HOW WE COLLECT INFORMATION

We collect information directly from you in most cases — through intake forms completed before your first appointment, during consultations, by telephone, email, or through our online booking and practice management platform (Cliniko). In some cases we may receive information from other health providers involved in your care, with your knowledge or consent.

We do not collect more information than we need.

03 · Why We Collect and Use Your Information

We collect, hold, use, and disclose personal information and health information for the following purposes:

Providing clinical assessment, treatment, and follow-up care

Managing appointments, recalls, and treatment continuity

Communicating with you about your care

Processing payments and managing billing and health fund claims

Referring you to other health practitioners where clinically appropriate

Meeting legal and professional obligations (including AHPRA requirements, OHS compliance, and mandatory reporting obligations)

Maintaining accurate clinical records for quality and safety purposes

Research and quality improvement activities (only in de-identified or aggregated form, or with your consent)

We will not use your health information for any purpose that is unrelated to your care without your consent, or where required or permitted by law.

04 · Who We May Share Your Information With

We share personal information and health information only where necessary and in accordance with this policy and applicable law. Recipients may include:

Treating practitioners within our practice involved in your ongoing care

Other health practitioners outside our practice, where you have requested a referral or where disclosure is clinically appropriate and you would reasonably expect it

Health insurers or Medicare where a claim is being processed on your behalf

Our practice management software provider (Cliniko), which is used to store appointment, clinical, and billing records

Our professional insurers, in the context of a claim or potential claim

Legal or regulatory authorities, where disclosure is required or authorised by law

Emergency services or other health providers, where there is a serious and imminent threat to your life or safety, or the life or safety of another person

We do not sell personal information. We do not share health information for marketing purposes.

OVERSEAS DISCLOSURE

We do not routinely disclose personal information to overseas recipients. Our practice management platform (Cliniko) is operated by an Australian company; however, some data hosting or processing may occur overseas as part of that platform's infrastructure. Where this is the case, we take reasonable steps to ensure that overseas recipients handle the information in accordance with the Australian Privacy Principles.

05 · How We Store and Protect Your Information

Clinical records are held in our practice management system (Cliniko), which is password-protected and accessible only to authorised practitioners and administrative staff. Paper records, where they exist, are held securely on-premises.

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These steps include:

Role-based access controls within our practice management system

Secure, encrypted data storage through our software provider

Staff confidentiality obligations and practitioner professional registration requirements

Physical security of our premises

RETENTION

We retain clinical records in accordance with our legal obligations. Under Victorian health records legislation, health information must generally be retained for a minimum of 7 years from the date of last service (or, where the client was a child, until they reach 25 years of age). Records may be retained longer where clinically or legally appropriate.

When information is no longer required and retention obligations have been met, we take reasonable steps to destroy or de-identify it securely.

06 · Your Rights — Access and Correction

ACCESS

You have the right to request access to the personal information and health information we hold about you. We will respond to a written access request within a reasonable time (generally 30 days). We will provide access unless a legal exception applies — for example, where providing access would pose a serious threat to your health or safety, or the health or safety of another person.

To request access, contact us using the details in Section 08. We may ask you to verify your identity before releasing records.

We will not charge a fee for making an access request, though we may charge a reasonable fee for the cost of providing copies of records (for example, the cost of printing clinical notes).

CORRECTION

If you believe that personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct it. We will take reasonable steps to correct information or, if we do not agree that it requires correction, to note your request alongside the record.

07 · Complaints

If you believe we have mishandled your personal information or health information, we want to hear from you first. Please contact us directly using the details in Section 08. We will acknowledge your complaint promptly and aim to respond substantively within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the relevant external body:

Australian Privacy Principles (federal): Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au — 1300 363 992

Health Privacy Principles (Victorian): Health Complaints Commissioner — www.hcc.vic.gov.au — 1300 582 113

08 · Contact Us

For any privacy-related queries, access or correction requests, or complaints, contact us at

Practice

Good Days Studio

ABN

19 199 101 205

Address

149B–151 Pakington Street, Geelong West VIC 3218

Email

[email protected]

Phone

0468 084 400

09 · Compliance Reference — APPs and HPPs

The following tables summarise our approach to each Australian Privacy Principle (Privacy Act 1988, Cth) and each Health Privacy Principle (Health Records Act 2001, Vic). They are intended as a reference for internal governance and for practitioners and staff to understand our obligations.

PART A — AUSTRALIAN PRIVACY PRINCIPLES (APPS)

APP 1

Open and transparent management

We maintain this privacy policy, make it freely available, and train staff on our privacy obligations. We have practices, procedures, and systems to ensure compliance.

