Privacy Policy
Privacy Policy for Management of Personal Information
Purpose of this policy
This document describes the privacy policy of MyStory Psychology for the management of clients’ personal information. The psychological service provided is bound by the legal requirements of the Australian Privacy Principles set out in the Privacy Act 1988 (Cth), the principal piece of legislation protecting the handling of individuals’ personal information.
What is personal information?
In this Policy, ‘personal information’ is defined by the Act. Personal information includes a broad range of information or opinion that could identify an individual. This information may also include sensitive information.
‘Sensitive information’ includes health information as well as information or an opinion about an individual’s racial or ethnic origins, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or criminal record.
What kind of personal information is collected?
The following personal information may be collected as part of providing a psychological service.
Your name, address, and date of birth;
Your contact details;
Medicare and referral details;
Current and past medical information;
Your family’s personal and medical history to the extent that it may inform current services;
Your educational, occupational, and social history;
Responses and results from psychological tests and questionnaires; and
Information pertaining to your session notes, treatment plan and progress in treatment.
What is the purpose of collecting personal information?
Your personal information is gathered and used for the purpose of providing psychological services, including assessing, diagnosing, and treating the presenting issue(s). The personal information is retained to document what happens during sessions and enables the provision of relevant and informed psychological service.
Client files are held via the online practice management software, Halaxy, which is accessible only to the treating psychologist and authorised personnel of the practice (as necessary) in accordance with the practice's policies and procedures. The information on each file includes personal information such as name, address, contact phone numbers, medical history, and other personal information collected as part of providing the psychological service.
How is personal information collected?
Your personal information is collected in numerous ways including:
during in-person or telehealth psychological consultations with your psychologist;
providing information directly to MyStory Psychology personnel using hard copy or electronic forms;
correspondence via email;
out-of-session contact with your psychologist and/or MyStory Psychology personnel, such as phone or text message; and/or
when other health practitioners provide personal information to your psychologist and/or MyStory Psychology personnel via referrals, correspondence and medical reports.
Please note that whilst measures are taken to guard the security of communications, no information transmitted over the internet can be guaranteed to be secure.
How is personal information stored?
Client personal information is held in secure filing cabinets and an electronic document management system which is accessible only to authorised persons.
This information is also stored in electronic form on a secure server located within Australia managed by a third-party provider of a practice management system called Halaxy. Halaxy is also regulated by the Privacy Act 1988 (Cth) and other relevant privacy legislation.
Consequence of not providing personal information
If the client does not wish for their personal information to be collected in a way anticipated by this Privacy Policy, MyStory Psychology may not be in a position to provide the psychological service to the client.
Purpose of holding personal information
A client’s personal information is gathered and used for the purpose of providing psychological services, which includes assessing, diagnosing and treating a client’s presenting issue. The personal information is retained in order to document what happens during sessions, and enables the psychologist to provide a relevant and informed psychological service.
Disclosure of personal information
Clients’ personal information will remain confidential except when:
it is subpoenaed by a court, or disclosure is otherwise required or authorised by law;
failure to disclose the information would, in the reasonable belief of MyStory Psychology, place a client or another person at serious risk to life, health or safety; or
the client’s prior approval has been obtained to:
a) provide a written report to another agency or professional, e.g., a GP or a lawyer; or
b) discuss the material with another person, e.g. a parent, employer, health provider, or third party funder; or
c) disclose the information in another way; or
d) disclose to another professional or agency (e.g., your GP) and disclosure of your personal information to that third party is for a purpose which is directly related to the primary purpose for which your personal information was collected.
Your personal information is not disclosed to overseas recipients unless you consent, or such disclosure is otherwise required by law.
Non-identifiable information may be utilised by the online practice management provider, Halaxy. You can access the full details of Halaxy’s Policy at http://www.halaxy.com/article/privacy or by contacting them at privacy@halaxy.com.
In agreeing to the terms of MyStory’s Privacy Policy, you are consenting to your information being disclosed to Halaxy and that they may collect, use, or disclose such information for their purposes, as described in Halaxy’s Privacy Policy.
Data breach plan
Reasonable steps are taken to protect personal information from misuse, interference, or loss, and from unauthorised modification, access, or disclosure. This includes:
ensuring that physical security measures over paper and electronic data stores, such as locks and security systems, are maintained and enhanced where possible;
maintaining security systems, for example, by using a firewall, using passcodes to control access to electronic devices, and using two-factor authentication when available to access electronic systems;
taking reasonable steps to destroy or de-identify your personal information once it is no longer legally required;
conducting regular privacy and data security audits to assess adequate compliance and implementation of these measures.
If a data breach is suspected, an assessment will be made that is in accordance with the Notifiable Data Breach Scheme to determine if there has been an ‘eligible data breach’.
In the event of an eligible data breach (where there is unauthorised access or unauthorised disclosure or loss of your personal information that is likely to result in serious harm to you or other individuals) we will investigate and notify you and the Office of the Australian Information Commissioner in accordance with the Privacy Act. For more information about the national requirements see http://aaa.oaic.gov.au/privacy/notifiable-data-breaches/
For information stored with Halaxy, the organisation has a data breach plan prepared in accordance with the Notifiable Data Breaches Scheme.
Requests for access and correction to client information
At any stage clients may request to see and correct the personal information about them kept on file. The psychologist may discuss the contents with them and/or give them a copy, subject to the exceptions in the Privacy Act 1988 (Cth). If satisfied that personal information is inaccurate, out of date or incomplete, reasonable steps will be taken in the circumstances to ensure that this information is corrected.
All requests by clients for access to or correction of personal information held about them should be lodged with the treating psychologist or authorised personnel of the practice (such as the Director, Ms Joanne Ronalds). These requests will be responded to in writing within 30 days and an appointment will be made if necessary for clarification purposes.
Disposal of records
Complying with Health Record Acts and the APS Ethical Guidelines Code, MyStory Psychology is required to retain client records for a minimum period. This period is for a minimum of seven years since last client contact (unless legal or their organisational requirements specify otherwise) and, in the case of records collected while the client was less than 18 years old, records will be retained at least until the client attains the age of 25 years. These requirements override any requests from clients to dispose of their records.
Changes to policy
Please note this Policy is subject to change without notice. Should you wish to review the Policy at any time, please contact MyStory Psychology for a copy.
Concerns
If clients have a concern about the management of their personal information, they may inform their treating psychologist or authorised personnel of the practice (such as the Director, Ms Joanne Ronalds). Upon request they can obtain a copy of the Australian Privacy Principles, which describe their rights and how their personal information should be handled.
Ultimately, if clients wish to lodge a formal complaint about the use of, disclosure of, or access to, their personal information, they may do so with the Office of the Australian Information Commissioner via post, phone or online using the details below.
Office of the Australian Information Commissioner
GPO Box 5288, Sydney, NSW 2001
P: 1300 363 992
http://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us