Privacy policy

Morning Star Psychology

1. About this Policy

Morning Star Psychology ("we", "us", "our") is committed to protecting the privacy of our clients, their families, referrers, and visitors to our website. We handle personal information and sensitive health information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Health Records Act (where applicable to your State or Territory), and the professional and ethical obligations of psychologists registered with the Psychology Board of Australia under the Australian Health Practitioner Regulation Agency (AHPRA).

This policy explains what information we collect, how we use and protect it, who we may share it with, and the rights you have over your information.

2. Who We Are

3. What Information We Collect

We only collect information that is reasonably necessary for, or directly related to, providing psychological services. The kinds of information we collect include:

3.1 Personal information

  • Identity details: full name, date of birth, gender, preferred pronouns.

  • Contact details: postal address, email address, phone number(s), emergency contact details.

  • Identifiers: Medicare number and reference number, Department of Veterans' Affairs (DVA) number where relevant, NDIS participant number, private health insurance details.

  • Payment details: information required to process fees, including credit card last-four digits and billing address. We do not store full credit card numbers — these are processed by a PCI-DSS compliant payment provider.

3.2 Sensitive (health) information

Because we provide psychological services, we collect "sensitive information" as defined under the Privacy Act, including:

  • Reasons for seeking treatment, presenting concerns, and history.

  • Medical history, current medications, and history of mental health treatment.

  • Mental Health Care Plans, GP referrals, and reports from other treating practitioners.

  • Risk and safety information (including risk to self or others).

  • Clinical notes, assessment results, formulations, and treatment plans created by your treating psychologist.

  • Family, relationship, employment, cultural, and educational information where relevant to your treatment.

3.3 Information from our website

When you visit www.morningstarpsychology.com.au we may collect:

  • Information you submit through contact or enquiry forms (for example, your name, email, phone number, and the message you choose to send).

  • Technical information automatically collected by our website host (Squarespace) and any analytics services we use, such as IP address, browser type, device type, pages visited, and referring URL. This information is used to keep the site secure and to understand how visitors use it.

  • Cookies set by our website host. You can control cookies through your browser settings.

You should not include detailed clinical information in our website contact form. If your enquiry is urgent or sensitive, please call us or, in an emergency, contact 000 or Lifeline on 13 11 14.

4. How We Collect Information

Wherever practicable we collect information directly from you. This may occur:

  • When you complete intake or consent forms (paper or electronic).

  • During sessions, whether in person or by telehealth.

  • When you contact us by phone, email, SMS, our website contact form, or our online booking system.

  • From referring GPs, paediatricians, psychiatrists, schools, or other treating practitioners (with your consent).

  • From third parties such as Medicare, the NDIS, NDIS plan managers, DVA, or insurers when claims or reports are made on your behalf.

  • From a parent, guardian, or substitute decision-maker where the client is a minor or otherwise unable to provide information directly.

If information about you is required from another person, such as a parent or partner, this will be discussed with you beforehand and your permission will be sought.

5. Why We Collect and Use Your Information

We use your information to:

  • Provide assessment and psychological treatment.

  • Communicate with you about appointments, including reminders by SMS or email.

  • Coordinate care with other practitioners involved in your treatment, with your consent.

  • Process Medicare, DVA, NDIS, and private health insurance claims.

  • Issue invoices and process payments.

  • Comply with our legal, regulatory, and professional obligations (for example, to AHPRA, the Office of the Australian Information Commissioner, and our professional indemnity insurer).

  • Improve the quality of our services through internal review, professional supervision, and de-identified continuous improvement.

6. Telehealth and Online Sessions

Where you choose to receive services by telehealth, additional considerations apply:

  • Telehealth sessions are not recorded unless you give explicit, written consent.

  • You are responsible for choosing a private location, a secure internet connection, and a device you trust. We recommend not using shared or public Wi-Fi.

  • No telehealth platform can guarantee absolute security. You acknowledge there is a residual risk that information transmitted over the internet may be intercepted.

7. Medicare, Mental Health Care Plans, and NDIS

If you claim a rebate under Medicare (for example, under a Mental Health Care Plan or Chronic Disease Management Plan), we are required to:

  • Collect and verify your Medicare details.

  • Provide a written report to your referring GP or other referrer at the conclusion of the referred sessions, in accordance with Medicare requirements.

  • Submit claim information to Services Australia (Medicare).

If you are an NDIS participant, we may share information with:

  • Your nominated NDIS plan manager or support coordinator (with your consent).

  • The National Disability Insurance Agency where required for plan reviews, reports, or invoicing.

You can ask us at any time what information has been shared and with whom.

8. Confidentiality and When We Share Your Information

We will not sell or trade your personal information.

Please note that we will not engage with you in public or online in a way that will identify you as a client. This is to protect your privacy and due to the requirements to uphold professional boundaries. Please personally contact your psychologist to engage with them rather than approach them on social media or in public forums.

