Privacy Policy

Lily Vesty Occupational Therapy (ABN: 59 596 271 930) respects your privacy. We understand that health, disability, developmental, family and personal information can be highly sensitive. We aim to handle information carefully, respectfully and transparently, and to collect only what is reasonably needed to provide and manage our services.

About this policy

This Privacy Policy explains how Lily Vesty Occupational Therapy (“the practice”, “we”, “us” or “our”) collects, holds, uses, discloses, protects, accesses and corrects personal information and health information.

It applies to:

  • website visitors and people making an enquiry;

  • prospective and current clients;

  • NDIS participants and private or Medicare-funded clients;

  • children, adolescents and adults who receive services;

  • parents, guardians, carers, nominees and authorised representatives;

  • support coordinators, referrers and other people who communicate with the practice; and

  • other people whose information is reasonably included in a client’s records.

It covers information collected through the website and other administrative contact, as well as information collected during assessment, therapy, consultation, report writing, home or community visits, school or kindergarten visits and telehealth.

This policy is separate from clinical consent, an NDIS service agreement, a Medicare referral, consent to share information, media consent and the specific collection notices presented when information is collected.

Privacy laws and professional obligations

As a private health service provider, the practice is generally covered by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including where the practice operates as a small business. Victorian health information is also handled in accordance with the Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs).

The practice also considers applicable occupational therapy professional and ethical obligations, Medicare and NDIS requirements, record-keeping obligations, insurer requirements, safeguarding duties and other laws that apply to the particular circumstances.

What information we may collect

The information collected depends on the person, the service requested and the funding arrangement. We do not collect every category from every person.

General personal information

This may include:

  • name, preferred name and pronouns;

  • date of birth and age;

  • residential or service address;

  • email address and telephone number;

  • preferred communication method and accessibility requirements;

  • emergency contact details;

  • parent, guardian, carer, nominee or authorised-representative details;

  • relationship and decision-making authority information;

  • language, cultural or communication information relevant to accessible services; and

  • identity documents or authority evidence where reasonably needed.

Health and sensitive information

This may include:

  • health conditions, diagnoses and developmental history;

  • disability, neurotype and functional information;

  • medical and mental-health history relevant to services;

  • medications, allergies, safety needs and risk information;

  • sensory preferences and processing information;

  • emotional regulation, communication and behavioural information;

  • assessment results, observations and clinical reasoning;

  • therapy goals, plans, progress notes and outcomes;

  • Functional Capacity Assessments, recommendations and reports;

  • family, social, educational, occupational and environmental information relevant to participation;

  • school, kindergarten, childcare, work or community participation information;

  • information about wellbeing, safeguarding or serious risks;

  • referrals, reports and correspondence from other professionals; and

  • photographs, video or audio only when clinically necessary and appropriately authorised or separately consented to.

Funding, billing and administrative information

This may include:

  • NDIS participant number, plan dates, goals and funding-management details;

  • details needed to verify an NDIS plan or process a payment or claim;

  • Medicare details, referral information and claiming information where applicable;

  • private health insurer details where applicable;

  • service agreements, consent records and authorised contacts;

  • appointment history and attendance information;

  • invoices, payments, refunds and debt-management information;

  • bank or payment transaction information provided by a payment processor; and

  • information required for taxation, insurance, auditing or regulatory purposes.

Website and technical information

When you use the website, the practice and its service providers may collect:

  • IP address;

  • browser, operating system and device information;

  • pages viewed, links used and time spent on pages;

  • referring website or search source;

  • approximate location inferred from technical information;

  • cookie identifiers and analytics events; and

  • information entered into an enquiry or contact form.

How we collect information

We usually collect information directly from you or from a parent, guardian or authorised representative. We may collect information:

  • through website contact or enquiry forms;

  • by email, telephone, SMS or other agreed communication;

  • during intake, consent and service-agreement processes;

  • during assessment, therapy, consultation, observation and report preparation;

  • through telehealth and in-person sessions;

  • from information or documents you provide;

  • from a parent, guardian, carer, nominee or authorised representative;

  • from a referring doctor or other health professional;

  • from allied health, mental-health or disability providers;

  • from schools, kindergartens, childcare services, employers or community organisations;

  • from support coordinators or plan managers;

  • from the NDIA, Services Australia, Medicare or another government body where applicable and authorised;

  • from a previous provider when records are transferred; and

  • automatically through website cookies and related technology.

We may collect information from publicly available sources only where this is lawful, appropriate and reasonably necessary for our functions.

Before seeking information from another person or organisation, we will generally obtain appropriate consent or verify another lawful authority. In urgent, safeguarding or legally authorised circumstances, information may be collected without prior consent where the law permits or requires it.

