Think Psyc
Think Psyc
  • Home
  • About Us
  • Fees
  • FAQs
  • Resources
  • COVID-19
  • Contact Us
  • Privacy & Data Protection
  • More
    • Home
    • About Us
    • Fees
    • FAQs
    • Resources
    • COVID-19
    • Contact Us
    • Privacy & Data Protection
  • Home
  • About Us
  • Fees
  • FAQs
  • Resources
  • COVID-19
  • Contact Us
  • Privacy & Data Protection

Privacy & Data Management

Think Psyc is committed to protecting client privacy and confidentiality. The psychological services provided by Think Psyc are bound by the legal requirements of the Privacy Act 1988 (Cth), including the Australian Privacy Principles, and relevant state and territory privacy and health records legislation where applicable. The Australian Privacy Principles regulate the collection, use, disclosure, storage, access, correction, and security of personal information. Think Psyc is also guided by professional obligations relating to confidentiality, record keeping, informed consent, and the ethical management of client information.


1. Personal information collected by Think Psyc

Think Psyc collects personal information that is reasonably necessary to provide psychological assessment, treatment, consultation, reporting, and related administrative services.

The personal information collected may include:

  • name, date of birth, address, phone number, email address, and emergency contact details; 
  • Medicare, private health insurance, NDIS, WorkCover, insurer, legal, or funding      information where relevant; 
  • referral information from a GP, psychiatrist, lawyer, insurer, employer, NDIS provider, or other third party; 
  • relevant medical, psychological, developmental, family, social, occupational, educational, legal, or forensic history; 
  • information provided during psychological sessions. 
  • Think Psyc may use AI-assisted note-taking features within Zanda Health for clinical documentation purposes. This will only occur with your consent, and any AI-generated notes will be reviewed by your psychologist before being saved to your clinical record.
  • psychological test results, questionnaires, scoring forms, clinical observations, treatment plans, reports, and correspondence; 
  • information received from other professionals, agencies, family members, carers, or support persons, where relevant and with appropriate consent or legal authority. 


Because Think Psyc provides health services, much of the information collected is sensitive health information. Australian privacy law applies strict rules to how health service providers collect, use, disclose, and protect health information. 


2.  How personal information is collected

Think Psyc may collect personal information in several ways, including when:

  • you provide information directly to your psychologist during sessions; 
  • you complete forms, questionnaires, consent documents, emails, text messages, or  written correspondence; 
  • you speak with Think Psyc administration staff; 
  • a GP, psychiatrist, allied health provider, hospital, lawyer, insurer, employer, NDIS provider, WorkCover provider, or other agency provides information to Think Psyc; 
  • information is required to complete psychological testing, assessment, reporting, billing, or service coordination. 
  • Think Psyc may use AI-assisted note-taking features within Zanda Health for clinical documentation purposes. This will only occur with your consent, and any AI-generated notes will be reviewed by your psychologist before being saved to your clinical record.


Where possible, Think Psyc will collect personal information directly from you. In some circumstances, information may be collected from another person or organisation, such as a referrer, treating professional, parent, guardian, legal representative, insurer, or support coordinator.


3.  Purpose of collecting and holding personal information

Think Psyc collects, holds, uses, and records personal information for the purpose of providing psychological services. This includes:

  • assessing your needs and suitability for psychological services; 
  • providing psychological assessment, treatment, intervention, consultation, and review; 
  • preparing treatment plans, letters, reports, and clinical records; 
  • communicating with referrers, treating practitioners, legal representatives, insurers,      NDIS providers, or other relevant parties where consent or lawful authority exists; 
  • managing appointments, billing, rebates, accounts, and administrative matters; 
  • meeting professional, ethical, legal, regulatory, and record-keeping obligations; 
  • responding to subpoenas, court orders, mandatory reporting obligations, or serious risk concerns where required or authorised by law. 


Psychologists are required to keep clear, accurate, and adequate records as part of their professional obligations. If you do not wish to provide personal information that is necessary for  the service, Think Psyc may be unable to provide psychological services to you.


4. Storage and security of personal information

Think Psyc takes reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, unauthorised modification, and unauthorised disclosure. The OAIC  identifies secure handling and storage of health information as a core privacy obligation for health service providers. 


