Privacy Policy
1.Introduction
1.1.Karyn Taylor Psychology (‘the Practice’) is committed to managing personal, sensitive and health information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and in accordance with any other applicable privacy laws. This Policy applies to all personal information collected, stored, and used in both physical and electronic formats.
1.2.This Privacy Policy outlines how the Practice collects, uses, stores, and discloses personal information in compliance with the APPs and the Australian Psychological Society (APS) Position Statement on Record Keeping in Organisations (December 2020). (The APPs do not apply to Employee Records and consequently this Policy does not apply to such records.)
2.Statement of Principle
2.1.In accordance with the principles of the APPs, the Practice will:
a)Only collect Personal Information and Sensitive Information (collectively ‘Information’) that is necessary for its functions or activities being the delivery of Psychological Services;
b)Ensure that the Individual is made aware of the collection of this information at the time of collection or as soon as reasonably possible afterwards;
c)Ensure that the Individual is informed about the intended use for the information;
d)Collect information about the Individual from the Individual directly, and only collect information about the Individual from an indirect source in circumstances where it would be reasonable and expected to do so;
e)Take reasonable steps to ensure the Information collected is accurate, complete and up-to-date;
f)Only collect information in a manner that is reasonable, fair or expected;
g)Take reasonable steps to destroy or permanently de-identify Information when no longer needed;
h)Give access (when requested by the Individual concerned) to the Information held, unless there is an emergency situation, ministry imperatives, law enforcement, other public interests or any other exception as provided by the Act which would prevent this occurring;
i)Take industry standard steps to ensure that Personal Information is stored in a manner that provides reasonable protection from misuse and loss, and from unauthorised access, modification or disclosure; and,
j)Ensure that the information is used and disclosed in a manner consistent with the APPs.
3.What Information Do We Collect and Retain?
3.1.We collect Personal Information in relation to Clients and other Individuals necessary to manage client records and deliver psychological services. This may include:
a)Demographic Information: Name, address, contact details, date of birth, and gender.
3.2.We collect Sensitive Information in relation to Clients necessary to provide psychological services. This may include:
a)Intake information: Presentation information and other Client generated information.
b)Health Information: Medical history, mental health assessments, diagnoses, and information from other health practitioners.
c)Treatment or Assessment Information: Assessment or measure results, case formulations, session notes, summaries of treatment and other clinical observations.
3.3.We collect this information directly from Clients, Individuals, their representatives, or other healthcare providers involved in their care, with the consent of our clients or their guardian(s).
3.4.We may collect Information by a variety of methods:
a)Forms and documents completed and provided by Clients;
b)Generation of Artificial Intelligence outputs including transcripts and summaries;
c)Face-to-face, telephone and/or videoconference consultations or contact with our office; and,
d)Video and audio recordings.
3.5.We will collect information about a child only when that child is a client or a client’s child. Where children do not have Gillick Competence, we will require their parents or guardians to make decisions on their behalf. Where an assessment is made that a child has Gillick Competence we will record this in their client record.
4.Single Record
4.1.The Practice maintains a single electronic record (e-record) system in accordance with standard practice for psychological services. For the avoidance of doubt, the Practice does not maintain physical records.
Sensitive Client Information
4.2.Where the single electronic record contains Sensitive Information about a Client, the Sensitive Information shall be stored separately to Personal Information and require authorisation to be accessed.
4.3.The Practice adheres to a "need-to-know" principle, ensuring that information is only shared with authorised individuals or organisations directly involved in the client's care or as required by law. Only persons duly authorised by the Practice shall have access to Sensitive Information.
5.How do we Use and Disclose the Information We Collect?
5.1.We collect Personal Information necessary for our Primary Purpose of providing psychological services and managing client records.
5.2.The use and disclosure of this Information may include:
a)Providing psychological services, treatments and interventions;
b)Preparing Reports or Assessments;
c)Facilitating the production of AI generated summaries;
d)Facilitating multidisciplinary team care, where appropriate;
e)Complying with our legal obligations (e.g., court orders, mandatory reporting); and/or
f)Responding to requests from government bodies (e.g., child protection, law enforcement) where required by law.