Why we collect, use and hold information

We may collect, use and hold information to:

  • respond to enquiries and arrange an initial discussion;

  • determine whether our services are suitable, safe and within scope;

  • verify identity, authority and consent;

  • provide occupational therapy assessment, intervention, consultation and care planning;

  • understand strengths, preferences, goals, support needs and functional participation;

  • prepare reports, recommendations and supporting documentation;

  • communicate with you and people you have authorised;

  • coordinate care and multidisciplinary supports;

  • plan home, school, kindergarten, work, community or telehealth services;

  • manage appointments, waitlists, cancellations and reminders;

  • create and maintain accurate clinical and administrative records;

  • invoice, receive payment and administer Medicare or NDIS arrangements where applicable;

  • respond to complaints, incidents, safeguarding concerns and insurance matters;

  • manage clinical quality, supervision, audit and service improvement;

  • comply with legal, professional, contractual, taxation, insurance and record-retention obligations;

  • protect the safety of clients, staff or others where action is legally permitted or required;

  • operate, secure and improve the website; and

  • send practice news or marketing only where permitted and, where required, with consent.

We generally use or disclose information for the purpose for which it was collected, or for a directly related secondary purpose that you would reasonably expect. We may also use or disclose information with consent, or where authorised or required by law.

Children, adolescents and families

Many clients are children or adolescents. Information is often provided by a parent or legal guardian, but the child or young person is the person receiving the health service and has privacy interests of their own.

We aim to involve children and adolescents in privacy, consent and information-sharing discussions in a way that suits their age, communication preferences, understanding, capacity and circumstances. We will use accessible, respectful and neurodiversity-affirming communication wherever practicable.

When deciding who may consent, receive information or access records, we may consider:

  • the young person’s capacity and understanding;

  • their views, preferences and wellbeing;

  • the nature and sensitivity of the information;

  • parental responsibility or guardianship;

  • current written authorities and consent arrangements;

  • relevant court orders, parenting orders or safety plans;

  • the privacy and safety of the young person and other people; and

  • applicable law and professional obligations.

Being a parent or guardian does not necessarily mean that every piece of information can always be disclosed without considering the young person’s rights, capacity, wishes, safety and the particular circumstances.

Where parents are separated, we may ask for evidence of parental responsibility, guardianship, decision-making authority, court orders or other arrangements. We will not attempt to resolve family-law disputes and may pause non-urgent disclosures until authority is clarified.

This policy does not replace individual clinical consent, assent, service agreements or information-sharing plans.

When we may disclose information

Where reasonably necessary for the relevant purpose, and with consent or another lawful basis, information may be disclosed to:

  • parents, guardians, nominees, carers and authorised representatives;

  • referring general practitioners, paediatricians and medical specialists;

  • occupational therapists and other allied health professionals;

  • psychologists, counsellors and mental-health professionals;

  • schools, kindergartens, childcare services and relevant education staff;

  • support coordinators, recovery coaches and plan managers;

  • other NDIS providers and the NDIA or NDIS-related government bodies;

  • Services Australia and Medicare;

  • private health insurers, professional indemnity insurers or other insurers;

  • accountants, bookkeepers, auditors and professional advisers;

  • practice-management, cloud-storage, email, website, telehealth, IT and cybersecurity providers;

  • appointment, payment and accounting providers;

  • lawyers, courts, tribunals, regulators and law-enforcement bodies where required or authorised;

  • emergency services;

  • child-protection, safeguarding or reportable-conduct bodies where reporting or disclosure is required or authorised; and

  • another healthcare provider for transfer or continuity of care at your request or with appropriate authority.

We aim to disclose only the information reasonably necessary for the relevant purpose. A recipient may have its own privacy obligations and privacy policy.

Information may also be used or disclosed without consent where the law requires or authorises this, including in some circumstances involving a serious threat, safeguarding, legal proceedings, regulatory reporting, law enforcement or the defence of a legal or insurance claim. These exceptions are applied cautiously and according to the circumstances.

Consent and information-sharing preferences

Consent may be recorded in writing, electronically or verbally where appropriate. For sensitive or ongoing information sharing, we will generally record:

  • who may receive information;

  • the type of information that may be shared;

  • the purpose of sharing;

  • any limits or exclusions; and

  • the duration of the authority where relevant.

You may ask to limit consent to certain people, purposes or timeframes. You may also change or withdraw consent for future collection, use or disclosure by contacting us. Withdrawal does not generally affect actions already taken with valid consent.

Withdrawing or limiting consent may affect our ability to provide a safe service, coordinate care, prepare a requested report, communicate with a funder or process a claim. We will explain the practical effect where possible.

Some collection, use or disclosure may still occur without consent where required or authorised by law.

We will record authorised contacts, preferred communication methods and important restrictions in the client’s record. Please tell us promptly if these details change.

