Aspirations Occupational Therapy - Privacy Policy
Version 1.0 (Updated May 2025)
Your privacy matters
At Aspirations Occupational Therapy [ABN 19 138 118 400], we are committed to protecting your privacy and ensuring your personal information is managed securely. This Privacy Policy explains how we collect, use, store, and disclose your information in line with the Privacy Act 1988 (Cth) and includes recent updates under the Privacy and Other Legislation Amendment Bill 2024 (Cth).
By visiting our website, social media accounts, or engaging with our services, you agree to the collection and use of your information as outlined in this policy.
Types of Personal Information We Collect
1.1 Personal details: name, address, date of birth, gender, and contact information
1.2 Family medical history and next of kin details
1.3 Health information: medical conditions, records, and test results
1.4 Medicare and NDIS plan details
1.5 Other sensitive information shared during the course of our services
Collection and Use of Personal Information
We collect, hold, use, and disclose personal information for the following purposes:
2.1 Provide access to and use our website and services
2.2 Communicate with you
2.3 Conduct administrative activities such as invoicing and record keeping
2.4 Fulfil legal obligations and respond to disputes
2.5 Complete reports, assessments, and documentation relevant to the services we provide
How We Treat Personal Information That is Also Sensitive Information
3.1 Information classified as “Sensitive Information” has a higher level of protection under the APPs.
3.2 Sensitive information includes details relating to your child’s medical and developmental history, diagnostic reports, assessments, mental health, behavioural information, cultural background, and any information shared during therapy sessions.
3.3 We only collect Sensitive Information with your explicit consent or where required by law. If we need to collect Sensitive Information, we will inform you of the specific reason and obtain your consent before doing so.
3.4 So long as you consent, your sensitive information (if we hold any) may only be used and disclosed for purposes relating to the primary purpose for which the sensitive information was collected.
Disclosure of Personal Information to Third Parties
We may disclose personal information to:
4.1 Our employees, contractors, and related service providers, where access to personal information is required for the performance of their duties
4.2 Third parties, including agents, contractors, and subcontractors, who assist us in providing information, products, services, or direct marketing (for example: Xero, Halaxy, cloud storage services, or telehealth platforms). These parties are bound by confidentiality and privacy obligations
4.3 Other health professionals involved in your care (e.g., general practitioners, psychologists, speech pathologists, paediatricians, teachers, or support staff), only with your consent or where legally required
4.4 Medicare, NDIS representatives, or other funding bodies, where necessary to process claims or funding and in accordance with your consent
4.5 Our professional advisors (e.g., accountants, insurers, or lawyers), where required for professional, insurance, or legal purposes, and under confidentiality obligations
4.6 Credit reporting agencies, courts, tribunals, and regulatory authorities, in the event you fail to pay for goods or services provided to you
4.7 Courts, tribunals, regulatory authorities, or law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or to establish, exercise, or defend our legal rights
4.8 Cloud-based storage and data hosting providers, which may store information on servers located within Australia or overseas. All such providers are subject to strict confidentiality and data protection agreements
4.9 IT service providers, cloud storage providers, and software platforms (e.g., Halaxy, Xero, OneDrive)
Overseas Transfer
Due to the global nature of electronic systems, your personal information may be stored or accessed by providers based outside Australia. While it's not always feasible to list every country, we ensure all overseas transfers comply with privacy obligations and include data protection agreements.
Data Security and Storage
We are committed to securing your personal information. We use:
6.1 Encryption
6.2 Access controls
6.3 Physical safeguards
6.4 Regular cybersecurity audits
Information is stored in:
a. Electronic systems (e.g., Halaxy, Xero, OneDrive)
b. Paper files (stored securely)
While we take measures to safeguard against unauthorised disclosures, we cannot guarantee the security of information transmitted over the internet. The transmission and exchange of information is carried out at your own risk. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that the personal information we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy.
We retain personal and health information in accordance with legal requirements:
6.5 For an adult over the age of 18 years, the minimum timeframe is seven years from the date of the last entry in the client’s record
6.6 For a person under the age of 18 years, the minimum timeframe is until the person is 25 years of age
6.7 All copies of client or parent/carer’s information will be securely destroyed at the appropriate time. We use secure destruction methods, including shredding paper records and permanently deleting electronic files from our systems, to ensure your information cannot be recovered or accessed after the retention period has expired.