Client information is stored securely and is accessed only by your psychologist and authorised staff or service providers as required for the operation of the practice. Think Psyc uses Zanda Health, a secure electronic practice management system. Think Psyc may use AI-assisted note-taking features within Zanda Health for clinical documentation purposes. This will only occur with your  consent, and any AI-generated notes will be reviewed by your psychologist before being saved to your clinical record. 


From time to time, Think Psyc may use psychological assessment platforms or registered test providers such as NovoPsych, Pearson Clinical, Multi-Health Systems, and Psychological Assessments Australia. Where these systems are used, client information is entered only as required for assessment, scoring, reporting, or clinical service delivery.


Think Psyc uses reasonable data protection measures, which may include:

  • password-protected systems and devices; 
  • secure practice management software; 
  • access controls for staff and authorised users; 
  • secure storage of electronic and paper records; 
  • limiting access to information to those who need it for their role; 
  • use of secure communication methods where possible; 
  • care when sending emails, reports, and other documents; 
  • secure disposal of records when legally and professionally appropriate; 
  • review of privacy and data protection procedures. 


Clients are asked to be aware that email and SMS may not always be fully secure forms of communication. Think Psyc will take reasonable steps to reduce privacy risks, but cannot  guarantee the security of all electronic communications once transmitted outside practice systems.


5.  Confidentiality

Information gathered by Think Psyc will remain confidential except in circumstances where  disclosure is permitted, required, or authorised.


In most circumstances, information will only be shared with your consent. Think Psyc may ask for your consent to share information with:

  • your GP, psychiatrist, or other treating health practitioner; 
  • a family member, guardian, carer, or support person; 
  • NDIS providers, support coordinators, insurers, WorkCover, or other agencies funding or involved in your care; 
  • a lawyer, court, employer, school, or other third party where relevant to the purpose of the referral; 
  • another professional or agency for the purpose of assessment, treatment, support, reporting, or case coordination. 


Where information is shared with consent, Think Psyc will seek to limit the information disclosed to what is relevant and necessary for the agreed purpose.


6. Supervision and professional consultation

Psychologists are required to consult with professional colleagues and supervisors from time to time. This may occur for the purpose of maintaining professional standards, improving clinical care, managing risk, or meeting registration requirements.


Where client information is discussed in supervision or professional consultation, Think Psyc will take reasonable steps to de-identify the information unless identifying information is necessary for the consultation, the client has consented, or disclosure is otherwise authorised or required by law.


7.  Exceptions to confidentiality

There are circumstances where Think Psyc may disclose personal information without consent. These include:

  • where disclosure is required or authorised by law; 
  • where a court, tribunal, or other lawful authority requires information, such as by subpoena or court order; 
  • where mandatory reporting obligations apply, including concerns relating to child protection or other legally mandated reports; 
  • where there is a serious risk of harm to you or another person; 
  • where disclosure is necessary to lessen or prevent a serious threat to life, health, or safety; 
  • where disclosure is necessary for legal, regulatory, professional indemnity, or complaint management purposes; 
  • where otherwise permitted under relevant privacy, health records, or professional legislation. 


Think Psyc will only disclose information without consent where there is a lawful, ethical, or professional basis for doing so.


8. Use of third-party systems and service providers

Think Psyc may use third-party systems or providers to support service delivery, administration, billing, document storage, psychological testing, communication, or practice management. Where third-party providers are used, Think Psyc will take reasonable steps to ensure that providers are reputable and have appropriate privacy and data protection arrangements. This may include considering whether the provider complies with Australian privacy requirements, uses secure  systems, and limits access to information.


Examples of systems or providers that may be used include:

  • practice management software; 
  • secure telehealth platforms; 
  • psychological assessment and scoring platforms; 
  • billing and payment systems; 
  • professional transcription, administration, or IT support services where required; 
  • secure document storage or backup systems. 


9. Use of AI-assisted note taking

Think Psyc may use AI-assisted note-taking tools available through Zanda Health to assist with clinical documentation. This may involve the use of secure transcription technology to help generate draft session notes from information discussed during psychological consultations. AI-assisted notes are used only for the purpose of supporting accurate and timely clinical record keeping. They do not replace the psychologist’s clinical judgment, assessment, decision-making, or responsibility for maintaining appropriate client records.


