Privacy Policy - Flow Physiotherapy
Sole Practice | Ashgrove, Qld | Created October 2025
Our commitment to your privacy
We are committed to handling personal information about you, including your health information, in accordance with the requirements of the Privacy Act 1988.
In this policy, we explain:
what kind of information we collect and hold about you
how and why we collect it
what we do with your information, who we share it with and when
your right to seek access to, and if required correction of, the records we hold about you
your right to make a privacy complaint, to us and others
whether we disclose information about you to overseas recipients.
What kind of personal information do we collect about you?
We collect and hold the following kinds of information:
your name, address, date of birth, email and contact details
information about your family or relatives
information about other health professionals involved in your care
any government identifiers such as Medicare number, DVA number. However, we do not use these for the purposes of identifying you in our practice
digital identifiers, such as IP addresses, collected during online services like telehealth.
other health information about you such as:
a record of your symptoms
your relevant medical history
your medications
the diagnosis made and the treatment we give you
specialist reports
test results
your appointment and billing details
your healthcare identifier
your health fund details
other information about you collected for the purposes of providing care to you.
How do we collect and hold your personal information?
We collect personal information:
directly from you when you give us your details (eg, face-to-face, over the phone, via registration form or an online form)
from a person responsible for you
from a third party where we are permitted by law to do so (eg, other health care professionals involved in your care, from your health insurer, from the My Health Record system etc.).
We hold your information securely using technical and organisational measures, such as encrypted databases, secure telehealth platforms and restricted-access systems, in line with the Privacy Act’s updated security requirements.
Why do we collect and use information about you?
We primarily collect and use personal information about you to provide our physiotherapy services to you and to communicate with you and others involved in your care in relation to those services.
We also sometimes use that information for other purposes, including:
to help us manage our accounts and administrative services, including billing, arrangements with health funds, pursuing unpaid accounts, management of our IT systems
to conduct accreditation, quality assurance or internal audits.
We may also use de-identified data (where you cannot be identified) to improve our services, such as analysing treatment outcomes for quality assurance.
When and why might we share information about you with others?
We may disclose information about you to others outside of our practice as permitted or required under law. This will include situations where we disclose information about you to:
comply with our legal obligations (eg, mandatory reporting under legislation, responding to a court order or subpoena)
consult with other health professionals involved in your healthcare
get test results from diagnostic and pathology services
claim on insurance
communicate with your health fund, with government and other regulatory bodies such as Medicare
help us manage our accounts and administrative services (eg, billing or debt recovery, arrangements with health funds, pursuing unpaid accounts etc.)
lessen or prevent a serious threat to a patient’s life, health or safety or a serious threat to public health or safety
help in locating a missing person
establish, exercise or defend an equitable claim through the My Health Record
prepare the defence of anticipated or existing legal proceedings
discharge notification obligations to liability insurers
share limited information during a data breach to reduce harm, as directed by law under the 2024 amendments.
We never share your information maliciously (eg, through doxxing, which is now a criminal offence) and only disclose what is necessary for the purpose.
Your right to seek access to and to seek correction of the information we hold about you
You have the right to seek access to and correction of the personal information we hold about you. Requests must be made in writing where possible and we will usually charge a small fee for giving access.
We will normally respond to your request within 30 days. To make the request, you should contact Sally Watson, Practice Owner, Flow Physiotherapy, details at the end of this document.
If you think that the information we hold about you is not correct, let us know in writing. We will take reasonable steps to correct your personal information where the information is not accurate or up-to-date. From time to time, we may also ask you to verify that the information we hold about you is correct and current. And please notify us if your contact details change (see ‘how to contact us’).
Security: how we hold your personal information
We take reasonable steps to protect the information we hold about you. These are designed to prevent unauthorised access, modification or disclosure and to prevent misuse and loss.
We protect your information using technical measures (eg, encrypted databases, secure telehealth platforms, strong passwords including two-factor authentication) and organisational measures (eg, staff training, confidentiality agreements, access restricted to need-to-know). We scan paper records directly to our practice management software then destroy the original. Digital records are stored on secure servers or cloud storage compliant with Australian law. We also maintain a data breach response plan to act swiftly if unauthorised access occurs, in line with the 2024 Privacy Act updates.
Your right to receive treatment from us anonymously (or by using a pseudonym)
Where it is lawful and practicable for us to do so, you can be treated anonymously or through use of a pseudonym (a name other than yours).
Note that anonymity may not be possible for services requiring identification, such as Medicare or health fund claims.
Disclosing information about you overseas
We do not disclose your information overseas. If we use cloud storage, we ensure providers comply with Australian privacy laws. Should we need to transfer your information abroad, we’ll seek your consent unless required by law.
What we will do if we have a data breach
If we suspect a data breach, we’ll assess it promptly, notify the OAIC and affected patients within 30 days (or sooner if required) and take steps to prevent harm, as mandated by the 2024 Privacy Act amendments.
If you have a privacy-related concern about us
If you’re concerned about how we’ve handled your privacy, contact us in writing at [details]. We’ll respond within 30 days. You may also complain to the Office of the Australian Information Commissioner (details below) or seek redress for serious privacy breaches under the 2024 Privacy Act amendments, even without proving harm.
Office of the Australian Information Commissioner
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218 Sydney New South Wales 2001
Website: www.oaic.gov.au/privacy/privacy-complaints/
Updating this policy
We will update this policy from time to time, to reflect any changes in our information-handling practices or the law or both.
We will notify you by posting updates on our website www.flowphysiotherapy.com.au, displaying notices in our clinic, or emailing you directly.
How to contact us
To contact us about any privacy related issues, please contact:
Sally Watson - sally@flowphysiotherapy.com.au