________________________________________________
Privacy Policy and Privacy and Information Management Policy
OUR THERAPIES Pty Ltd is a boutique psychosocial Occupational Therapy service operating in Victoria and Queensland. This policy explains how we collect, use, store, disclose, access, correct, and dispose of personal information (including sensitive information such as health information). OUR THERAPIES adheres to applicable Australian Commonwealth privacy laws and relevant State-based legislation across both Victoria and Queensland. This policy applies to all therapists, contractors, students (if applicable), and administrative staff working as part of the OUR THERAPIES team.
Legislative and regulatory framework
OUR THERAPIES will comply with applicable Australian privacy and health information requirements, including the Privacy Act 1988 (Cth) (including the Australian Privacy Principles), the Privacy Amendment Act 2012, and the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.
OUR THERAPIES operates in a private practice setting. Accordingly, our handling of personal information is primarily governed by the Privacy Act 1988 (Cth) (including the Australian Privacy Principles) and the Notifiable Data Breaches scheme.
We also comply with relevant professional and funding requirements, including the Health Practitioner Regulation National Law and applicable codes and guidelines of the Occupational Therapy Board of Australia and AHPRA. Where services are provided to NDIS participants, we also follow applicable NDIS Practice Standards and the NDIS Code of Conduct. Where relevant, additional privacy and record-handling requirements may apply under program rules for Medicare (including Better Access/Focussed Psychological Strategies and Chronic Disease Management), the Department of Veterans’ Affairs (DVA), private health fund claiming, and our contractual arrangements.
Where services are delivered in Victoria, OUR THERAPIES will also comply with relevant State-based privacy and health records laws such as the Health Records Act 2001 (Vic) and the Privacy and Data Protection Act 2014 (Vic) where applicable.
In Queensland, there is no separate private sector health records Act equivalent to the Health Records Act 2001 (Vic). Private sector health service providers (including allied health providers) are generally regulated under the Commonwealth privacy framework.
Purpose and outcomes
- Protect the privacy of individuals’ personal information.
- Set clear expectations for lawful and ethical handling of personal and sensitive information.
- Support participant confidence that information is kept private and used only for intended purposes.
- Meet record-keeping, retention, and security requirements for health information.
Definitions
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Sensitive information is a type of personal information that includes health information and other sensitive details (for example racial or ethnic origin, sexual orientation, religious beliefs, etc.).
Participant means a person receiving services from OUR THERAPIES (including NDIS, private, or Medicare-funded services where applicable).
Health information has the meaning given under applicable health records legislation and includes information about a person’s health, disability, or healthcare services provided.
Eligible data breach (Notifiable Data Breaches scheme) generally means unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm and where remedial action has not prevented the likely risk of serious harm.
What personal information we collect
We collect personal information that is reasonably necessary to provide safe, effective Occupational Therapy services and to meet our legal and funding obligations. This may include:
- Identity and contact details (name, date of birth, address, phone, email, emergency contact).
- Funding and administrative information (NDIS details, Medicare details where applicable, invoices and payment records).
- Health and clinical information (referrals, assessments, clinical notes, treatment plans, progress notes, reports, outcome measures, correspondence from other healthcare providers).
- Risk and safety information relevant to service delivery.
- Media and supporting materials where consented (photographs, video footage, documents provided by you or your representative).
- Feedback and quality information (participant satisfaction surveys and quality management activities, where consented).
How we collect personal information (and collection notice)
We usually collect personal information directly from you (or your parent/guardian, nominee, or authorised representative) when you enquire, complete intake forms, participate in sessions, communicate with us by phone/email, or provide documents. We may also collect information from third parties with your consent or where permitted/required by law, such as referrers, other treating professionals, schools, support coordinators, and funding bodies.
At or before the time we collect your personal information (or as soon as practicable afterwards), we will take reasonable steps to ensure you are aware of:
- Who we are and how to contact us (see Contact below).
- The main purposes for collection (see How we use personal information below).
- The types of organisations we may disclose information to (see When we disclose personal information below).
- Whether providing the information is optional or required, and the practical consequences if you choose not to provide information (for example, we may not be able to provide services or produce reports).
- How to access and correct your information, and how to make a complaint (see Access, correction and complaints below).
- Whether we are likely to disclose information overseas and, if practicable, the countries (see Overseas disclosure below).
Anonymity and pseudonymity
Where lawful and practicable, you may interact with us anonymously or using a pseudonym (for example, when making a general enquiry). However, for us to provide Occupational Therapy services and meet legal/funding requirements, we will generally need to collect and verify your identity and relevant health information.
How we use personal information
We use personal information to:
- Provide Occupational Therapy assessment and intervention services.
- Communicate with you and coordinate care.
- Prepare clinical documentation and reports requested/required for service delivery and funding.
- Conduct case conferencing and collaborate with other professionals (where consented or permitted/required by law).
- Manage administrative, billing and operational functions.
- Maintain service quality and safety, including supervision, incident management, and quality improvement (where consented or permitted/required by law).
- Use secure digital systems and tools, which may include software incorporating artificial intelligence (AI), to support documentation, service delivery, and administrative functions in accordance with applicable privacy laws.
When we disclose personal information
We do not disclose personal information outside OUR THERAPIES unless it is for a purpose that has been explained to you and you have consented, or where disclosure is required or authorised by law.
Depending on your circumstances, we may disclose relevant information to:
- Your nominated representatives (for example, parent/guardian, nominee, authorised support person).
- Referrers and other treating health or allied health professionals (for example, GP, psychologist, psychiatrist, speech pathologist, physiotherapist).
