
Think Psyc is committed to protecting client privacy and confidentiality. The psychological services provided by Think Psyc are bound by the legal requirements of the Privacy Act 1988 (Cth), including the Australian Privacy Principles, and relevant state and territory privacy and health records legislation where applicable. The Australian Privacy Principles regulate the collection, use, disclosure, storage, access, correction, and security of personal information. Think Psyc is also guided by professional obligations relating to confidentiality, record keeping, informed consent, and the ethical management of client information.
1. Personal information collected by Think Psyc
Think Psyc collects personal information that is reasonably necessary to provide psychological assessment, treatment, consultation, reporting, and related administrative services.
The personal information collected may include:
Because Think Psyc provides health services, much of the information collected is sensitive health information. Australian privacy law applies strict rules to how health service providers collect, use, disclose, and protect health information.
2. How personal information is collected
Think Psyc may collect personal information in several ways, including when:
Where possible, Think Psyc will collect personal information directly from you. In some circumstances, information may be collected from another person or organisation, such as a referrer, treating professional, parent, guardian, legal representative, insurer, or support coordinator.
3. Purpose of collecting and holding personal information
Think Psyc collects, holds, uses, and records personal information for the purpose of providing psychological services. This includes:
Psychologists are required to keep clear, accurate, and adequate records as part of their professional obligations. If you do not wish to provide personal information that is necessary for the service, Think Psyc may be unable to provide psychological services to you.
4. Storage and security of personal information
Think Psyc takes reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, unauthorised modification, and unauthorised disclosure. The OAIC identifies secure handling and storage of health information as a core privacy obligation for health service providers.
Client information is stored securely and is accessed only by your psychologist and authorised staff or service providers as required for the operation of the practice. Think Psyc uses Zanda Health, a secure electronic practice management system. Think Psyc may use AI-assisted note-taking features within Zanda Health for clinical documentation purposes. This will only occur with your consent, and any AI-generated notes will be reviewed by your psychologist before being saved to your clinical record.
From time to time, Think Psyc may use psychological assessment platforms or registered test providers such as NovoPsych, Pearson Clinical, Multi-Health Systems, and Psychological Assessments Australia. Where these systems are used, client information is entered only as required for assessment, scoring, reporting, or clinical service delivery.
Think Psyc uses reasonable data protection measures, which may include:
Clients are asked to be aware that email and SMS may not always be fully secure forms of communication. Think Psyc will take reasonable steps to reduce privacy risks, but cannot guarantee the security of all electronic communications once transmitted outside practice systems.
5. Confidentiality
Information gathered by Think Psyc will remain confidential except in circumstances where disclosure is permitted, required, or authorised.
In most circumstances, information will only be shared with your consent. Think Psyc may ask for your consent to share information with:
Where information is shared with consent, Think Psyc will seek to limit the information disclosed to what is relevant and necessary for the agreed purpose.
6. Supervision and professional consultation
Psychologists are required to consult with professional colleagues and supervisors from time to time. This may occur for the purpose of maintaining professional standards, improving clinical care, managing risk, or meeting registration requirements.
Where client information is discussed in supervision or professional consultation, Think Psyc will take reasonable steps to de-identify the information unless identifying information is necessary for the consultation, the client has consented, or disclosure is otherwise authorised or required by law.
7. Exceptions to confidentiality
There are circumstances where Think Psyc may disclose personal information without consent. These include:
Think Psyc will only disclose information without consent where there is a lawful, ethical, or professional basis for doing so.
8. Use of third-party systems and service providers
Think Psyc may use third-party systems or providers to support service delivery, administration, billing, document storage, psychological testing, communication, or practice management. Where third-party providers are used, Think Psyc will take reasonable steps to ensure that providers are reputable and have appropriate privacy and data protection arrangements. This may include considering whether the provider complies with Australian privacy requirements, uses secure systems, and limits access to information.
Examples of systems or providers that may be used include:
9. Use of AI-assisted note taking
Think Psyc may use AI-assisted note-taking tools available through Zanda Health to assist with clinical documentation. This may involve the use of secure transcription technology to help generate draft session notes from information discussed during psychological consultations. AI-assisted notes are used only for the purpose of supporting accurate and timely clinical record keeping. They do not replace the psychologist’s clinical judgment, assessment, decision-making, or responsibility for maintaining appropriate client records.
Where AI-assisted note taking is used:
If you have questions or concerns about the use of AI-assisted note taking, please discuss this with your psychologist.
10. Telehealth and electronic communication
Think Psyc may provide services by telehealth where clinically appropriate. Clients are responsible for ensuring they are in a private and safe location when participating in telehealth sessions.