Third-party systems and service providers

The practice may use third-party providers for website hosting, enquiry forms, email, appointments, clinical records, telehealth, cloud storage, accounting, payments, analytics and NDIS or Medicare administration.

These providers may process personal information on our behalf or receive information to perform their own regulated function. We aim to select suitable services, limit the information provided, use appropriate account settings and review available privacy and security information. However, each provider also operates under its own terms and privacy practices.

Website cookies and analytics

A cookie is a small data file stored on a browser or device. Cookies can support essential website functions, remember choices, protect security and provide information about how a website is used.

Squarespace may use cookies that are necessary for the website to work. If enabled, analytics tools such as Google Analytics may use additional cookies or similar identifiers to collect information about page visits, device and browser characteristics, referral sources, interactions and approximate location.

Visitors can use the website’s cookie controls, where available, or browser settings to block or delete cookies. Blocking cookies may affect some website functions.

Contact and enquiry forms

Please avoid including unnecessary diagnoses, reports or detailed health information in an initial public website enquiry. We may ask you to provide sensitive information later through a more suitable intake or clinical-record process.

Submitting an enquiry does not automatically create a therapist-client relationship, guarantee availability or mean that the practice has accepted a referral. A clinical relationship begins only after suitability, capacity, consent and service arrangements have been confirmed.

Ordinary website forms and email should not be used for urgent or crisis support. The website and enquiry inbox are not monitored as an emergency or crisis service. In an emergency, contact emergency services or an appropriate urgent support service.

Storage and security

We take reasonable steps to protect personal and health information from misuse, interference, loss and unauthorised access, modification or disclosure. The safeguards used depend on the type of information, the system and the risks involved.

Safeguards may include appropriately configured business systems, access controls, passwords, multi-factor authentication, device security, encryption where supported, backups, software updates, secure disposal, confidentiality obligations and physical protection of paper records.

No electronic or physical system can be guaranteed to be completely secure. If information is sent by email, SMS or another electronic method, risks may include interception, incorrect addressing, compromised accounts or access by other people who use the same device.

Email, SMS, telephone and telehealth

We may communicate by email, SMS, telephone or telehealth when this is reasonably necessary and consistent with your preferences. Electronic communication carries privacy and security risks, and we take reasonable precautions appropriate to the communication.

Please tell us if:

  • a particular method should not be used;

  • messages should not identify the practice or service;

  • another person may access your phone, voicemail or email;

  • there are safety concerns about shared devices or accounts; or

  • contact details change.

We may confirm identity or authority before discussing sensitive information. We may also move a conversation from ordinary email or a website form to a more suitable system.

Clients and families should use a reasonably private location and a secure device where practicable. We will discuss practical alternatives if privacy at home is difficult.

Retention and destruction of records

Victorian law requires a private health service provider to retain health information for minimum periods. The practice will generally keep:

  • adult records: for at least seven years after the person was last provided with a health service; and

  • records of a person last treated while under 18: until that person reaches 25 years of age.

Records may be kept longer where reasonably required by another law, a Medicare or NDIS requirement, professional or insurer guidance, taxation rules, safeguarding needs, a complaint, anticipated or current legal proceedings, or another legitimate record-keeping obligation.

When information is no longer required and lawful retention periods have ended, we will take reasonable steps to securely destroy it or permanently de-identify it, subject to any continuing legal hold or obligation.

If the practice closes, is sold or transfers its records, we will follow applicable Victorian requirements for notice, secure custody, client access and continuity of care. Records will not simply be abandoned or deleted because services stop.

Accessing personal and health information

You may request access to personal or health information we hold about you. An authorised representative may also request access where they provide appropriate evidence of authority.

We may ask for the request in writing and will verify identity and authority before releasing information. Depending on what is appropriate, access may be provided by:

  • allowing inspection;

  • providing an electronic or paper copy;

  • providing an accurate summary where legally permitted; or

  • arranging access with an explanation from a health professional.

We will respond without unreasonable delay and within the time required by applicable law. Victorian guidance states that private health-record access requests should be responded to as quickly as possible and no later than 45 days. We aim to use a shorter internal target where practicable.

Access may be limited or refused only where the law permits or requires this. Examples can include a serious threat to a person’s life or health, unreasonable impact on another person’s privacy, information supplied in confidence by another person, legal privilege, unlawful disclosure or certain law-enforcement and repeated-request circumstances.

Where required, we will provide written reasons for a refusal or limitation and explain available review or complaint options.

Records may contain information about another person. We may redact or separate that information where necessary to protect their privacy.

A reasonable access or transfer charge may apply, but it will not exceed the current limits under the Victorian Health Records Regulations. We will explain any likely charge before proceeding. We do not charge for making a correction request.

