Privacy and Confidentiality Policy

Last updated: May 2026

At a Counselling Concern, your privacy, dignity, and trust are deeply respected. I understand that seeking counselling involves sharing personal and sensitive information, and I take this responsibility seriously. All information you share is treated with the utmost care and confidentiality — within the limits set by relevant law and duty of care responsibilities.

My commitment is to provide a safe, secure, and respectful space where you can speak openly, knowing your personal information is protected and only used to support your wellbeing and care.

I am committed to protecting your privacy and the confidentiality of your personal information. This policy explains how I collect, use, store, and protect your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the Health Privacy Principles under the Health Records Act 2001 (Vic).

As a health service provider, a Counselling Concern is bound by the Privacy Act regardless of annual turnover.

1. What Information I Collect

I may collect personal information including (but not limited to):

  • Your name, address, phone number, and email address
  • Date of birth and emergency contact details
  • Information about your health, mental health, and wellbeing
  • Appointment history and session notes
  • Payment and billing information

This information is collected when you:

  • Make an enquiry or book an appointment
  • Attend counselling sessions (in person or via telehealth)
  • Complete forms on the website
  • Communicate by phone, email, or other means

I only collect information that is reasonably necessary for providing my services (APP 3).

2. Why I Collect Your Information

I collect your information in order to:

  • Provide counselling and support services
  • Manage appointments, billing, and administration
  • Communicate with you about your care and services
  • Meet legal, ethical, and professional obligations
  • Improve my services and client experience

I will only use or disclose your information for the primary purpose for which it was collected, or for a directly related secondary purpose that you would reasonably expect (APP 6), unless you provide specific consent for another purpose.

3. Sensitive Information

Health and counselling information is classified as sensitive information under the Privacy Act and is treated with the highest level of confidentiality. I only collect this information when it is necessary to provide you with appropriate care and support.

Other sensitive information may include racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or criminal record. I will only collect these where directly relevant to your care, and only with your explicit consent (APP 3).

4. How Your Information Is Stored and Protected

I take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure (APP 11).

Electronic records:

  • Stored on encrypted disk (FileVault full-disk encryption)
  • Password-protected user accounts with access restricted to Paul Hammat only
  • Clinical data processed locally — no external cloud processing of client information
  • Website forms transmitted via HTTPS (SSL/TLS encryption)
  • Intake form data stored in a non-web-accessible directory on the server
  • Regular backups to encrypted external storage

Paper records:

  • Stored in locked filing cabinet in secure office
  • Access restricted to Paul Hammat only

Access to your information is limited to Paul Hammat, except where:

  • You have provided specific written consent for another person to access it
  • Disclosure is required or authorised by law
  • It is necessary for professional supervision (with identifying details removed wherever possible)

5. When I May Disclose Your Information

Your information is kept confidential and will not be shared with third parties except:

  • With your written consent — using a specific Consent for Information Release form, which describes exactly what information will be shared, with whom, for what purpose, and includes an expiry date
  • When required or authorised by law — including subpoena, court order, or mandatory reporting obligations
  • If there is a serious and imminent risk to your safety or the safety of others
  • For professional supervision or consultation — in which case identifying details are removed wherever possible
  • For insurance or billing purposes — limited to information necessary for the claim or transaction

I will not use or disclose your information for any purpose other than those stated above without your specific, informed, and voluntary consent (APP 6).

6. Record Retention

I retain your information only for as long as required by law and professional standards:

  • Adult client records: 7 years from the date of your last consultation
  • Client records where you were under 18: Until you turn 25, or 7 years from your last consultation, whichever is longer
  • Supervision records: 7 years from the date of the last supervision session
  • Financial records: 7 years from the end of the financial year (ATO requirement)

After the retention period, records are securely destroyed using methods that prevent reconstruction (secure file deletion for electronic records, cross-cut shredding for paper records). A destruction log is maintained.

For full details, see the Record Retention and Destruction Policy (available on request).

7. Data Stored in Australia

All client information is stored and processed within Australia. I do not store or process personal information outside Australia, and I will not disclose personal information to an overseas recipient unless:

  • You provide specific consent, or
  • I am required to do so by law (APP 8)

If personal information were to be disclosed to an overseas recipient, I would take reasonable steps to ensure the recipient complies with the Australian Privacy Principles.

8. Data Breach Notification

If a data breach occurs that is likely to result in serious harm to any individual whose information is involved, I am required under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act) to:

  1. Notify the Office of the Australian Information Commissioner (OAIC)
  2. Notify affected individuals as soon as practicable

Notifications will include: what happened, what information was involved, what I am doing about it, and what you can do to protect yourself.

I take all data breaches seriously and will act promptly to contain, assess, and remediate any breach, whether or not it meets the notification threshold.

For full details, see the Data Breach Response Plan (available on request).

9. Accessing or Correcting Your Information

You have the right to (APP 12, HPP 6):

  • Request access to your personal information (including your intake form and records)
  • Request corrections if you believe the information is inaccurate, incomplete, or out of date
  • Request a copy of your records

Requests can be made in writing and will be responded to within 30 days. I may charge a reasonable fee for providing copies, consistent with the Freedom of Information Act 1982 (Vic).

In some limited circumstances, access may be refused — for example, if providing access would pose a serious threat to life or health, or if access would have an unreasonable impact on another person's privacy. If access is refused, written reasons will be provided.

10. Website and Online Data

The website may collect limited information such as:

  • IP address and browser type
  • Pages visited and time spent on the site
  • Information submitted via contact or intake forms

This information is used only for website functionality, security, and improvement purposes and is not used to identify you personally.

Intake form data submitted through the website is:

  • Transmitted via encrypted connection (HTTPS)
  • Stored in a non-web-accessible server directory
  • Processed locally on a secure device (never sent to external cloud services)

11. Cookies

The website may use cookies to improve your browsing experience. You can disable cookies in your browser settings if you prefer. Cookie consent is managed via the website cookie banner.

12. Complaints

If you have a concern about how your privacy has been handled, you may:

  1. Contact me directly — I take privacy concerns seriously and will respond promptly
  2. Contact the Office of the Australian Information Commissioner (OAIC) — 1300 363 992 or oaic.gov.au
  3. Contact the Health Services Commissioner (Victoria) — 1300 582 113 or hcc.vic.gov.au

I will attempt to resolve any complaint internally first. If you are not satisfied with the response, you have the right to lodge a complaint with the OAIC or the Victorian Health Services Commissioner.

13. Contact

If you have any questions about this Privacy and Confidentiality Policy or how your information is handled, please contact:

Paul Hammat OAM
a Counselling Concern
Keilor, Melbourne VIC
0405 023 777
paul@counsellingconcern.au

14. Updates to This Policy

This Privacy Policy may be updated from time to time. The current version will always be available on this page. Significant changes will be communicated to current clients.