Where AI-assisted note taking is used:

  • your consent will be sought before the tool is used during a session; 
  • the tool will only be used for clinical documentation purposes; 
  • the psychologist will review and edit any AI-generated notes before they are finalised in your clinical record; 
  • information will not be entered into publicly available AI tools, such as general-purpose AI chatbots;
  • Think Psyc will take reasonable steps to ensure that any AI transcription or note-taking system used is secure, privacy-compliant, and appropriate for handling sensitive health information; 
  • you may decline the use of AI-assisted note taking, and this will not affect your ability to receive psychological services from Think Psyc. 


If you have questions or concerns about the use of AI-assisted note taking, please discuss this with your psychologist.


10. Telehealth and electronic communication

Think Psyc may provide services by telehealth where clinically appropriate. Clients are responsible for ensuring they are in a private and safe location when participating in telehealth sessions.

To protect confidentiality during telehealth, clients are encouraged to:

  • use a private room where they cannot be overheard; 
  • use headphones where possible; 
  • avoid joining sessions from public places; 
  • use a secure internet connection rather than public Wi-Fi where possible; 
  • inform the psychologist if anyone else is present or may overhear the session. 


Think Psyc will also take reasonable steps to conduct telehealth sessions from a private location and to use appropriate systems for online consultations.


11. Access to personal information

You may request access to personal information held about you by Think Psyc. Australian privacy law gives individuals a general right to request access to health information held by a health service provider. 


Requests for access should be made in writing to Think Psyc. Think Psyc will respond to written requests within 30 days, unless a shorter or longer timeframe applies under relevant legislation.

Access may be provided by giving you a copy of the relevant information, arranging for you to inspect the information, providing a summary, or discussing the information with you in an appointment.


There may be circumstances where access is refused or limited, including where providing access would:

  • pose a serious threat to the life, health, or safety of any person; 
  • have an unreasonable impact on the privacy of another person; 
  • reveal information given in confidence by another person; 
  • prejudice legal proceedings or professional obligations; 
  • be otherwise restricted under the Privacy Act or other relevant law. 


If access is refused or limited, Think Psyc will provide reasons where appropriate and explain available options for review or complaint.


12. Correction of personal information

You may request correction of personal information held about you if you believe it is inaccurate, out of date, incomplete, irrelevant, or misleading. If Think Psyc is satisfied that the information requires correction, reasonable steps will be taken to correct the information. If Think Psyc does not agree to make the requested correction, you may request that a statement be added to your file noting that you disagree with the information. The OAIC identifies correction of personal information as part of the Australian Privacy Principles framework. 


13. Retention and disposal of records

Think Psyc retains client records in accordance with legal, professional, ethical, and insurance obligations. Records are kept securely for the required retention period. When records are no longer required to be retained, Think Psyc will take reasonable steps to securely destroy or de-identify them, subject to legal, professional, insurance, and clinical requirements.


14. Data breach policy

A data breach occurs when personal information held by Think Psyc is lost, accessed without authorisation, disclosed without authorisation, or otherwise compromised. The OAIC defines a data breach as unauthorised access to, disclosure of, or loss of personal information. 


Examples of a data breach may include:

  • an email or report being sent to the wrong recipient; 
  • a client file, notebook, laptop, phone, USB, or other device being lost or stolen; 
  • unauthorised access to practice management software or email; 
  • accidental disclosure of client information to another person; 
  • a cyber incident affecting client information; 
  • paper records being misplaced or disposed of insecurely; 
  • verbal disclosure of identifiable client information without consent or lawful authority. 


Think Psyc will take all reasonable steps to prevent data breaches. However, if a suspected or actual data breach occurs, Think Psyc will activate its data breach response process.


15. Data breach response and action plan

If Think Psyc becomes aware of a suspected or actual data breach, the following steps will be taken.


Step 1: Contain the breach

Think Psyc will take immediate steps to limit further access, disclosure, loss, or compromise of the affected information.

