Privacy Policy – Insight Rehab

Last updated: 28/04/2025

This Privacy Policy applies to the collection, use, and disclosure of personal information by Insight Rehab (ABN 9736 071 8856), a business registered under the laws of Australia and governed by the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”).

Insight Rehab (“Insight Rehab”, “we”, “us”, “our”) is responsible for managing personal information collected through its website www.insightrehab.com.au (the “Website”) and related services.

Insight Rehab is committed to protecting the privacy of all client information. We provide speech pathology services (the “Services”) to individuals with communication, cognitive, or swallowing disorders (each a “Client” and collectively “Clients”). These Services are delivered through a range of formats including in-person sessions, telehealth, and group therapy, and in doing so we handle personal and health information. We comply with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs), which regulate how we collect, use, disclose and safeguard your personal information.

Insight Rehab is responsible for ensuring compliance with Australian data protection laws and for implementing data protection mechanisms to secure personal information, including de-identification and secure international data transfers.

Health information (such as medical history or therapy records) is considered “sensitive information” under the Privacy Act and is afforded a higher level of protection, meaning we will only collect and use it with your consent and as necessary for your care. This Privacy Policy explains how we manage your information in line with our legal obligations and your rights. We aim to make this policy easy to understand and we encourage you to ask questions if anything is unclear.

Questions or concerns that you may have about this Privacy Policy, or the management of personal information may be directed to our Privacy Officer at:

  • Email: jason@insightrehab.com.au
  • Mail: PO Box 1669, Neutral Bay, NSW 2089

1. Legal and regulatory framework

1.1           Privacy Act, APPs and other applicable Standards

As an Australian healthcare provider, Insight Rehab adheres to the Privacy Act 1988 (Cth) and the Australian Privacy Principles. The APPs set out standards for handling personal information across the entire information lifecycle, from collection to disposal. In practice, this means we: operate openly and transparently about how we manage your data; collect only the information we need for our Services, with your consent; tell you what we are collecting and why; use and disclose your information only for the purposes you would expect, or with your further consent; and take steps to secure your information and to let you access and correct it. We also comply with the Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017, which requires us to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) of an eligible data breach, that is, a breach that is likely to result in serious harm to the individuals concerned. In addition, as Certified Practising Speech Pathologists we adhere to the Speech Pathology Australia Code of Ethics, which reinforces consent, privacy and confidentiality in delivering the Services.

1.2           Healthcare Identifiers Act

We ensure our practices are compatible with the Healthcare Identifiers Act 2010 (Cth) for any use of healthcare identifiers. If we collect or use a healthcare identifier, such as your Individual Healthcare Identifier (IHI), as part of your care, we do so in accordance with that Act, which establishes strict rules that such identifiers may only be used for purposes directly related to your healthcare management. Your Medicare number is not a healthcare identifier under that Act, but it is a government related identifier, and APP 9 restricts how we may adopt, use or disclose it.

We will not use or disclose your Medicare number, IHI, or any other government related identifier except where necessary to fulfil our duties in providing the Services (for example, verifying your identity or processing Medicare or NDIS claims) or as required or authorised by Australian law. By aligning with the APPs and the Healthcare Identifiers Act, we protect your health information to the highest standard.

2. Scope of clients covered

This policy applies to all individuals who engage with Insight Rehab’s Services. This includes NDIS participants (clients receiving Services under the NDIS), private clients (self-funded or family-funded), clients under insurance claims (e.g. workers’ compensation or motor vehicle accident schemes), and Medicare-funded clients (those using Medicare plans or Chronic Disease Management (CDM) referrals). No matter what type of funding or referral source you have, your personal information is handled with the same care and in compliance with the laws above.

(Note: If you are acting on behalf of a client – for example, as a parent/guardian or case manager – this policy also covers how we handle your personal details provided to us in that context.)

3. Collection of personal and health information

3.1           We only collect personal information that is reasonably necessary to provide you with the Services. The types of personal information we may collect include:

(a)        Identity and contact details: Your name, address, phone number, email, date of birth and emergency contact person.