To protect confidentiality during telehealth, clients are encouraged to:
Think Psyc will also take reasonable steps to conduct telehealth sessions from a private location and to use appropriate systems for online consultations.
11. Access to personal information
You may request access to personal information held about you by Think Psyc. Australian privacy law gives individuals a general right to request access to health information held by a health service provider.
Requests for access should be made in writing to Think Psyc. Think Psyc will respond to written requests within 30 days, unless a shorter or longer timeframe applies under relevant legislation.
Access may be provided by giving you a copy of the relevant information, arranging for you to inspect the information, providing a summary, or discussing the information with you in an appointment.
There may be circumstances where access is refused or limited, including where providing access would:
If access is refused or limited, Think Psyc will provide reasons where appropriate and explain available options for review or complaint.
12. Correction of personal information
You may request correction of personal information held about you if you believe it is inaccurate, out of date, incomplete, irrelevant, or misleading. If Think Psyc is satisfied that the information requires correction, reasonable steps will be taken to correct the information. If Think Psyc does not agree to make the requested correction, you may request that a statement be added to your file noting that you disagree with the information. The OAIC identifies correction of personal information as part of the Australian Privacy Principles framework.
13. Retention and disposal of records
Think Psyc retains client records in accordance with legal, professional, ethical, and insurance obligations. Records are kept securely for the required retention period. When records are no longer required to be retained, Think Psyc will take reasonable steps to securely destroy or de-identify them, subject to legal, professional, insurance, and clinical requirements.
14. Data breach policy
A data breach occurs when personal information held by Think Psyc is lost, accessed without authorisation, disclosed without authorisation, or otherwise compromised. The OAIC defines a data breach as unauthorised access to, disclosure of, or loss of personal information.
Examples of a data breach may include:
Think Psyc will take all reasonable steps to prevent data breaches. However, if a suspected or actual data breach occurs, Think Psyc will activate its data breach response process.
15. Data breach response and action plan
If Think Psyc becomes aware of a suspected or actual data breach, the following steps will be taken.
Step 1: Contain the breach
Think Psyc will take immediate steps to limit further access, disclosure, loss, or compromise of the affected information.
This may include:
The health service provider data breach action plan recommends immediate containment steps such as stopping the unauthorised practice, recovering records, changing passwords, turning on two-factor authentication, recalling unread emails, changing computer access privileges, and disconnecting internet connectivity where needed.
Step 2: Evaluate the breach
Think Psyc will assess the breach to determine:
Serious harm may include physical, psychological, emotional, financial, or reputational harm. The attached health service provider action plan specifically identifies these forms of harm as relevant when assessing whether a breach is likely to result in serious harm. Where necessary, Think Psyc will seek advice from its professional indemnity insurer, legal advisor, IT provider, the OAIC, Services Australia, or other relevant authority.
Step 3: Notify relevant parties where required
If Think Psyc determines that an eligible data breach has occurred, Think Psyc will notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable.
Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC about data breaches that are likely to cause serious harm. Notification to affected individuals should include a description of the breach, the type of information involved, and recommendations about steps the person should take in response. If a breach relates to the My Health Record system, Think Psyc will notify the Australian Digital Health Agency and the OAIC as required. The action plan states that all data breaches related to the My Health Record system must be reported.
If the affected data contains Medicare, Centrelink, or Child Support information, Think Psyc will consider contacting Services Australia for guidance and assistance. The action plan identifies Services Australia as the relevant contact for Medicare, Centrelink, and Child Support information concerns.
Step 4: Review and prevent recurrence
After a data breach, Think Psyc will review the incident and take reasonable steps to reduce the likelihood of a similar breach occurring in the future.
This may include:
The health service provider action plan recommends investigating the cause of the breach, developing a prevention and response plan, conducting audits, strengthening security practices, reviewing policies and procedures, and revising staff training.
16. Data breach record keeping
Think Psyc will keep an internal record of suspected and actual data breaches. This may include:
Keeping a clear record assists Think Psyc to demonstrate that the incident was assessed, managed, and reviewed appropriately.
17. Concerns or complaints
If you have concerns about how Think Psyc has handled your personal information, you are encouraged to raise this with your psychologist or Think Psyc administration staff. Think Psyc will take privacy concerns seriously and will attempt to resolve concerns promptly and respectfully. If you are not satisfied with the response, you may lodge a complaint with the Office of the Australian Information Commissioner.
Office of the Australian Information Commissioner
1300 363 992
https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us
GPO Box 5288, Sydney NSW 2001
18. Review
Think Psyc will review this policy periodically and update it as required to reflect changes in privacy law, professional standards, technology, practice procedures, or regulatory guidance.
Copyright © 2026 Think Psyc - All Rights Reserved.