for Management of Personal Information
(last updated: 8/04/2020)
Client information is held in a combination of: secure filing cabinets; encrypted and password-protected Windows Server 2012 data drives accessed using Windows 10 Pro computers owned by PsychSessions and maintained by Blue Arc IT Solutions, as well as via encrypted IPSec VPN links when working remotely using either PsychSessions or privately owned computers; Power Diary, which is an online practice management system; and Office 365, including email, SharePoint, and OneDrive, all of which is accessible only to authorised employees. The information on each file includes personal information such as name, address, contact phone numbers, medical history, and other personal information collected as part of providing the psychological service.
How clients’ personal information is collected
A client’s personal information is collected in a number of ways during psychological consultation with PsychSessions, including when the client provides information directly to PsychSessions using hardcopy forms, correspondence via email, when the client interacts directly with PsychSessions employees such as the receptionist, and when other health practitioners provide personal information to PsychSessions, via referrals, correspondence and medical reports.
Consequence of not providing personal information
Purpose of holding personal information
A client’s personal information is gathered and used for the purpose of providing psychological services, which includes assessing, diagnosing and treating a client’s presenting issue. The personal information is retained in order to document what happens during sessions, and enables the psychologist to provide a relevant and informed psychological service.
Disclosure of personal information
Clients’ personal information will remain confidential except when:
- it is subpoenaed by a court, or disclosure is otherwise required or authorised by law; or
- failure to disclose the information would in the reasonable belief of PsychSessions place a client or another person at serious risk to life, health or safety; or
- the client’s prior approval has been obtained to:
  - provide a written report to another agency or professional, e.g. a GP or a lawyer; or
  - discuss the material with another person, e.g. a parent, employer, health provider, or third party funder; or
  - disclose the information in another way; or
  - disclose to another professional or agency (e.g. your GP) and disclosure of your personal information to that third party is for a purpose which is directly related to the primary purpose for which your personal information was collected.
A client’s personal information is not disclosed to overseas recipients, unless the client consents or such disclosure is otherwise required by law. Clients’ personal information will not be used, sold, rented or disclosed for any other purpose.
In the event that unauthorised access, disclosure or loss of a client’s personal information occurs, PsychSessions will use all reasonable endeavours to minimise any risk of consequential serious harm, and when required will comply with the requirements of the OAIC Notifiable Data Breaches scheme.
Requests for access and correction to client information
At any stage clients may request to see and correct the personal information about them kept on file. The psychologist may discuss the contents with them and/or give them a copy, subject to the exceptions in the Privacy Act 1988 (Cth). If satisfied that personal information is inaccurate, out of date or incomplete, reasonable steps will be taken in the circumstances to ensure that this information is corrected. All requests by clients for access to or correction of personal information held about them should be lodged with management. These requests will be responded to in writing within 30 days, and an appointment will be made if necessary for clarification purposes.
If clients have a concern about the management of their personal information, they may inform PsychSessions. Upon request they can obtain a copy of the Australian Privacy Principles, which describe their rights and how their personal information should be handled. Ultimately, if clients wish to lodge a formal complaint about the use of, disclosure of, or access to, their personal information, they may do so with the Office of the Australian Information Commissioner by phone on 1300 363 992, online at https://www.oaic.gov.au/privacy/privacy-complaints/ or by post to:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001