This may include:

  • recalling or correcting an email sent to the wrong recipient; 
  • contacting the unintended recipient and requesting deletion or return of information;      
  • changing passwords; 
  • enabling or reviewing two-factor authentication; 
  • restricting or changing access permissions; 
  • disconnecting affected systems if required; 
  • securing lost or exposed paper records; 
  • contacting IT support, the practice management software provider, insurer, or other professional support as required. 


The health service provider data breach action plan recommends immediate containment steps such as stopping the unauthorised practice, recovering records, changing passwords, turning on two-factor authentication, recalling unread emails, changing computer access privileges, and disconnecting internet connectivity where needed. 


Step 2: Evaluate the breach

Think Psyc will assess the breach to determine:

  • what information was involved; 
  • whose information was affected; 
  • whether the information was accessed, disclosed, lost, copied, altered, or misused; 
  • whether the information included sensitive health information; 
  • whether the breach is likely to result in serious harm; 
  • whether remedial action has removed the likelihood of serious harm; 
  • whether the breach involves My Health Record, Medicare, Centrelink, Child Support, or other government-held information; 
  • whether notification is required. 


Serious harm may include physical, psychological, emotional, financial, or reputational harm. The attached health service provider action plan specifically identifies these forms of harm as relevant when assessing whether a breach is likely to result in serious harm. Where necessary, Think Psyc will seek advice from its professional indemnity insurer, legal advisor, IT provider, the OAIC, Services Australia, or other relevant authority.


Step 3: Notify relevant parties where required

If Think Psyc determines that an eligible data breach has occurred, Think Psyc will notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable.

Under the Notifiable Data Breaches scheme, organisations covered by the Privacy Act must notify affected individuals and the OAIC about data breaches that are likely to cause serious harm.  Notification to affected individuals should include a description of the breach, the type of information involved, and recommendations about steps the person should take in response. If a breach relates to the My Health Record system, Think Psyc will notify the Australian Digital Health Agency and the OAIC as required. The action plan states that all data breaches related to the My Health Record system must be reported. 


If the affected data contains Medicare, Centrelink, or Child Support information, Think Psyc will consider contacting Services Australia for guidance and assistance. The action plan identifies Services Australia as the relevant contact for Medicare, Centrelink, and Child Support information concerns. 


Step 4: Review and prevent recurrence

After a data breach, Think Psyc will review the incident and take reasonable steps to reduce the likelihood of a similar breach occurring in the future.


This may include:

  • reviewing the cause of the breach; 
  • updating privacy and data protection policies; 
  • changing administrative or clinical processes; 
  • providing further staff training; 
  • reviewing access permissions; 
  • strengthening password, email, telehealth, or document-handling procedures; 
  • reviewing software or IT security arrangements; 
  • conducting follow-up audits to ensure changes have been implemented. 


The health service provider action plan recommends investigating the cause of the breach, developing a prevention and response plan, conducting audits, strengthening security practices, reviewing policies and procedures, and revising staff training. 


16. Data breach record keeping

Think Psyc will keep an internal record of suspected and actual data breaches. This may include:

  • the date and time the breach was identified; 
  • the nature of the breach; 
  • the information involved; 
  • the individuals affected; 
  • immediate containment steps taken; 
  • assessment of likely serious harm; 
  • advice sought; 
  • whether notification was required; 
  • notifications made; 
  • remedial action taken; 
  • steps implemented to prevent recurrence. 


Keeping a clear record assists Think Psyc to demonstrate that the incident was assessed, managed, and reviewed appropriately.


17. Concerns or complaints

If you have concerns about how Think Psyc has handled your personal information, you are encouraged to raise this with your psychologist or Think Psyc administration staff. Think Psyc will take privacy concerns seriously and will attempt to resolve concerns promptly and respectfully. If you are not satisfied with the response, you may lodge a complaint with the Office of the Australian Information Commissioner.


Office of the Australian Information Commissioner
1300 363 992
https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us
GPO Box 5288, Sydney NSW 2001


18. Review 

Think Psyc will review this policy periodically and update it as required to reflect changes in privacy law, professional standards, technology, practice procedures, or regulatory guidance.

Copyright © 2026 Think Psyc - All Rights Reserved.

  • Home
  • About Us
  • Fees
  • FAQs
  • Resources
  • COVID-19
  • Contact Us
  • Privacy & Data Protection

Powered by

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

DeclineAccept