All personal information gathered by the psychologist during the provision of psychological service will remain confidential and secure except when:

  1. A court subpoena or other disclosure is required or authorised by law.

  2. Your consent cannot be gained due to a requirement to get you emergency services during a medical crisis.

  3. If there is unauthorised access to data held by the clinic some limited information may need to be shared with the Office of the Information Ombudsman.

  4. Failure to disclose the information would place you or another person at risk of harm.

  5. Given your prior approval or consent of a parent or guardian who is legally authorised to act on your behalf to provide a written report to another professional or agency or discuss information with another person, e.g., parent or employer.

  6. You have provided your consent to share your information for a specific reason and purpose.

  7. You would reasonably expect your personal information to be disclosed to another professional or agency, and disclosure is directly related to the primary purpose for which it was collected, such as to inform your GP of treatment and progress, to claim Medicare rebates on your behalf etc.

  8. Clinical consultation with another professional is required to provide better services. If this occurs, identifying details will remain confidential.

If, during your treatment, the psychologist becomes aware of a risk to someone's life, health, or well-being, the psychologist is required to report the matter to the appropriate agencies.

We may also disclose information to service providers (such as our practice management software, email and SMS providers, secure document storage providers, accountants, and IT support) who are bound by confidentiality and data protection obligations, and to AHPRA, the Psychology Board of Australia, or our professional indemnity insurer where we have a regulatory or professional obligation to do so.

9. Storage Location and Overseas Disclosure

Your information is stored in a combination of secure paper records (where applicable) and encrypted electronic systems. Our website is hosted by Squarespace, and data may be stored on servers located in the United States and other jurisdictions where Squarespace operates.

Some of our service providers may store or process information outside Australia. Where this occurs, we take reasonable steps to ensure they handle your information consistently with the Australian Privacy Principles.

10. How We Protect Your Information

We take reasonable steps to protect your information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include:

  • Restricting access to client records to authorised staff only, on a need-to-know basis.

  • Using strong passwords and multi-factor authentication on systems that hold client information.

  • Encrypting electronic records in transit (HTTPS/TLS) and at rest where supported by the provider.

  • Storing paper records in locked cabinets in secured premises.

  • Maintaining current anti-malware protection and applying software updates promptly.

  • Backing up electronic records and testing recovery periodically.

  • Training staff in privacy, confidentiality, and information security.

11. How Long We Keep Your Information

We retain your records for the minimum period required by law and professional standards. As a general rule:

  • Adult clients: at least 7 years from the date of the last service.

  • Clients who were under 18 at the time of service: until the client reaches 25 years of age, or 7 years from the date of last service — whichever is later.

  • Where State or Territory health records legislation requires longer retention, we will follow the longer period.

When records are no longer required, they are securely destroyed or de-identified.

12. Accessing and Correcting Your Information

You have the right to ask for access to the personal information we hold about you and to ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant, or misleading.

To make a request, please contact us using the details in section 2. We will normally respond within 30 days. In some circumstances we may decline access, for example where giving access would pose a serious threat to the life or health of any individual, or where access is otherwise restricted by law. If we refuse access we will explain why in writing.

There is no charge for making a request, although a reasonable fee may apply for the cost of preparing copies of large records.

13. Children, Young People, and Decision-Making Capacity

Where the client is a child or young person, we will work with parents or guardians as appropriate. Older children and adolescents may be assessed as having capacity to consent to their own treatment and to direct who their information is shared with. The treating psychologist will discuss this with the family at the start of treatment.

14. Website, Cookies, and Analytics

Our website is hosted by Squarespace. Squarespace and any analytics services we enable (such as Google Analytics) may use cookies and similar technologies to understand site usage and improve performance. You can control cookies through your browser settings. Disabling cookies may affect how the website functions.

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those external sites and encourage you to review their privacy policies.

15. Email and SMS Communications

We use email and SMS to confirm appointments, send reminders, and respond to enquiries. Email is not always a secure form of communication. Please:

  • Avoid sending detailed clinical or sensitive information by email unless we agree in advance to use a secure channel.

  • Tell us if you do not want to receive SMS or email reminders, or if your preferred contact method changes.

  • Tell us if it is unsafe for us to leave voicemails or send messages to a particular number.

16. Data Breaches

We have processes in place to detect, contain, and respond to suspected data breaches. If a breach is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.

17. Complaints

If you believe we have not handled your information in accordance with this policy or the Australian Privacy Principles, please contact us using the details in section 2. We take privacy complaints seriously and will:

  • Acknowledge your complaint within 7 days.

  • Investigate and aim to provide a written response within 30 days.

  • Treat you respectfully throughout the process and not allow your complaint to affect the care you receive.

If you are not satisfied with our response, you can also contact:

  • Office of the Australian Information Commissioner (OAIC)www.oaic.gov.au or 1300 363 992.

  • AHPRA — for concerns about a registered health practitioner: www.ahpra.gov.au.

  • Your State or Territory Health Complaints Commissioner.

18. Changes to This Policy

We may update this policy from time to time. The current version will always be available on our website at www.morningstarpsychology.com.au.

19. Contact Us

If you have any questions about this policy or how your information is handled, please contact us using the details in section 2.