Privacy policy

Sunflower Speech
Effective date: 13/01/2025
Review date: 16/10/2025
Version: 1.2

1. Introduction

Sunflower Speech (ABN: 30971755902) is a sole-trader speech pathology practice based in Queensland. I provide speech pathology services to individuals and families, including NDIS participants and private clients, both in person and via telehealth.

I am committed to protecting the privacy and confidentiality of all personal and health information in accordance with:

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

  • Health Records Act 2001 (Vic) for clients located in Victoria

  • NDIS Act 2013 and NDIS Quality and Safeguards Commission Practice Standards

  • Speech Pathology Australia (SPA) Code of Ethics (2020) and Professional Standards

This policy explains how your personal and health information is collected, stored, used, and disclosed by Sunflower Speech.

2. What information I collect

I collect information necessary to provide safe, effective and personalised speech pathology services. This may include:

  • Personal details (name, date of birth, contact details, address)

  • Demographic information (language, cultural background, gender identity)

  • Health and disability information (diagnoses, medical history, medication, prior assessments)

  • Therapy information (goals, session notes, reports, progress data)

  • NDIS details (plan type, goals, support coordinators)

  • School or workplace information relevant to therapy

  • Payment information (invoices, payment records; I do not store credit card numbers)

  • Referrals or reports from other professionals

  • Telehealth recordings or correspondence (if applicable and consented)

3. How I collect information

I may collect information:

  • Directly from you (or your parent/guardian) through intake forms, consent forms, phone, email, or in sessions

  • From others involved in your care (e.g. GP, school, other allied health professionals), where you have provided consent

  • Through telehealth platforms or secure digital forms

  • From lawful or regulatory sources where required (e.g. NDIS Commission, courts, police)

4. Purpose of collection

I collect and use personal and health information to:

  • Provide speech pathology assessment, therapy, and related services

  • Develop, implement, and monitor therapy plans

  • Communicate with you, your family, carers, and other providers (with your consent)

  • Meet NDIS reporting and quality assurance obligations

  • Manage administrative functions (billing, scheduling, record keeping)

  • Improve service quality, staff training, and practice management

  • Fulfil legal, ethical, and professional obligations

Information will not be used for marketing or unrelated purposes without your explicit consent.

5. Use and disclosure of information

I will only use or disclose your information for the purpose for which it was collected, unless:

  • You have given consent for another use or disclosure

  • It is required or authorised by law (e.g. court order, mandatory reporting of child safety concerns, or serious risk of harm)

  • It is necessary to protect the life, health, or safety of an individual or the public

  • It is reasonably expected by you and related to the primary purpose (e.g. communication with your GP or support coordinator)

Disclosure examples

  • To NDIS or funding bodies (for billing or reporting)

  • To other healthcare providers involved in your care

  • To administrative or IT service providers under strict confidentiality agreements

  • To insurers or legal representatives if authorised

6. Cross-border disclosure

Electronic information may be stored using secure cloud-based systems that utilise servers located within Australia or overseas.
If overseas storage is used (for example, Microsoft 365, Cliniko, Halaxy, or Google Workspace), I take reasonable steps to ensure that the provider complies with the Australian Privacy Principles or equivalent safeguards.

7. Data storage and security

I take reasonable precautions to protect your information from misuse, loss, unauthorised access, or disclosure.

Measures include:

  • Password-protected devices and secure digital storage

  • Encrypted backups and secure file-sharing systems

  • Physical records stored in locked cabinets

  • Limited access to information on a “need-to-know” basis

  • Confidentiality agreements for any administrative or IT contractors

  • Regular review of data security practices

For telehealth clients, I use secure, encrypted video platforms and do not record sessions without explicit consent.

8. Retention and disposal of records

I retain health records in accordance with:

  • Queensland requirements: minimum 7 years after the last client contact (or until a child turns 25, whichever is longer).

  • Victorian requirements: under the Health Records Act 2001 (Vic), adult records must also be retained for 7 years, and records of minors until age 25.

After this period, records are securely destroyed or permanently de-identified.

9. Access and correction

You have the right to:

  • Request access to the personal and health information I hold about you

  • Request corrections if your information is inaccurate, incomplete or out of date

Requests can be made by email or in writing.
Access may be limited in rare circumstances (e.g. if release would cause harm or breach another person’s privacy).
Where access is refused, I will provide reasons and note your request in the record.

10. Data breaches

If your information is involved in a data breach that is likely to result in serious harm, I will follow the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth).
You and the Office of the Australian Information Commissioner (OAIC) will be notified as required, and steps will be taken to contain and prevent further breaches.

11. NDIS-specific privacy

As a provider supporting NDIS participants, I comply with:

  • NDIS Practice Standards – Module 2: Rights and Responsibilities (privacy and dignity)

  • NDIS Quality and Safeguards Commission requirements on handling participant information

  • Obligations to protect any Protected Commission Information under the NDIS Act

Information provided to the NDIS or NDIA is strictly limited to what is necessary to deliver and claim supports.

12. Speech Pathology Australia Code of Ethics

As a Certified Practising Speech Pathologist, I adhere to the Speech Pathology Australia Code of Ethics (2020), including:

  • Respecting client confidentiality and privacy

  • Obtaining informed consent before collecting or sharing information

  • Maintaining accurate, secure, and confidential records

  • Using information for professional purposes only

13. Complaints and concerns

If you have a concern about how your information is handled:

  1. Contact me directly:
    Lisa Trinca
    Sunflower Speech
    Email: lisatrincaspeech@gmail.com

  2. If unresolved, you may contact:

Complaints will be handled fairly, promptly, and in accordance with relevant laws and professional standards.

14. Changes to this policy

This Privacy Policy may be updated periodically to reflect changes in legislation, professional standards, or practice operations.
The most current version will be available on my website or provided on request.

15. Contact details

For privacy enquiries, requests or complaints, please contact:

Lisa Trinca
Speech Pathologist - Sunflower Speech
Email: lisatrincaspeech@gmail.com