Privacy Policy 

Berwick Counselling and Psychotherapy                             2021

 

1.0 PRIVACY POLICY

 

“The business” respects the rights of individuals to their privacy and any personal information provided to “the business” will be held in strict confidence. This Rule details how “the business” handles personal and health information that has been collected, used, held, disclosed or shared in accordance with the Principles as set out in the Information Privacy Act 2000 (Vic), Privacy Act 1988 (Cwlth), and Health Records Act 2001 (Vic).

 

“the business” shall only collect information that is necessary to meet “the business’s” operational and legal obligations. In doing so, “the business” will notify the individual of the purpose for which the information is being collected. “the business” shall ensure that the information is relevant, accurate, complete and secure and shall allow individuals access to their personal information.

 

2.0 DEFINITIONS

 

Personal Information is defined as information or an opinion that is recorded, whether true or not, about an individual whose identity is apparent, or can reasonably be found out, from the information or opinion.

 

Health Information is defined as information or an opinion about the physical, mental or psychological health of an individual.

 

Sensitive Information is defined as information or an opinion about an individual’s racial or ethnic origin, religious and philosophical beliefs, sexual preferences or practices, political affiliations, disabilities and medical conditions, or criminal record.

 

Unique identifier is defined as an identifier (usually a number) assigned by an organisation to an individual to identify that individual for the purposes of the operation of the organisation.

 

Individual is defined as an employee, a prospective employee, a client and/or prospective client.

 

Information Privacy Principles (IPP) is defined as a blend of core principles for managing information privacy as detailed in the Information Privacy Act 2000 (Vic) and the Privacy Act 1988 (Cwlth).

 

3.0 RESPONSIBILITIES

 

  1. The Owner

 

The Owner shall be responsible for hearing complaints of acts or practices that allegedly contravene “the business’s” Privacy Policy and will attempt to resolve the issue within 14 working days of receiving the complaint.


 

4.0 PRINCIPLES AND COMPLAINT RESOLUTION

 

  1. Information Privacy Principles

 

The Privacy Principles outlined in the Information Privacy Act 2000 (Vic), Privacy Act 1988 (Cwlth), and the Health Records Act 2001 (Vic) form the basis for this Rule.

 

  1. Collection

 

All records of personal information collected and held by “the business” fall into the following categories:

  1. Client records 

  2. Business and Financial records managed by the Chief Financial Officer/Owner

  3. IT records handled by the Owner

 

“the business” shall only collect personal information from individuals in a fair and legal manner for the purpose of conducting its business. Should it become necessary to source information from a third party, “the business” shall notify the individual concerned.

 

At the time of data collection or as soon as is practicable, “the business” shall inform the individual of the intended use of the information, any legal requirements and the individual’s right of access to that information. 

 

  1. Use and Disclosure

 

“the business” shall only use an individual’s personal information for the purpose for which it was collected and not disclose it to any person, body or agency unless:

  1. The secondary purpose for disclosure is related to the primary purpose and the person would reasonably expect such use or disclosure

  2. The disclosure is in compliance with law enforcement and public or individual health and safety issues

  3. It is to be used for research or statistical analysis that does not identify any particular individual.

 

If use or disclosure is made under these circumstances it will be noted in the individual’s personal records.


 

  1. Data Quality

 

“the business” shall provide ease of access for individuals to view, update or query their personal information to maintain accurate and complete records.

 

  1. Data Security

 

The integrity of personal information collected by “the business” is maintained through strictly controlled management policies and procedures including document control, storage and retrieval, web/internet policies and practices and education and training of relevant personnel. “the business” has security measures in place to guard against the loss or corruption of information gathered through “the business’s” website, including the use of regular data back-ups, firewalls, data encryption and access-controlled areas.

 

Documents and data that are no longer required shall be destroyed subject to Public Records Office retention specifications.

 

  1. Openness

 

In accordance with this Rule and the Information Privacy Act, “the business” aims to be open and transparent with regard to its use of personal information.

 

  1. Access and Correction

 

Clients and employees may request access to their personal information by applying in writing to the Registrar or Associate Director Human Resources respectively. Access is free of charge and will be granted with the following exceptions:

  1. Providing access would pose a serious and imminent threat to life or health of individuals

  2. Providing access would have an unreasonable impact on the privacy of other individuals

  3. The request for access is frivolous or vexatious

  4. The information relates to existing legal proceedings between “the business” and the individual

  5. Providing access would be unlawful or prejudice a lawful investigation.

 

Where access is denied and the use of intermediaries is not applicable, “the business” shall notify the applicant of the reasons for the decision.

 

Where a third party requests access to information held by “the business”, written authorisation from the affected individual must be provided.

 

An individual may submit a written request for corrections to be made to their personal records. “the business” shall either correct the records or provide reason as to why the request is refused within 45 days of receiving the request.

 

All other requests for access to personal information shall be consistent with “the business’s” Rule for Freedom of Information.

 

  1. Unique Identifiers

 

The assignment of unique identifiers by “the business” to clients is necessary to protect the personal records and safety of the clients. “the business” shall not use the identifier of another organisation as its own unless it is necessary to conduct “the business’s” business and has the consent of the individual to use that unique identifier.

“the business” shall not require an individual to provide a unique identifier for any service unless it is required by law or is in connection with the purpose for which it was assigned.

 

  1. Anonymity

 

Wherever it is lawful and practicable, individuals may remain anonymous when entering transactions with “the business”.

 

  1. Transborder Data Flows

 

“the business” may be required to transfer personal information to organisations or persons whether local, interstate or international. Such transfers shall only occur where:

  1. The individual consents to the transfer

  2. The transfer is necessary for the performance of the contract

  3. The transfer is for the benefit of the individual but it is impracticable to gain their consent.

All reasonable measures will be taken to protect the information.

“the business” will take all possible steps to ensure the recipient abides by the Information Privacy Principles.

 

  1. Sensitive Information

“the business” shall not collect sensitive information regarding an individual unless:

  1. The individual has consented

  2. The collection is required under law

  3. It is necessary to prevent a serious or imminent threat to life or health of that individual

  4. The collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

 

  1. Complaints process

“the business’s” policy is to attempt to resolve all complaints at the local level. Individuals who believe that their privacy has been compromised should, in the first instance, discuss their concerns with the Owner. The Owner shall attempt to resolve the complaint within 14 days of the receipt of the complaint. The complainant shall be advised in writing of the outcome of the complaint.

 

If the individual is not satisfied with the initial outcome they may lodge a formal written complaint to “the business’s” Privacy Officer/Owner within 14 days of being advised of the outcome of the original complaint.

 

The Privacy Officer/Owner shall:

  1. Maintain a complaints register

  2. Acknowledge receipt of the complaint to the complainant in writing as soon as possible

  3. Convene the Privacy Committee within 21 days of receiving the complaint.

The Privacy Committee may dismiss a complaint which is deemed to be frivolous, vexatious, misconceived, lacking in substance, or where there has been no attempt to solve the issue at the local level.

The Privacy Committee shall hear the complaint and make recommendations for further action if required. The Committee shall notify the Privacy Officer who shall inform the complainant, in writing, of the hearing outcomes.

 

An individual who is still unsatisfied with the outcomes of the complaint may refer the matter to the appropriate external body, i.e. the Australian Counselling Association.

​

5.0 DOCUMENTS

 

Information Privacy Act 2000 (Vic)

Health Records Act 2001 (Vic)

Privacy Act 1988 (Cwlth)

Freedom of Information Act 1982 

(Staff Information Book)

“the business’s” Web published Policy and Procedures

​

​

​

​