Correcting information

Please tell us if information is inaccurate, incomplete, misleading or out of date. You may request correction by contacting the privacy contact.

We will take reasonable steps to keep information accurate, complete, current and relevant. Clinical records also need to preserve an accurate history. This means an original professional entry may not simply be erased.

If we agree that a correction is needed, we may add an amendment, clarification or later entry while preserving the original audit trail. Where required, we will take reasonable steps to notify another health service provider that received the incorrect information.

If we do not agree to amend a record, you may provide a written statement describing the correction you seek. Where legally appropriate, that statement will be kept with the record. We will provide reasons and complaint information where required.

Transferring records

You may ask us to make relevant health information available to another health service provider. We will verify your identity, authority and the recipient’s details before transfer.

We will usually transfer only information reasonably needed for continuity of care or the purpose you specify. Secure transfer methods will be used where reasonably available.

A transfer does not necessarily mean that our copy is deleted. We may need to retain a copy to meet legal, insurance and professional obligations.

Any administrative charge will be limited to what is legally permitted and will be explained in advance.

Anonymity and pseudonyms

You may browse the general website without identifying yourself, subject to the technical information collected automatically by the website platform and any permitted analytics tools.

An initial enquiry may sometimes be made without providing full identifying information. However, accurate identity and contact details are usually required before clinical services can be provided. This supports safe care, emergency planning, clinical records, consent, invoices, claims and legal obligations.

We will explain where anonymity or a pseudonym is not practicable or lawful.

Direct marketing

If the practice sends optional newsletters, service updates or promotional information, we will do so only where permitted. We will provide a practical way to unsubscribe from marketing messages.

Sensitive health information will not be used for direct marketing without appropriate consent.

Appointment reminders, service updates, requested information and necessary clinical or billing communications are not direct marketing.

Photographs, recordings, testimonials and case examples

We will seek separate, specific and informed consent before using an identifiable client photograph, recording, testimonial, quotation or story for marketing, education, social media, website content or public presentation.

Refusing marketing or publication consent will not affect access to clinical services.

Consent for clinical care does not automatically authorise public or promotional use. Consent may be limited to a particular image, purpose, audience, platform or period.

Consent may be withdrawn for future use. We will stop new use where reasonably practicable, but material already lawfully printed, downloaded, shared or distributed may not always be fully retrievable.

Case examples described as de-identified must be genuinely de-identified. Removing a name alone may not be sufficient where other details could reasonably identify the person or family.

Data breaches

A data breach can occur when personal information is lost, accessed, changed or disclosed without authorisation. Examples include sending a report to the wrong person, a compromised email account, a lost unlocked device or unauthorised access to a clinical system.

If we suspect a breach, we will take reasonable steps to:

1. contain the incident and protect information;

2. assess what happened, what information is involved and who may be affected;

3. reduce or prevent potential harm;

4. document the response and improve controls; and

5. notify affected people, the Office of the Australian Information Commissioner or another regulator where the applicable legal threshold is met.

Under the Notifiable Data Breaches scheme, notification is required for an eligible data breach where serious harm is likely and remedial action has not removed that likelihood. Not every minor incident is legally notifiable, although we may communicate where it is appropriate to do so.

Privacy complaints

We welcome the opportunity to address privacy concerns directly.

1. Contact Lily Vesty Occupational Therapy using the privacy contact details below.

2. Provide enough information for us to understand what happened, when it happened, the information involved and the outcome you are seeking.

3. We will acknowledge and investigate the concern within a reasonable timeframe. We may ask for further information or verify identity and authority.

4. We will explain the outcome, any action taken and available next steps.

5. If the matter remains unresolved, you may contact the regulator most relevant to the issue.

Possible external complaint pathways include:

  • Office of the Australian Information Commissioner (OAIC): for complaints under the Privacy Act and Australian Privacy Principles. The OAIC generally expects you to complain to the organisation first and allow it a reasonable opportunity to respond.

  • Victorian Health Complaints Commissioner (HCC): for concerns about a Victorian health service or the handling of health information under the Health Records Act.

  • NDIS Quality and Safeguards Commission: where the concern relates to the quality, safety, privacy or conduct of NDIS supports or a provider or worker within its jurisdiction.

You do not need to complain to every regulator. The appropriate pathway depends on the issue.

External links

The website may link to other websites, government services, professional resources or social-media pages. Those services are responsible for their own privacy practices. We are not responsible for the privacy, security or content of a third-party website merely because we provide a link to it.

Changes to this policy

We may update this policy when laws, services, technology or information-handling practices change. The current version will be published on the website and will show its effective or last-reviewed date.

We plan to review the policy at least annually and sooner after a material change, such as adding a new clinical system, telehealth platform, payment provider, analytics tool, staff member or service type.