(b)        Health and medical information: Relevant health history, medical reports or letters, treatment notes, assessments, and any diagnoses or conditions relating to your communication and swallowing needs. This may include information we receive from other health professionals (e.g. your GP, specialist or referring doctor).

(c)        Financial and funding information: For NDIS participants, we may record your NDIS participant number, plan details, and the name of your plan manager or support coordinator. For insurance claims, we collect claim references or insurer details as needed. For Medicare-funded services, we record your Medicare number and referral details (e.g. a care plan from your doctor).

(d)        Other personal details: Details of your next of kin and family, any goals you share with us, communication preferences, or support requirements (for example, if you require an interpreter or accessible formats). We only ask for information that helps us tailor and deliver our Services to you effectively and safely.

3.2           How we collect information

(a)        We will usually collect information directly from you (or your authorised representative) when you fill out our referral form, supply of services contract, or during assessments and therapy sessions. This might be done in writing, through our online forms, or verbally during conversations. In some cases, we may need to collect information from other sources with your consent – for example, from your doctor, another therapist, or a family member – if it’s necessary for your care and you have agreed for us to obtain it. We collect information by lawful and fair means and do not do so in an unreasonably intrusive way. If we ever need to collect information about you from someone else (such as a previous healthcare provider or a support organisation), we will seek your permission first unless required by law or in an emergency.

(b)        We will let you know why we are collecting any information and how we plan to use it at the time of collection. This Privacy Policy itself serves as a notice of our data collection practices. For instance, our referral form or supply of services contract will reference this policy and by signing it you acknowledge you understand what data we collect and why. Being transparent at the outset ensures you are informed and not surprised by any aspect of information handling.

(c)        We also explain any consequences if certain information is not provided – for example, if you choose not to share some health details or identifying information, it may affect our ability to safely deliver services or claim funding on your behalf. We only collect sensitive health information with your consent and when it is necessary for our activities as a health service provider. If you have any concerns about the information being requested, we encourage you to discuss them with us.

4. Use of information (purpose of collection)

4.1           We use your personal and health information to provide you with high-quality Service. The primary purpose for collecting your information is to plan, deliver, and coordinate your care and support including activities such as assessing your needs, developing therapy plans, communicating with you about appointments, delivering therapy sessions, and reviewing progress. For example, information you share about your medical history or communication abilities is used by our therapists to tailor your treatment plan and track your improvements.

4.2           We will only use or disclose your information for purposes directly related to this primary purpose, or for other purposes that you would reasonably expect as part of your engagement with us. In a healthcare context, it is generally expected that information flows between those involved in your care. For instance, if you were referred by a GP or medical specialist, you would expect we might send them updates or reports about your therapy progress; similarly, if you are an NDIS participant, you would expect us to provide necessary service reports to the National Disability Insurance Agency (NDIA) or your support coordinator. These uses and disclosures are considered part of the primary purpose of helping you with your health and support needs. We strive to ensure that any use or sharing of your data is in line with what an ordinary person in your situation would anticipate. We will not surprise you with uses of your information that you did not consent to or expect. If we intend to use your information for a purpose outside of providing the Services – for example, for a different health service or a research project – we will seek your further consent unless an exception under applicable privacy law applies.

4.3           Some common ways we use your information include:

(a)        scheduling and managing appointments;

(b)        sending you or your support person reminders and reports;

(c)        liaising with other members of your healthcare or support team (with consent);

(d)        processing invoices, payments or funding claims;

(e)        quality assurance and clinical audits within our practice; and

(f)        meeting any reporting requirements to funding bodies (e.g. NDIS progress reports).

Each of these activities is carried out to effectively deliver or account for the services you receive, and we do not use your personal information for any unrelated secondary purpose without your consent. In the rare case we might wish to use your data for staff training, service evaluation, or to invite you to provide a testimonial, we would only do so with your permission (or by using de-identified information that can no longer identify you).