APP 2

Anonymity and pseudonymity

Where practicable and lawful, individuals may interact with us without identifying themselves — for example, general enquiries. Clinical care cannot be provided anonymously.

APP 3

Collection of solicited personal information

We collect only information that is reasonably necessary for our functions and activities. Health information is collected only where necessary for providing care. We collect directly from the individual where practicable.

APP 4

Dealing with unsolicited information

If we receive personal information we did not solicit and could not have collected ourselves, we destroy or de-identify it promptly where it is lawful and reasonable to do so.

APP 5

Notification of collection

We notify individuals of the collection of their personal information at or before the time of collection — through our Privacy Collection Notice provided at intake.

APP 6

Use and disclosure

We use and disclose personal information only for the primary purpose of collection, related secondary purposes the individual would reasonably expect, or with consent, or where required by law.

APP 7

Direct marketing

We do not use health information for direct marketing. Any other marketing use of personal information (e.g. appointment reminders) is limited to our existing clients and is clearly connected to our services.

APP 8

Cross-border disclosure

We take reasonable steps to ensure overseas recipients of personal information comply with the APPs. Our practice management system may use overseas infrastructure; we rely on that provider's contractual and technical safeguards.

APP 9

Adoption, use or disclosure of government-related identifiers

We do not adopt government-related identifiers (such as Medicare numbers) as our own identifier. We may record Medicare and health fund numbers solely for the purpose of processing claims.

APP 10

Quality of personal information

We take reasonable steps to ensure information we collect, use, and disclose is accurate, up to date, and complete. Clients are encouraged to update their details at each visit.

APP 11

Security of personal information

We hold personal information securely in our practice management system with role-based access controls. On-premises paper records are stored securely. We take reasonable steps to protect against misuse, loss, and unauthorised access or disclosure.

APP 12

Access to personal information

Individuals may request access to their personal information. We respond within 30 days. We may refuse access on limited grounds permitted by the Privacy Act and will explain any refusal in writing.

APP 13

Correction of personal information

We take reasonable steps to correct inaccurate, outdated, or incomplete information on request. If we do not make a correction, we will explain why in writing and note the request alongside the record.

PART B — HEALTH PRIVACY PRINCIPLES (HPPS) — HEALTH RECORDS ACT 2001 (VIC)

HPP 1

Collection

Health information is collected only where necessary for providing health services. We collect directly from the individual at intake. Consent is obtained before collecting sensitive information.

HPP 2

Use and disclosure

Health information is used and disclosed only for the primary purpose of providing health services, related secondary purposes the individual would expect, or with consent, or as required by law.

HPP 3

Data quality

We take reasonable steps to ensure health records are accurate, complete, and up to date at the time of use.

HPP 4

Data security

Health records are held in our secure practice management system (Cliniko) with access restricted to treating practitioners and authorised administrative staff.

HPP 5

Openness

This policy is our primary disclosure document. A copy is available at reception, on request, and on our website.

HPP 6

Access and correction

Clients may request access to and correction of their health records. We respond within 30 days. Correction requests are actioned or noted where we disagree.

HPP 7

Identifiers

We do not use government identifiers as our own. Medicare and health fund numbers are recorded only to facilitate claims.

HPP 8

Anonymity

Where lawful and practicable, general enquiries may be made anonymously. Clinical services require identification.

HPP 9

Transborder data flows

We take steps to ensure health information sent outside Victoria is protected to an equivalent standard. Our practice management platform's overseas hosting is covered by contractual and technical safeguards.

HPP 10

Sensitive information

All health information is treated as sensitive. It is not collected, used, or disclosed without consent or lawful justification.

HPP 11

Making information available to other health service providers

With client consent, or where necessary for continuity of care, we share relevant health information with other treating health practitioners.

10 · Definitions

In this policy, unless the context otherwise requires:

Health information

Information or an opinion about the health or disability of an individual, an individual's expressed wishes about future health services, or health services provided or to be provided to an individual — as defined in the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic).

Personal information

Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

APPs

Australian Privacy Principles as set out in Schedule 1 of the Privacy Act 1988 (Cth).

HPPs

Health Privacy Principles as set out in Schedule 1 of the Health Records Act 2001 (Vic).

Practice management system

Cliniko, the cloud-based software used by Good Days Studio for appointment scheduling, clinical records, and billing.

We / us / our

Good Days Studio (ABN 19 199 101 205).

You / your

An individual whose personal information or health information we collect, hold, use, or disclose.