Privacy Policy
Last updated: 17 Oct 2025
1. Purpose and Commitment
Butterfly Health Group (“we”, “our”, “us”) is committed to protecting the privacy and confidentiality of the personal and health information of our clients, participants, their families, and representatives.
We comply with:
The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
The Health Records Act 2001 (Vic);
The NDIS Act 2013;
NDIS Quality and Safeguards Commission requirements; and
Other relevant Commonwealth and Victorian laws.
We are committed to respecting each person’s right to privacy and dignity and to meeting our legal obligations under the NDIS Practice Standards and the NDIS Code of Conduct.
2. Scope
This policy applies to:
All employees, contractors, allied health assistants, students, volunteers, and agents of Butterfly Health Group;
All services delivered under NDIS registration or private arrangements;
All personal, sensitive, and health information collected, used, stored, and disclosed by Butterfly Health Group.
3. Definitions
For the purposes of this policy:
Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether recorded in material form or not.
Sensitive Information: Includes health information, disability-related information, racial or ethnic origin, sexual orientation, or other information protected by law.
Health Information: Information about an individual’s health, disability, medical history, health services provided, or expressed wishes about future health care.
Participant: A person receiving services from [Business Name], including NDIS participants and private clients.
Consent: Voluntary agreement to the collection, use, or disclosure of personal information, either verbally or in writing.
4. Information We Collect
We collect only the information necessary to provide high-quality therapy and related services.
This may include:
Identifying information: name, date of birth, address, contact details.
Health and therapy information: assessments, medical history, therapy notes, reports, care plans.
NDIS-related information: plan details, NDIS number, funding arrangements, support team contacts.
Family and emergency contacts, guardianship or legal representative details.
Communication records, consent forms, and progress documentation.
Billing and payment information.
We will inform individuals why we are collecting their information at the time of collection or as soon as practicable thereafter.
5. How We Collect Information
We collect information in a number of ways, including:
Directly from the participant or their authorised representative;
Through referral from other health professionals, support coordinators, or schools (with consent);
Through service agreements, intake forms, assessment tools, or correspondence;
Through our website, email, phone, or in-person communications.
Information is collected lawfully, fairly, and with respect for privacy at all times.
6. Purpose of Collection
We collect, use, and disclose personal and health information to:
Deliver occupational therapy and allied health services;
Assess, plan, implement, and review therapy goals and supports;
Communicate and collaborate with other health, education, or support professionals;
Fulfil obligations under the NDIS and other legal or regulatory frameworks;
Administer billing, invoicing, and operational functions;
Manage risk, quality improvement, training, and compliance;
Protect the health, safety, and wellbeing of participants, staff, and the community.
We will not collect, use, or disclose information for any other purpose without consent, unless required or authorised by law.
7. Legal Basis for Collection
Our collection and handling of personal information is governed by:
APP 3 and APP 5 of the Privacy Act 1988 (Cth);
Health Records Act 2001 (Vic);
NDIS Act 2013 and NDIS Practice Standards;
Consent from the participant or their representative;
Statutory obligations or legal authority (e.g., serious risk to safety).
8. Consent
We obtain informed consent before collecting or sharing personal and health information, except where collection or disclosure is required or authorised by law.
Consent may be provided in writing, verbally, electronically, or through a legal guardian or authorised representative. Participants can withdraw consent at any time by contacting us in writing.
9. Storage, Security and Data Hosting
Butterfly Health Group is committed to maintaining the confidentiality and integrity of personal and health information.
All information is stored:
On secure servers located in Australia;
Within secure clinical software platforms that meet Australian data protection standards;
In physical files stored in locked cabinets with restricted access.
We implement industry best practice security measures, including:
Encryption and password protection of digital records;
Multi-factor authentication where appropriate;
Access controls and staff training;
Secure destruction of records in accordance with legal retention periods.
10. Cross-Border Disclosure and Offshore Storage
We do not store or transfer participant personal or health information offshore.
This aligns with our obligations under the NDIS Practice Standards – Information Management, the Privacy Act 1988 (Cth), and Australian Privacy Principle 8 (APP 8) (Cross-border disclosure).
In the event that offshore storage or processing is ever required in the future (e.g., through a third-party IT vendor):
We will obtain explicit, informed written consent from the participant or their legal representative;
We will ensure the overseas recipient is subject to privacy laws or contractual obligations equivalent to or exceeding Australian Privacy Principles;
We will conduct a formal privacy and security risk assessment; and
We will remain legally accountable for the protection of the data at all times.
Our default and preferred practice is to store all data within Australia.
11. Disclosure of Information
We may disclose information to:
Other treating health, education, or support professionals involved in the participant’s care (with consent);
The NDIS Commission, NDIA, or other government authorities as legally required;
Support coordinators, plan managers, or relevant service providers (with consent);
Emergency services if there is a risk of serious harm;
Legal or regulatory bodies pursuant to a subpoena, warrant, or investigation.
We do not sell, rent, or trade personal information.
12. Access and Correction
Participants or their authorised representatives have the right to:
Access their personal and health information;
Request corrections to ensure accuracy, completeness, and currency.
Requests must be made in writing. We will respond within a reasonable timeframe and in accordance with applicable legislation. If access is refused, we will provide written reasons and inform the individual of their rights to escalate the matter.
13. Retention and Destruction of Records
We retain records in accordance with Victorian and Commonwealth legislative requirements, including minimum retention periods for health records.
When no longer required, personal information will be securely destroyed or permanently de-identified.
14. NDIS Obligations
As an NDIS provider, Butterfly Health Group adheres to:
NDIS Code of Conduct;
NDIS Practice Standards (Rights and Responsibilities, Privacy and Dignity, Information Management);
NDIS Quality and Safeguards Commission reporting requirements.
15. Notifiable Data Breaches
In accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), we will:
Promptly assess any data breach involving personal information;
Notify affected individuals and the OAIC (and/or NDIS Commission) if serious harm is likely;
Take immediate steps to mitigate the impact and prevent future occurrences.
16. Complaints and Dispute Resolution
If you believe your privacy has been breached or mishandled, you may make a complaint to:
Privacy Officer
Butterfly Health Group
279A McKinnon Road, McKinnon Vic 3204
Email: info@butterflyhealthgroup.com.au
Phone: 0412 360 423
We will respond to complaints promptly and fairly.
If unresolved, you may contact:
Office of the Australian Information Commissioner (OAIC) – www.oaic.gov.au
Health Complaints Commissioner Victoria – www.hcc.vic.gov.au
NDIS Quality and Safeguards Commission – www.ndiscommission.gov.au
17. Policy Review and Updates
This policy will be reviewed annually or as required to reflect legislative or operational changes. The most current version will be available on our website or upon request.
18. Contact
For all privacy-related queries, access requests, or complaints, please contact:
Privacy Officer
Mary Mastos
279A McKinnon Road, McKinnon Vic 3204
Email: info@butterflyhealthgroup.com.au
Phone: 0412 360 423
Key Legislative References:
Privacy Act 1988 (Cth) & Australian Privacy Principles
Health Records Act 2001 (Vic)
NDIS Act 2013
NDIS Practice Standards – Information Management
Notifiable Data Breaches Scheme
OAIC Guidelines
