Privacy Policy

Mindful Expressions Studio (me-studio)

Effective Date: 1st July 2025


1. Purpose


Mindful Expressions Studio (me-studio) is committed to protecting the privacy and confidentiality of our clients' personal and health information. This policy outlines how we manage your personal information in compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the My Health Records Act 2012, and, where applicable, Queensland’s Information Privacy Act 2009 (Qld) and the Health Ombudsman Act 2013 (Qld).


2. Collection of Personal Information


We collect personal information necessary to provide psychological services safely and effectively. This may include:

  • Full name, date of birth, and contact details
  • Medicare, NDIS, private health insurance, or third-party funding information
  • Referral, clinical, psychosocial, and developmental history
  • Relevant legal, educational, or employment-related information
  • Sensitive information including health records, cultural background, gender identity, and information related to vulnerable persons


Information is typically collected directly from you. With your consent, it may also be collected from third parties such as referring practitioners, support coordinators, educators, case managers, or through digital engagement (e.g., website forms).


We also collect limited metadata (e.g., device type, access time, and usage patterns) for quality assurance and troubleshooting. This data is de-identified and cannot be used to identify you.


3. Use and Disclosure of Personal Information


Your personal information is used to:

  • Deliver psychological assessments and interventions
  • Coordinate services with third parties (e.g., GPs, NDIS providers, schools) with appropriate consent
  • Meet clinical, administrative, and legal obligations
  • Support supervision, quality assurance, and evaluation (in de-identified form only)
  • Process payments and manage appointments
  • Respond to lawful requests or legal obligations


Information is not shared without your consent unless:

  • There is a serious and imminent risk to you or others
  • Disclosure is required or authorised by law (e.g., court orders, mandatory reporting)
  • Disclosure is necessary for public safety or legal compliance


We may share information with:

  • Medicare, private health insurers, and funding bodies such as the NDIS
  • Our administrative and technology providers, under strict confidentiality agreements
  • Referring health professionals or service partners involved in your care, with consent


4. Storage, Security, and Retention of Information


We take reasonable steps to protect your personal information from misuse, loss, unauthorised access, modification, or disclosure:

  • Encrypted, password-protected electronic records
  • Secure physical storage for paper files
  • Access restricted to authorised staff on a need-to-know basis
  • Periodic security reviews of third-party systems


Some data may be stored with secure cloud-based services, including those hosted offshore. We ensure these providers adhere to privacy obligations and data protection standards.


Client records are retained for a minimum of 7 years following the last interaction, or until the client reaches 25 years of age (if under 18 at the time of last service), in line with legal and ethical requirements. After this time, records are securely destroyed or permanently de-identified.


5. Access to and Correction of Personal Information


You have the right to:

  • Request access to personal information we hold about you
  • Request correction of inaccurate, out-of-date, incomplete, or misleading information
  • Request deletion or transfer of data unless required to be retained by law


Requests should be submitted in writing. We aim to respond within 30 calendar days. While no fee is charged for lodging a request, reasonable administrative fees may apply for processing large or complex requests.


We may deny access in limited cases where:

  • It poses a serious risk to health or safety
  • It would unreasonably impact the privacy of others
  • The request is frivolous or unlawful
  • Disclosure would prejudice legal or enforcement activities


6. Use of De-Identified and Aggregated Information


me-studio may use de-identified information for:

  • Clinical supervision and training
  • Service evaluation and quality improvement
  • Research and reporting to funding bodies (e.g., Primary Health Networks)


De-identified data will not contain information that can reasonably identify you. You may opt out of non-essential data use upon request.


7. Children, Minors and Vulnerable Persons


We take additional precautions when collecting information from or about children and vulnerable individuals:

  • For clients under 15 years of age, consent must be provided by a parent or legal guardian
  • Sensitive personal information from vulnerable individuals will only be collected with valid consent or authorised representation
  • Where practicable, we engage minors in the consent process appropriate to their maturity and understanding


8. Third-Party Service Providers


We may engage secure third-party providers (e.g., telehealth platforms, practice management software, AI tools, cloud storage) who may access limited data only to perform services on our behalf. All third parties are required to comply with Australian privacy standards.


Where services are hosted or managed internationally, we take reasonable steps to ensure equivalent privacy safeguards are maintained and contractual protections are in place.


9. Marketing and Privacy Preferences


We do not use your personal information for direct marketing without your consent. If you opt in to receive updates (e.g., newsletters or service alerts), you may unsubscribe at any time. We do not sell or share your personal information with third parties for marketing purposes.


10. Photographic, Audio and Video Material


Photographs, videos, and audio recordings that identify clients will only be taken or used with explicit informed consent. These materials may be used for clinical, educational, or promotional purposes only where consent has been clearly provided. You may withdraw this consent at any time.


11. Complaints and Feedback


If you are concerned about a potential breach of privacy, please contact us in writing. We will investigate and respond promptly.


If you are not satisfied with our response, you may contact:


12. Data Breaches


In the event of a data breach that is likely to cause serious harm, me-studio will take immediate steps to contain the breach and notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches (NDB) scheme.


13. Policy Updates


This policy is reviewed regularly and may be updated to reflect legislative or operational changes. The most recent version will always be available on our website or by request at reception.


Contact Details:


Mindful Expressions Studio (me-studio)

1/13 Wills Street, Charleville QLD 4470

Phone: 07 4857 7777

Email: admin@me-studio.com.au

Website: www.me-studio.com.au