5. Disclosure of information (sharing with others)

5.1           We respect the confidentiality of your information. There are times, however, when we may need to disclose some of your information to third parties as part of providing our services or meeting our legal obligations. The key situations in which we share data are explained below. We will only share what is necessary for that purpose and, wherever possible, with your consent or as expected in the context of your care.

5.2           Within your care team

If you are receiving support from multiple providers or professionals, we may exchange relevant information with them to coordinate your care. For example, we might send a report to your referring doctor, discuss your case with another therapist involved in your care, or consult with your support coordinator or case manager. We will ensure you know who is part of your “treating team.” Once you understand and agree that these parties are working with us to support you, we will share the necessary information with them on a need-to-know basis (if you ever express concerns about sharing with a particular person, we will respect that and seek your consent separately).

5.3           NDIS and funding bodies

If your Services are funded through the NDIS, an insurance scheme, or Medicare, we will likely need to share certain information with those organisations. This could include providing service logs, progress notes or reports to the NDIA or the NDIS Quality and Safeguards Commission, especially if required for reporting incidents or reviewing your plan. For insurance-funded clients, we may have to communicate with your insurer or their agent (for example, sending treatment plans or invoices to a workers’ compensation insurer). For Medicare claims, we must disclose relevant Service details to Medicare (a government agency) to process your rebates. In all such cases, we only disclose what is required – typically identification details and information confirming the Service(s) provided – and we do so under the authority of those funding arrangements or laws. We will inform you when such disclosures occur as part of our supply of services contract and this policy.

5.4           With your explicit consent

Apart from routine disclosures for care or funding, we will obtain your consent before sharing your information with anyone else. For example, you might want us to update your employer, or your child’s school, about therapy strategies – we will only do this if you ask us and sign off on the information to be shared. If a family member, lawyer, or any other third party requests information about you, we will not release it unless you have given written or clearly expressed permission (except in very limited situations required by law).

5.5           Required or permitted by law

There are certain situations where we may be compelled by law to disclose information even without your consent. These include:

(a)        if we receive a subpoena or court order;

(b)        if a law mandates reporting of certain injuries or risks (for example, mandatory reporting of abuse in some circumstances); or

(c)        if disclosure is necessary to prevent a serious threat to someone’s life, health or safety.

We will only ever disclose the minimum necessary information, and we will typically inform you of such disclosures unless legally prevented from doing so. Importantly, we do not sell or rent your personal information to telemarketers or advertisers. We do not disclose your information for marketing purposes unless you have expressly given us permission, as explained under “Opt-Out Rights” below. Any disclosures we make are primarily in service of your needs or as part of operational requirements (such as secure cloud storage, detailed in the next section). We maintain records of who we share information with, and you have the right to know those details (see “Access to Information” section). Being transparent about disclosures is part of our commitment to handling your information in an open manner.

6. Third-party service providers (data handling and overseas disclosure)

6.1           Insight Rehab utilises trusted third-party service providers to support our operations. This means that some of your personal information may be stored or processed using third-party software or platforms that we use for practice management, communication, and record-keeping. We choose these providers carefully and ensure they have strong privacy and security practices. In our effort to be transparent, we name below the key third-party services we use and why we use them. We also indicate whether information might be stored or accessed overseas, and in which countries, to meet our obligations under APP 1.4(f) and (g) regarding overseas disclosure.

6.2           Practice Management Software (Zanda Health)

(a)        We use Zanda Health, a practice management system, to schedule appointments, record clinical notes, issue invoices and manage client files. This system stores your contact details, therapy notes, and related documents in a secure cloud database.

(b)        Our understanding is that Zanda stores data on secure cloud servers in Australia where possible, but backups or certain functions may use servers in other locations. We will update you if we learn that your data is being stored outside Australia. Zanda’s Privacy Policy can be found here: https://zandahealth.com/au/privacy-policy/.

6.3           Telehealth

(a)        For telehealth sessions, Insight Rehab uses Zoom Telehealth Pro, which is integrated into the Zanda Health platform. Zoom states that Zoom Telehealth Pro meets Australian privacy and security requirements; its security and compliance documentation can be viewed here: https://www.zoom.com/en/trust/legal-compliance/. Zoom is a US-based provider, so telehealth session data may transit or be processed on servers outside Australia (see 6.7).

