PRIVACY POLICY

The purpose of this policy is to explain how I collect and use your personal information, and the circumstances in which I may share it with third parties.

INTRODUCTION                                               

I am bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).

“I”, “me” and “my” means Ailsa Robson Consulting (ABN 91 615 718 521) of PO Box Uraidla, SA 5142.

When you register as a client of mine, I will ask you to provide your consent to me collecting, holding, using and sharing your personal information in accordance with this policy. If you do not provide me with your personal information, I may not be able to provide you with my services, communicate with you or respond to your enquiries.

WHAT IS PERSONAL INFORMATION?  

Personal information is any information or an opinion about a person who can be reasonably identified from the information or opinion.

Some examples are your name, signature, phone number, address or date of birth.

WHAT IS SENSITIVE INFORMATION?

Sensitive information is a sub-type of personal information, and includes:

  • Health Information, including, for example, information about your mental or physical health, notes of treatment or diagnosis, prescriptions, or specialist reports;

  • Racial or ethnic origin, political opinion and associations, sexual orientation or practices, religious or philosophical beliefs, criminal record, or trade union membership or affiliation.

WHAT PERSONAL INFORMATION DO I COLLECT AND HOLD?  

I collect personal information about you and your interactions with me, for example, when you book an appointment using Acuity Scheduling or visit my website and send me an enquiry or email.

I collect more detailed personal information from you in our booked appointments as part of my professional services.

WHAT SENSITIVE INFORMATION DO I COLLECT AND HOLD?

To provide you with my professional services, it is necessary for me to obtain sensitive information from you.

I will obtain your consent when you become a client of mine to collect sensitive information from you. The most common type of sensitive information that I collect is your Health Information.

WHY DO I COLLECT, HOLD AND USE YOUR PERSONAL INFORMATION?  

The reasons that I collect, hold and use your personal information are so that I can:

(a)   provide you with my professional services;

(b)  contact you, for example, to respond to your queries or complaints, or if I need to tell you something important;

(c)  comply with my legal and regulatory obligations including my obligations to report and keep good quality records; or

(d)   undertake marketing, analytics, and business development. 

HOW DO I COLLECT YOUR PERSONAL INFORMATION?  

I will collect your personal information directly from you when you interact with me, including during our appointments, on my new client forms that you complete, or when you email me.

I will usually only collect your Sensitive or Health Information directly from you, unless it is not practical to do so, for example when the health information is provided by a referring health practitioner. Some Health Information is also collected when you book an appointment with me using Acuity Scheduling on my website.

I may collect basic personal information indirectly via my website. I do this by using a range of tools such as Google Analytics. I also collect basic contact information if you agree to go onto my mailing list via my website.

I may collect information from external parties such as:

(a)   Acuity Scheduling, my booking service, which may include your name, phone number and other contact details; and

(b)   A person referring you to me, such as a health practitioner or a National Disability Insurance Scheme (NDIS) provider or your employer under an Employee Assistance Program (EAP). A referral may contain Health Information.

HOW DO I STORE AND HOLD PERSONAL INFORMATION?  

I store any personal information I receive, including my written notes and appointment details, confidentially using electronic computer systems and databases operated by me. I do not keep hard copy records. Some data is stored securely in the Cloud via my third-party software providers including Evernote, Google Drive, Dropbox, and Acuity Scheduling.

I implement and maintain processes and security measures to protect your personal information from misuse or loss, and from unauthorised access, modification or sharing.

Examples of my security measures include:

(a)   the use of identity and access management technologies to control access to systems on which information is processed and stored, such as two-factor authentication;

(b)   storing my computer and other equipment securely; and

(c)   attending cyber security training sessions to enable me to monitor and maintain good security practices. 

I will also take reasonable steps to destroy or de-identify personal information once I no longer require it for the purposes for which it was collected or for any secondary purpose permitted under the APPs (such as a legal requirement to keep records).

WHO DO I DISCLOSE YOUR PERSONAL INFORMATION TO, AND WHY?

Subject to the confidentiality obligations in my client relationship with you, I may disclose personal information in the following ways:

1.     External Service Providers

I may share personal information with certain external service providers or contractors in connection with providing my services to you, including:

National Disability Insurance Scheme (NDIS) Clients

For NDIS clients, I may share information with your NDIS provider in the form of progress reports that are directly related to the services I provide to you. The National Disability Insurance Agency (NDIA) is also subject to and must comply with the APPs.