Data Breach
If a data breach occurs that is likely to result in serious harm, we will:
7.1 Assess the breach within 30 days as required under the Notifiable Data Breaches (NDB) Scheme
7.2 Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable
7.3 Provide details on the nature of the breach and actions taken to mitigate harm
Serious Invasions of Privacy & Doxxing
8.1 We recognise your right to take legal action if your privacy is recklessly or intentionally invaded
8.2 Doxxing (publishing personal information to harass or harm) is a criminal offence. We take all reasonable steps to prevent unauthorised disclosures online
Automated Decision Making & AI Transparency
If we use automated systems such as Artificial Intelligence (AI) or algorithms either now or in the future, we will:
9.1 Inform you when a decision affecting you has been made automatically
9.2 Provide transparency regarding the criteria used in automated processes
9.3 Allow you to request a human review of an automated decision if legally required or if the decision significantly impacts your rights
Your Rights and Controlling Your Personal Information
At all times, you have the right to:
10.1 Request Access: You can access the personal information we hold about you, subject to any legal exceptions
10.2 Correct Information: If your information is inaccurate, incomplete, or outdated, you can request corrections
10.3 Opt-Out of Marketing: You can opt out of marketing communications at any time using the unsubscribe function or by contacting us directly. We comply with the Spam Act 2003 (Cth)
10.4 Children’s Privacy: If you’re a parent/guardian of a child under 14, you can manage their personal information. If the child is 14 or older and capable of making their own decisions, they may control access to their data. If a child refuses access, we will respect their decision unless required by law
10.5 Legal Considerations: We may deny access to personal information if it would:
a. Impact the privacy of others
b. Be frivolous or vexatious
c. Relate to legal proceedings
d. Be unlawful or impact national security
Cookies, Web Beacons and Google Analytics
11.1 We may use cookies and tracking technologies to enhance user experience and measure website performance. By using our website and social media accounts, you consent to use of our cookies.
11.2 While cookies don’t tell us your email address, they do allow third parties, like Google and Facebook, to track you as part of our retargeting campaigns. If and when you choose to provide our website with personal information, this information may be linked to the data stored in the cookie. You can manage or disable cookies through your web browser settings.
11.3 Web beacons monitor the behaviour on our website and collect data about your web page viewing.
11.4 We also use Google Analytics to collect and process data from time to time.
Links to Other Websites
12.1 We do not have any control over Third Party Websites and we are not responsible for the protection and privacy of any personal information that you provide whilst visiting them. Third Party Websites are not governed by this Privacy Policy, even if you followed a link from our website to the Third Party Website.
Amendments
13.1 We may update this privacy policy as laws change. The latest version will always be available on our website.
Complaint Procedure
14.1 If you have a complaint concerning the manner in which we maintain the privacy of your Personal Information, please contact us as per the contact details set out at the bottom of this policy. All complaints will be considered by us and we may seek further information from you to clarify your concerns. If we agree that your complaint is well founded, we will, in consultation with you, take appropriate steps to rectify the problem. If you remain dissatisfied with the outcome, you may refer the matter to the Office of the Australian Information Commissioner.
Documentation and Response Timeline
15.1 We aim to resolve all privacy complaints within 30 business days. If additional time is required, we will notify you in writing. All complaint documentation will be retained for 12 months following resolution. If the matter requires escalation, our Privacy Officer will personally review your case within 10 business days of the escalation request.
Accessibility Statement
16.1 We are committed to ensuring our Privacy Policy is accessible to everyone. If you require this policy in an alternative format (such as large print, audio, or another accessible format) to accommodate a disability, please contact us at admin@aspirationsot.com.au and we will provide the information in your preferred format wherever possible.
How to Contact Us About Privacy
17.1 If you have any queries, or if you seek access to your Personal Information, or if you have a complaint about our privacy practices, you can contact us through: Aspirations Occupational Therapy [ABN 19 138 118 400] at admin@aspirationsot.com.au
22/5/2025