6.4           Billing and accounting (Xero)

(a)        We use Xero for quoting, invoicing and financial record-keeping. Your name, contact details and invoice details may be stored in Xero’s system to manage payments (for example, invoices to you or your plan manager).

(b)        Xero is a New Zealand-based company that uses global cloud infrastructure; personal data in Xero may be stored in data centres located overseas (potentially in the USA or other countries). We limit the information held in Xero to what is necessary for billing: usually your name, contact details, funding or insurer details where needed on the invoice, and the service provided. Xero’s Privacy Policy can be found here: https://www.xero.com/au/legal/privacy/.

6.5           Document storage (Microsoft SharePoint/OneDrive, Microsoft 365)

(a)        We use Microsoft’s SharePoint/OneDrive cloud platform (part of Microsoft 365) to store certain documents such as reports, letters, or resources. This may include your assessment reports or session resources.

(b)        Microsoft operates data centres globally. Although Microsoft can store Australian customer data in Australian or nearby regional data centres, backups or support services may involve access from other countries (for example, the United States). We rely on Microsoft’s security controls and its commitments under privacy laws to safeguard this data. Microsoft’s Privacy Statement can be found here: https://www.microsoft.com/en-gb/privacy/privacystatement.

6.6           Clinical documentation (AI Note Scribe)

(a)        At times we may use AI Note Scribe by Zanda Health, an AI-powered clinical note-taking and transcription service. AI Note Scribe assists with documenting your session, capturing only what is necessary for an accurate clinical record. If we use it, audio from a session or our consultation notes may be processed by the AI Note Scribe system to generate written summaries. AI Note Scribe supports, but does not replace, your speech pathologist’s professional judgement; all treatment decisions are made solely by your clinician.

(b)        Zanda Health uses Amazon Transcribe, an Amazon Web Services (AWS) service, to transcribe sessions, and Amazon Bedrock to access a large language model (LLM) that drafts the note summary and applies updates to the note. Data is encrypted in transit and at rest. Zanda states that no data is used to train the AI model and that all information is processed securely in real time. Session audio is not stored; Zanda Health stores only the text transcription output, which it describes as double encrypted in its database.

(c)        Because Zanda Health relies on cloud AI services, this processing may occur on servers outside Australia. We use such a tool only with caution, and ensure that any data is transmitted securely and handled under confidentiality agreements. We will let you know before we use AI Note Scribe or a similar tool during your sessions, so you have a chance to consent or decline. More information about AI Note Scribe can be found here: https://support.zandahealth.com/how-bizzyai-note-assist-works-keeping-your-data-safe-and-secure.

6.7           For all the above providers, we have agreements or terms in place that require them to protect your information. Where data is stored in the cloud or overseas, APP 8 (cross-border disclosure of personal information) applies: we remain accountable under the Privacy Act for ensuring your privacy is safeguarded even outside Australia. We take reasonable steps to choose providers with proper security certifications and privacy compliance. If any of our service providers are located in a country with different privacy laws, we will ensure that appropriate safeguards (such as encryption and contractual privacy clauses) are used to protect your data. At this time, the countries in which your information could be stored or accessed include Australia (primary storage) and possibly the United States (due to some cloud services). If this changes, or if other countries become involved, we will update this policy to let you know.

6.8           By engaging our Services and consenting to this privacy policy, you acknowledge that your personal information may be held with these third-party providers as described. We will not otherwise send your personal details overseas unless it is in line with this policy or we obtain your consent. If you have questions about any specific service we use or wish to know more about their privacy protections, please let us know and we can provide you with further information.