5.3.Sensitive Information will be used only for the Primary Purpose of delivering Psychological Services, or for a Secondary Purpose directly related to that Primary Purpose.
Job applicants and Contractors
5.4.In relation to Personal Information of job applicants and contractors, the Practice’s primary purpose of collection is to assess and (if successful) to engage the job applicant or contractor, as the case may be.
5.5.To the extent the Information is not excluded from coverage of this Policy as part of an Employee Record, the purposes for which the Practice uses and discloses the Personal Information of job applicants and contractors include:
a)Assessing suitability for engagement;
b)Managing engaged Contractors;
c)Meeting our obligations under the relevant child protection regime; and/or,
d)Drafting an engagement agreement.
5.6.The Practice will not collect or retain Sensitive Information of job applicants and contractors. The Practice may in its sole discretion erase job applicant and/or contractor information that it no longer requires and is not lawfully required to retain.
6.How To Correct or Delete Your Information
6.1.The Practice takes ongoing steps to ensure that Client Information it holds is accurate, complete and up-to-date.
6.2.Clients have the right without charge to:
a)Access their Personal Information, subject to limited exceptions (e.g., where access would pose a risk to the client or others).
b)Request corrections to their records if the information is inaccurate, incomplete, or outdated.
c)Withdraw consent for the use or disclosure of their information, except where required by law.
6.3.Should a lawful reason not to correct information exist, the Practice will notify the Client.
6.4.Client Information is only retained for the minimum period required by law and is securely erased thereafter.
7. Overseas Disclosure
7.1.The Practice will only send Personal Information about an Individual to a recipient outside Australia:
a)on the express consent of the Client; or,
b)for the purpose of data integrity and redundancy through an offshore cloud storage process subject to suitable data security measures;
7.2.We will not disclose Personal Information to an overseas recipient without that Individual’s consent, unless an exception under the Australian Privacy Principles (APPs) applies. If disclosure is required, we will take reasonable steps to ensure the overseas recipient complies with the APPs regarding Client Information.
8.Data Security and Storage
8.1.The Practice maintains a single electronic record (e-record) system with industry standard security features to protect client information.
8.2.Our security measures include:
a)Access Controls: personal identifiers and passwords are required for any individuals engaged by the Practice to access stored Personal Information. Two-factor authentication is required to access Personal Information.
b)Data Classification: Information is classified according to whether it is Personal Information or Sensitive Information, with access to Sensitive Information restricted to individuals engaged by the Practice who have a requirement to access this information.
c)Audit Trails: the Practice regularly audits the security of stored Personal Information to ensure it meets industry standard practices. The Practice regularly audits the register of engaged individuals authorised to access stored Personal Information.
d)Encryption: Personal Information data is encrypted during transmission and storage to prevent unauthorised access.
9.Notifiable Data Breaches
9.1.The Practice will take all reasonably necessary measures to address any unauthorised collection, use, or disclosure of Personal Information that could result in Serious Harm to an individual ("a data breach").
9.2.For the purposes of this Policy, "Serious Harm" refers to any harm or loss that has, or could have, significant adverse effects on an Individual’s:
a)Physical;
b)Mental or Psychological;
c)Financial; or,
d)Reputational wellbeing.
9.3.In the event of a data breach that includes Personal Information, the Practice will assess whether serious harm has occurred or is likely to occur.
9.4.When determining the likelihood of serious harm following a suspected data breach, the Practice will consider:
a)Whether the compromised information includes sensitive or health-related data;
b)The nature of the affected individuals (e.g., young or vulnerable persons may face higher risks);
c)The number of individuals potentially impacted;
d)Whether the data was encrypted, anonymised, or otherwise not easily accessible; and,
e)The identity of any parties who have obtained, or may obtain, access to the information.
9.5.In accordance with this Policy, the Practice will make reasonable efforts to notify both the Office of the Australian Information Commissioner (OAIC) and any Individuals at risk of serious harm due to a data breach.