- Education and support settings involved in implementing supports (for example, schools or support coordinators), where relevant and consented.
- Funding or regulatory bodies where required/authorised (for example, NDIA/NDIS Quality and Safeguards Commission, Medicare where applicable).
- Our professional advisers and service providers who support our operations (for example, IT and secure record storage providers) where they are required to protect confidentiality.
Consent
We refer to this policy in our NDIS Service Agreement and Private & Medicare Consent Forms. Consents are discussed with the participant and/or their decision maker in a way they can understand prior to commencement of service. Our consent forms include:
- Consent for sharing information
- Consent for receiving services
- Consent for photography
- Consent to participate in participant satisfaction surveys
- Consent to participate in quality management activities
- Consent to the use of secure digital systems (including tools incorporating artificial intelligence) as part of service delivery and documentation processes.
Disclosures required or authorised by law
In some circumstances, the law may require or authorise us to disclose personal information without consent (for example, where there are child safety concerns, to lessen or prevent a serious threat to life/health/safety, or where required by a court/tribunal order or other lawful process).
Direct marketing
OUR THERAPIES does not use sensitive information (including health information) for direct marketing. If we send information about our services (for example service updates), you can opt out at any time by contacting us using the details below.
Government related identifiers
We do not adopt government related identifiers (such as Medicare or NDIS numbers) as our own identifiers for participants. We will only use or disclose government related identifiers where permitted by law and where reasonably necessary for our functions (for example, billing/claims and service administration).
Overseas disclosure
OUR THERAPIES does not intentionally store, process, or disclose personal information outside Australia. If this changes (for example, due to changes in service providers), we will take reasonable steps to ensure any overseas recipient handles personal information in accordance with Australian privacy requirements, and we will update this policy accordingly.
How we hold and secure personal information
Participant information is kept in an individual participant record, which may include personal information, clinical notes, assessment reports, investigations, correspondence, photographs and video footage (where applicable).
Electronic records are stored in Splose (secure, password-protected). We restrict access to authorised team members based on role and need-to-know.
Paper records (if created/received) are scanned and uploaded to the participant record and then shredded as soon as practicable.
Devices and systems that may access participant information are protected by passwords and appropriate access controls. Users must lock/log out of devices when unattended.
We take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification or disclosure.
Where digital tools incorporating artificial intelligence (AI) are used, we take reasonable steps to ensure personal information is handled securely and in accordance with Australian privacy requirements.
Retention and disposal of records
We store participant information for at least seven (7) years after the date of last discharge.
For participants aged under 18 years at the time of service, information is kept until their 25th birthday and for at least seven (7) years after last discharge (whichever results in the longer retention period).
When information is no longer required and we are permitted to do so, we securely destroy or de-identify it. Participant-related papers identifying a participant are destroyed by shredding, and electronic records are deleted from systems and databases in line with our secure disposal processes.
Quality and accuracy of information
Participants are encouraged to provide accurate, up-to-date and complete information. If information is missing or out of date, this may delay or reduce service provision. OUR THERAPIES staff update participant records during reviews and when changes become known, and clinicians/administration update records as soon as practicable after service delivery.
Unsolicited personal information
If we receive personal information that we did not request, we will assess whether we could have collected it under the Privacy Act. If we could not have collected it (and we are not required to keep it), we will securely destroy or de-identify the information as soon as practicable.
Access to and correction of personal information
Access: Participants have the right to request access to the personal information we hold about them. Requests should be made to the contacts listed below. We may need to verify identity before releasing information. We will respond within a reasonable timeframe and may refuse access only where permitted by law.
Correction: If you believe information we hold is inaccurate, out of date, incomplete, irrelevant or misleading, you can request a correction. We will respond within a reasonable timeframe. If we do not agree to make a requested correction, we will (where required) take reasonable steps to associate a statement with the information noting your request.
Privacy complaints
If you have a complaint about how your personal information has been handled, please contact OUR THERAPIES using the details below. We will manage the complaint in line with our Complaints Procedure and aim to resolve concerns promptly and fairly. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner and/or the NDIS Quality and Safeguards Commission (where relevant) to request independent review.
Data breach and privacy incident response
A privacy incident includes suspected or actual unauthorised access to, unauthorised disclosure of, or loss of personal information (for example: misdirected email, lost device, compromised password, or system intrusion). OUR THERAPIES will respond promptly to privacy incidents to reduce harm and meet legal notification requirements.
- Contain: Immediately take steps to stop or limit the breach (for example, recall emails where possible, disable accounts, reset passwords, isolate affected systems, recover documents).
- Assess: Assess what happened, what information is involved, who may be affected, and the likelihood of serious harm. Document findings and actions.
- Notify: Where required, notify affected individuals and relevant regulators in line with the Notifiable Data Breaches (NDB) scheme and other applicable requirements. Notifications will include recommended steps individuals can take to reduce harm.
- Remediate: Take steps to reduce the risk of harm (for example, security updates, access changes, additional monitoring, staff guidance).
- Review and prevent: Conduct a post-incident review to identify root causes and implement improvements (for example, training, process changes, supplier controls).
Contact
To request access/correction, ask a question about this policy, or make a privacy complaint, please contact: Julia Dixon, Narelle Rigby or Britt Watson, OUR THERAPIES.
Email: admin@ourtherapies.com.au
Address: 240 Frankston-Dandenong Road, Seaford Vic 3198
Policy review
We review this policy at least annually, and also when there are relevant changes to legislation, guidance, our systems, or the way we provide services. All OUR THERAPIES team members are required to understand and comply with this policy.