7. Consent and active agreement

Because we handle sensitive health information, we take consent very seriously. Under Australian privacy law, we generally require your consent to collect and use your health information, unless an exception applies.  We have designed our intake and onboarding process so that this Privacy Policy doubles as a consent mechanism, meaning you won’t have to sign a separate form solely for consent to handle your data – it’s integrated here. We ask you to read this Privacy Policy (and we can explain it to you in person or over the phone in simple terms). By signing our supply of services contract or ticking the appropriate box on our referral form and acknowledging this policy, you are actively consenting to us collecting, using, and sharing your personal information as outlined. This “active consent” approach ensures you are giving an informed agreement, rather than us assuming consent by default. We will not simply hide consent in fine print or assume your consent from silence; we make it an explicit step in our client intake.

7.1           What are you consenting to?

In summary, you consent that we may collect and handle your information to provide services to you, and that we may share your information with the parties and for the purposes described in this policy (for example, with other healthcare providers involved in your care, with NDIS or funding agencies, and via the third-party systems we use). We will highlight any key uses or disclosures when we first discuss privacy with you, so you know exactly what you’re agreeing to. For instance, we might say: “Is it okay if we send a report to your GP and to your NDIS support coordinator?” – and record your agreement.

By giving consent, you also agree that you understand why we need this information and what could happen if you chose not to provide or allow use of certain information (such as, we might not be able to effectively deliver services, or you might not receive funding reimbursement). We want to ensure your consent is informed, voluntary, current, and specific. This means you have the capacity to understand what you’re agreeing to, you’re not under pressure, the consent relates to the particular things we do with your data, and it’s up to date (we will re-confirm consent if circumstances change).

We also avoid “bundling” unnecessary consents together. We won’t force you to agree to something unrelated in order to get the service (for example, we won’t make you consent to marketing emails as a condition of receiving therapy – those choices are separate). Our consent request is focused on what is needed for care and administration. If there are optional aspects, we will give you a genuine choice.

7.2           Withdrawing or changing your consent

You have the right to withdraw your consent at any time, or to refuse consent for a specific aspect, and we will respect your wishes. For example, if you initially agree we can share information with a certain support worker but later change your mind, just let us know and we will stop any further disclosures to that person. If you withdraw consent for us to use or hold your information entirely, we will explain any implications – for instance, we may not be able to continue providing services to you if we cannot use basic information about you. However, you are always free to make that choice. We will make the process of withdrawing consent as easy as possible (a written or verbal request to our team is sufficient). Note that withdrawing consent will not affect any use or disclosure that has already happened with your earlier permission, but it will stop future handling.

Our goal is that you feel in control of your personal information. Consenting to this policy is not a one-time, irrevocable decision – it’s a continuous agreement that you have the right to pause or revisit. We check in with clients periodically (for example, at annual reviews of service) to ensure you remain comfortable with how we are managing your information. If you have any questions about our consent process or need help understanding this policy to give consent, we are happy to assist, including providing the information in an alternate format or involving a trusted person of your choice in the explanation. Your active consent is fundamental to our relationship, and we aim to honour both the letter and spirit of consent requirements in Australian privacy law.

8. Data security and storage

8.1           Protecting your personal information is a top priority for Insight Rehab. We take reasonable and rigorous steps to safeguard the information we hold from misuse, interference, loss, unauthorised access, modification, or disclosure, as required by APP 11. In practical terms, we store your information securely in both physical and electronic forms and limit who can access it.

8.2           Here are some of the measures we have in place to keep your data safe:

(a)        Secure digital systems: All electronic client records (therapy notes, reports, contact details) are stored in secure systems such as our practice management software or cloud storage that require login authentication. We use strong passwords and, where available, multi-factor authentication for staff access. Access to systems such as Zanda Health, SharePoint, and Xero is restricted to authorised team members on a need-to-know basis (for example, your therapist can access your clinical notes and our bookkeeper can access billing information, but neither can see the other’s domain without permission).

(b)        Encryption and firewalls: We ensure that data transmitted electronically (e.g., sending a report via email or uploading documents to cloud storage) is protected in transit. Our devices and storage drives are encrypted, and our cloud providers use encryption for data at rest and in transit. We maintain up-to-date firewalls and security software on our computers to prevent unauthorised intrusion.