9.6.The Practice is not required to notify the OAIC if it determines that the breach has been remediated, provided:
a)Corrective actions have been taken to prevent serious harm to affected individuals; and,
b)No further risk of serious harm remains.
9.7.In cases where a data breach cannot be remediated ("a notifiable data breach"), the Practice will submit a statement to the OAIC containing:
a)The Practice’s identity and contact details;
b)A summary of the breach;
c)A description of the compromised personal, sensitive, or health information; and,
d)Recommended steps for affected individuals to mitigate potential harm.
9.8.Where a notifiable data breach occurs, the Practice will directly inform all Individuals whose Personal Information was involved and who are at risk of Serious Harm.
9.9.If direct notification is impractical, the Practice will publish the details of the breach on its website, including the statement provided to the OAIC.
10.Definitions
10.1.The Act means the Privacy Act 1988 (Cth).
10.2.APPs means Australian Privacy Principles as set out under the Act.
10.3.Artificial Intelligence (or ‘AI’) means any software application that involves machine learning outputs, whether or not the software application identifies the use of this function as a form of “Artificial Intelligence”.
10.4.Client means a client of the Practice and includes a potential or prospective client.
10.5.Client Information include Personal Information and Sensitive Information collected in relation to a Client.
10.6.Employee record means a record of Information relating to the employment of a current or former employee. This includes Information about any of the following:
i.Engagement, training, disciplining or resignation of the employee;
ii.Termination of the employment of the employee;
iii.Terms and conditions of the employee;
iv.Employee’s personal and emergency contact details;
v.Employee’s performance or conduct;
vi.Employee’s hours of employment;
vii.Employee’s salary or wages;
viii.Employee’s membership of a professional or trade association;
ix.Employee’s trade union membership;
x.Employee’s recreation, long service, sick, personal, maternity, paternity or other leave; and/or,
xi.Employee’s taxation, banking or superannuation affairs.
10.7.Gillick Competence means in the view of the Practitioner a child has sufficient maturity and understanding to give valid consent to the collection of Sensitive Information.
10.8.Individual, in relation to Personal Information, means the individual to whom the information relates (and includes a Client).
10.9.Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information or opinion is true or not and regardless of the form the information or opinion is recorded in. Personal Information includes Sensitive Information.
10.10.Primary Purpose means the purpose for which the Personal Information was collected.
10.11.Privacy Officer means the person appointed to the position of Privacy Officer per clause 11 of this Policy.
10.12.Secondary Purpose means the use of Personal Information for a purpose that is not the Primary Purpose.
10.13.Sensitive Information means:
a)Information or an opinion, that is also personal information, about an individual’s:
i.Racial or ethnic origin; or
ii.Political opinions; or
iii.Membership of a political association; or
iv.Religious beliefs or affiliations; or
v.Philosophical beliefs; or
vi.Membership of a professional or trade association; or
vii.Membership of a trade union; or
viii.Sexual orientation or practices; or
ix.Criminal record; or,
b)Health information about an individual; or,
c)Genetic information about an individual that is not otherwise health information; or,
d)Biometric information that is to be used for the purposes of automated biometric verification or biometric identification; or,
e)Biometric templates.
10.14.The Practice means Karyn Taylor Psychology.
11.Complaints & Privacy Officer
11.1.If you have concerns about how your personal information is handled, please contact the Practice’s Privacy Officer at: hello@ktpsychology.com.au
11.2.The Privacy Officer will investigate and respond to your complaint within 28 days. The Privacy Officer may seek an extension of time of up to 56 days. You will be notified of the decision of the Privacy Officer in writing.
11.3.If you are unsatisfied with our response, you may lodge a complaint with the OAIC.
12.Adoption
12.1.This Policy is aligned with the Australian Privacy Principles and the APS Position Statement on Record Keeping in Organisations (December 2020).
12.2.This policy is reviewed periodically to ensure compliance with legislative changes and best practices. Clients will be notified of significant updates.
12.3.This version was adopted on 15/12/2025.