SaaS

I use external software-as-a-service providers (SaaS) for the purposes of:

·       scheduling appointments; and

·       securely storing and managing my client files.

For example, I use software provider Evernote to record my notes in our meetings and Xero for book-keeping purposes. These SaaS providers may have limited access to your personal information purely for the purposes of securely storing and managing your information for billing or other reasons directly related to providing you with services.

I only work with reputable external providers and take reasonable steps to ensure that those providers comply with the APPs.

2.     Employee Assistance Programs

If I see you as a client under an Employee Assistance Program (EAP), I only provide de-identified personal information back to your employer, meaning that they cannot identify you. Please feel free to ask me for more details.

3.     Health Information

As a health practitioner I take great care with the confidentiality of the information you provide to me, and I do not disclose your health information unless:

·       I have first obtained your specific consent, or

·       I am otherwise reasonably required or reasonably able to do so under the APPs, including:

a)    If I am required or authorised by law to do so, including for example, mandatory reporting [HW1];

b)    It is for a directly related secondary purpose that would be reasonably expected, such as referring you to another health practitioner; or

c)     Where it is unreasonable or impracticable to obtain your consent and I reasonably believe the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any person, or to public health or safety.

4.     Other possible disclosures of personal information

In addition to the above situations, I may also share your (non-health) personal information with others where:

(a)   You have expressly consented to the disclosure, or I can reasonably infer your consent from the circumstances;

(b)   It is for a related secondary purpose and the disclosure would be reasonably expected e.g. for billing purposes;

(c)   For sensitive information, it is for a directly related secondary purpose, that would be reasonably expected;

(d)   I reasonably believe that the disclosure is necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement or regulatory body;

(e)   To locate a person reported as missing [HW2];

(f)    The use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or conducting an alternative dispute resolution process; or

(g)   I am otherwise permitted to disclose the information under the Privacy Act or the APPs.

If the ownership or control of all or part of my business changes, I may transfer your personal information to the new owner. If this happens I will always attempt to notify you first.

[HW1] My understanding of mandatory reporting is that it is only relevant when you are working with minors (under the Children and Young People (Safety) Act 2017), but I may be wrong. See also (f), which is an exception to confidentiality under the Privacy Act and also your Code of Ethics.

[HW2] This is not specifically referred to under your Code of Ethics though, so you may wish to take it out if you wouldn’t do it. Your Code of Ethics talks about confidentiality, which is a slightly different concept to privacy. Something is only confidential if told to you in confidence, however; in your practice area this will apply to most of the information you collect.

DO I DISCLOSE PERSONAL INFORMATION TO OVERSEAS RECIPIENTS?  

Some of my software providers are located outside of Australia, including Evernote and Google, and they may, on occasion, have access to very limited personal information. I only use software providers who have their own privacy policies and abide by privacy principles.

These recipients are likely to be located in the United States and Switzerland.

DO I USE YOUR PERSONAL INFORMATION FOR MARKETING?  

I may use your contact information to offer you products and services I believe may interest you, but I will not do so if you tell me not to. I will not use your Health or Sensitive Information for marketing unless I have your specific consent.

If you receive electronic marketing communications from me, you may opt out of receiving further marketing communications by following the opt-out instructions provided in the communication.

ACCESS TO AND CORRECTION OF YOUR PERSONAL INFORMATION  

You may access or request correction of the personal information that I hold about you by contacting me. My contact details are set out below. There are some circumstances in which I am not required to give you access to your personal information.

I will respond to your requests to access or correct personal information in a reasonable time and will take all reasonable steps to ensure that the personal information I hold about you remains accurate, up to date, complete, relevant and not misleading.

COMPLAINTS  

If you have a complaint about the way in which I have handled any privacy issue, including your request for access or correction of your personal information, you should contact me and provide me with details of the complaint or request. My contact details are set out below.

I will consider your complaint and determine whether it requires further investigation. I will notify you of the outcome within a reasonable time frame.

If you are still unhappy with how I have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (OAIC) (www.oaic.gov.au) for guidance on alternative courses of action which may be available.

CONTACT DETAILS  

If you have any questions, comments, requests or concerns, please email me at: Ailsa@ailsarobson.com

CHANGES TO THIS POLICY  

From time to time, I may need to change my policy on how I handle personal information or the types of personal information which I hold. Any changes to my policy will be published on my website.

You may obtain a copy of my current policy from my website or by contacting me at the contact details above.

Copyright by Towers Legal, December 2023