(c)        Physical security: Paper documents (if any) containing personal information, such as signed forms or handwritten session notes, are kept in locked cabinets when not in use. Our office has controlled access. We also have policies that if staff take any notes off-site (for example, to a home visit), they keep them secure and return them to the office promptly for filing or secure disposal.

(d)        Staff training and confidentiality: All Insight Rehab staff, contractors, and professional services engaged by Insight Rehab are trained in privacy and confidentiality. They are made aware of their obligations to protect client information and are required to sign confidentiality agreements. We conduct privacy training and reminders, where required, so that everyone handles personal data carefully (e.g., not leaving files open on screens, verifying identities before sharing info over the phone).

(e)        Monitoring and auditing: We keep logs of access to electronic records where possible. This means we can trace who accessed or updated your file and when. If any suspicious activity were detected, we would investigate it. Our systems are kept updated with the latest security patches to minimise vulnerabilities.

8.3           Despite all precautions, no system is 100% secure. However, we follow industry best practices and OAIC guidelines to continually assess and improve our data security measures. We also prepare for the unexpected by having a data breach response plan. In the unlikely event of a data breach (for example, if our systems were hacked or a laptop holding information was stolen), we have steps to contain the breach, assess whether it is likely to result in serious harm to the individuals affected, and notify those individuals and the OAIC where the Notifiable Data Breaches scheme requires it. Under that scheme we must complete our assessment of a suspected eligible data breach within 30 days of becoming aware of it and, if it is an eligible data breach, notify the OAIC and affected individuals as soon as practicable. You can be assured that we would inform you quickly if a serious compromise of your information occurs, and we would work to prevent any harm.

9. Data retention and destruction

9.1           We will keep your personal information only for as long as it is needed for the purposes described in this policy, or as required by law and professional standards. As a healthcare provider, we have certain obligations to retain health records for minimum periods. For example, in New South Wales, where we are based, the Health Records and Information Privacy Act 2002 (NSW) requires private sector health providers to retain adult client records for at least 7 years from the last date of service and, for clients who were under 18 when the record was made, until they turn 25. These retention practices ensure that information is available if you return for services or if it is needed for any follow-up. We comply with any applicable health records laws in our State/Territory that mandate specific retention periods.

9.2           When your information is no longer needed for the purpose for which it was collected, and we are not required by law to keep it, we will take reasonable steps to destroy or permanently de-identify that information. For instance, if you cease services with us and the requisite retention time has passed, we will securely shred paper files and delete or anonymise electronic records. We use data deletion processes that ensure your information cannot be reconstructed or read (for example, using secure delete functions or professional destruction services). We also actively destroy or de-identify duplicate records and unnecessary data on an ongoing basis to reduce risk.

9.3           If you withdraw consent for us to hold your data and it is appropriate to do so, we can also discuss deletion of your information. However, please be aware we might need to retain certain records to fulfil legal responsibilities (for example, health practitioners must keep treatment records for a period even if a client leaves, to defend against any potential legal claims or for medical continuity). In such cases, we would archive your records securely and not use them moving forward.

9.4           We also retain records of any consents, withdrawals of consent, or opt-outs you have given, as part of our accountability. These records themselves are kept private and only as evidence of your choices.

9.5           We do not keep your information indefinitely “just in case.” We have a schedule for reviewing and culling data that is no longer required. Our aim is to minimise the amount of personal information we hold about you over time, consistent with our obligations. If you have questions about how long we keep specific types of information, or if you want us to consider special retention or deletion requests, you can contact us (see “Contact Details” and “Complaints” in sections 14 and 15, respectively) and we will be transparent about our practices.

10.         Access to information and corrections

10.1        You have the right to access the personal information we hold about you. This means that, upon request, we can provide you with information such as your contact details, therapy notes, reports, or other records that we have in our files, subject to some exceptions under law. We will respond to your access request in a reasonable time frame (typically within 30 days) and in the format you request if feasible. To protect your privacy, we may need to verify your identity (or authority, if you are requesting on behalf of someone else) before releasing any information. If a family member or advocate requests access on your behalf, we will require your consent or legal authority (except for parents accessing a young child’s records, which is usually allowed).

10.2        To request access, you can contact our Privacy Officer. Please let us know what information you would like to see. We can provide copies (physical or electronic). There is no fee to make a request, but in some cases, we may charge a small fee to cover the costs of copying or delivering large amounts of information (we will let you know in advance if this applies, and it will be in line with any regulations on fees). We will endeavour to make the process as easy as possible, because we believe in transparency.

10.3        There may be rare situations where we cannot give you access to certain information. Examples include if giving access would pose a serious threat to someone’s life or health, or if it would unreasonably impact another person’s privacy, or if it relates to anticipated legal proceedings, or where we are legally prohibited from disclosing it. If any such exception applies, we will provide you with a written explanation of the refusal and the reasons (except where we cannot by law) and inform you of any further steps you can take. For most clients, full access is usually granted with no issues.

10.4        We also take steps to ensure the information we hold is accurate, up-to-date, and complete. However, if you believe that any information we have about you is incorrect or out-of-date, you have the right to request that we correct or update it. For example, you might want to correct your address or phone number, or you may feel that a detail in a therapy report is inaccurate or misrepresents what happened. Please contact us and let us know what needs fixing. We may ask for evidence if it is a factual change (such as proof of a new address), but generally we will make the correction if you show that an entry is wrong. If we disagree that the information is incorrect (which is uncommon), we will let you know our reasons and, if you request, we will add a note to the record stating that you contest its accuracy.

10.5        In some cases, correcting health information might involve creating an additional note (for clinical integrity, we might not erase the original note but will annotate the record to reflect the correction). We will notify you once corrections are made. There is no charge for requesting corrections.

11.         Complaints and Feedback

11.1        We welcome any questions, concerns, or feedback you have about your privacy or this policy. If you have a complaint about how we have handled your personal information – for example, if you believe we have not respected your privacy, or you have a concern that we have breached the APPs – please let us know immediately. We take privacy complaints very seriously and see them as an opportunity to resolve any issues and improve our practices.

11.2        How to complain to us: You can lodge a complaint by contacting our Privacy Officer using the contact details provided at the beginning of this privacy policy. It’s helpful if your complaint is sent in writing (such as an email or letter) so that we can fully understand and document the problem. Please include details such as what happened, approximately when, and what outcome you seek. If you prefer to talk it through, you can call us, and we will make a written record of your concerns. We will acknowledge your complaint as soon as possible (usually within a few days) and then investigate.

11.3        Our process is to investigate and respond to your privacy complaint within a reasonable time, typically within 30 days. The Privacy Officer will review the relevant records and speak with any staff involved to understand the situation. We may contact you for more information during this process. After investigation, we will provide you with a written response outlining the findings and any actions we will take to address the issue. If we find we did fail in some aspect of our obligations, we will apologise and let you know how we’ve fixed it or will prevent it happening again. If there was a misunderstanding, we will try to clarify the matter. Our aim is to achieve a fair resolution that you are satisfied with.

12.         Opt-out rights and your choices

12.1        We believe in giving you control over your personal information. Aside from the core uses of your information necessary for our Services, you have choices about some secondary uses, particularly related to communications beyond your care.

Below are some opt-out options and preferences you can exercise at any time:

(a)        Direct marketing and newsletters

Insight Rehab may, from time to time, send out newsletters, updates about new services or events, or resources that might benefit our clients. We will only send you such communications if you have agreed to receive them. Health information will not be used for direct marketing without your consent. If you do choose to subscribe to our updates, you can opt out at any time – every email will contain an “unsubscribe” link, or you can tell us, and we will remove you from the mailing list immediately. Opting out of promotional or educational communications will not affect the Services we provide to you.

(b)        Use of Information in testimonials or stories

We value sharing success stories (for example, highlighting a client’s progress as encouragement to others). However, we will not publicly share any identifying information or story about you without your explicit consent. If we would like to feature your story or feedback, we will ask you separately. This is entirely voluntary. You can decline and it will have no effect on our Services to you. If you consent and later change your mind, inform us and we will cease any future use of your story.

(c)        Participation in research or training

Occasionally, we might be involved in research projects or student training (e.g., a student observing a session). We will inform you and ask for consent if your data or involvement is requested. You have the right to opt-out of research or having students present during your sessions. We understand and will always respect a “no” decision – it will not impact your access to our Services.

(d)        Withdrawal of consent

As noted in the Consent section, you can withdraw consent for any specific use or disclosure. For instance, if you previously allowed us to share reports with a certain agency and you no longer want that, just let us know. If you opted into something and then opt-out (such as receiving our newsletter), we will honour that going forward.

(e)        Anonymous or pseudonymous options

Where practical, you have the option to not identify yourself or to use a pseudonym when interacting with us. In healthcare services it is usually impractical to remain anonymous, since we need accurate information to treat you and to process funding. However, if you prefer not to use your real name in a particular situation (perhaps for an initial inquiry, or when providing feedback), we will try to accommodate this. For active clients we do need your true identity for clinical and legal reasons; in all cases your information is kept confidential as described in this policy.

(f)         Cookies/online opt-out

If our Website uses cookies or similar technologies for analytics, you can usually opt out by adjusting your browser settings. We do not use cookies to collect sensitive information. The privacy notice on our Website provides details on any online data collection and how to opt out.

To exercise any opt-out or preference, you can simply contact us (an email or call stating your preference is sufficient) or follow any provided mechanisms (such as the unsubscribe link for emails). Remember, you are in control. Our default is to assume you want the maximum privacy, so we will not do anything beyond the necessary uses of your data without asking. And when asked, you are completely free to say no. These choices will be documented so all our staff know your preferences (for example, we mark in our system if a client has opted out of group emails or if they have requested no info be shared with a certain party). Your comfort and trust are our priority, and that includes respecting your choices regarding your personal information.

13.         Your legal rights

13.1        You have a number of rights under data protection laws in relation to your personal data.

You have the right to:

(a)        request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

(b)        request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

(c)        request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.

(d)        object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.

(e)        object at any time to the processing of your personal data for direct marketing purposes. This right is absolute.

(f)         request the transfer of your personal data to you or to a third party. We will provide to you, or to a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to information processed by automated means that you initially provided to us on the basis of your consent, or that we used to perform a contract with you.

(g)        request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:

(i)         if you want us to establish the data’s accuracy;

(ii)        where our use of the data is unlawful but you do not want us to erase it;

(iii)       where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

(iv)       you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

13.2        If you wish to exercise any of the rights set out above, please contact us (see Contact details in section 14).

13.3        No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

13.4        What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

13.5        Time limit to respond

We try to respond to all legitimate requests within one (1) month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you informed.

14.         Contact details

If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact us in the following ways:

(a)        Email address: jason@insightrehab.com.au

(b)        Postal address: PO Box 1669, Neutral Bay, NSW 2089

(c)        Telephone number: 0414 560 421

15.         Complaints

If you have concerns about how we collect, use, or disclose your personal information, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC), the regulator responsible for enforcing Australian privacy laws.

Office of the Australian Information Commissioner (OAIC)

(a)        Website: https://www.oaic.gov.au

(b)        Phone: 1300 363 992

(c)        Mailing address: GPO Box 5218, Sydney NSW 2001, Australia

We encourage you to contact us first to allow us the opportunity to address your concerns before reaching out to the OAIC. You may contact our Privacy Officer at the contact details provided on the first page of this privacy policy.

16.         Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. This version was last updated on 28/04/2025.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

17.         Third-party links and user-generated content disclaimer

17.1        This Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy policy of every website you visit.

17.2        We act as a platform for user-generated reviews and do not endorse, verify, or take responsibility for the content of these reviews. All reviews reflect the opinions of individual Users and not of Insight Rehab. We are not liable for any claims, damages, or legal actions arising from user-generated content, including defamation claims.

18.         General disclaimer

Any general information published by Insight Rehab on its website or social media platforms is provided for informational purposes only and does not constitute clinical, therapeutic, or legal advice. You should seek personalised advice from your treating clinician or healthcare provider before acting on such information.