Privacy Policy
Last Updated: February 2026
Outcomes Lab Pty Ltd ABN 87 676 259 091 ("we", "us", "our") provides psychology, neuropsychology, and positive behaviour support services as an NDIS-registered provider (Organisation ID: 4050165135).
This Privacy Policy outlines how we collect, hold, use, and disclose your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. This Policy should be read alongside our Informed Consent for Services form and any Service Agreement you have entered into with us.
We may update this Privacy Policy from time to time. The most current version will always be available on our website.
1. What Is Personal Information?
Personal information means any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not. This includes health information, which refers to information about a person's physical, mental, or psychological health, disability, or the health services provided to them.
Sensitive information is a subset of personal information that is generally afforded a higher level of privacy protection. Sensitive information includes health and genetic information and information about racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, and some types of biometric information.
2. What Personal Information Do We Collect?
We may collect a variety of personal and health-related information, including:
- Your full name, date of birth, gender, pronouns, and contact details (email, phone number, address)
- NDIS number, plan details, and funding information
- Medicare, private health insurance, VOCAT, TAC, or other funding body details
- Emergency contact or next of kin information
- Cultural background, language preferences, and accessibility needs
- Information provided in referrals from GPs, specialists, support coordinators, or other agencies
- Clinical notes, assessment results, treatment records, and behaviour support plans
- Appointment history and progress notes
- Communication records (e.g., emails, phone calls, intake correspondence)
- Billing and payment information
- Intake forms, consent forms, and other documentation required for service delivery
- Photos, videos, and audio recordings collected for assessment, progress monitoring, or clinical documentation purposes on an as-needed basis and with your consent
3. How Do We Collect Your Information?
We collect information:
- Directly from you when you contact us, complete forms, participate in an intake process, attend appointments, or use our website
- From your treating Practitioner during the course of assessment or therapy
- From third parties including referring practitioners (e.g., GPs, psychiatrists), support coordinators, plan managers, schools, or government agencies
- From your authorised representative (e.g., parent, legal guardian, or NDIS-appointed nominee)
Collection may occur via our practice management system, by email or phone, in person, via telehealth, or through our website.
4. Why Do We Collect Your Information?
We collect your personal and health information to:
- Deliver psychology, neuropsychology, and positive behaviour support services
- Schedule and manage your appointments
- Develop and review clinical documentation, including behaviour support plans
- Process billing and claims through the NDIS, Medicare, or other funding bodies
- Communicate with you and your support network about your care
- Comply with our obligations under health, privacy, and disability legislation
- Ensure continuity of care and coordinate with other professionals involved in your support (with your consent)
- Maintain and improve the quality of our services
- Conduct quality assurance activities, research, and analysis in a manner that does not identify individuals
- Comply with NDIS Practice Standards, auditing, and reporting requirements
- Recruit employees, contractors, and volunteers
- Carry out internal functions including administration, training, accounting, and information technology
If you choose not to provide certain information, we may be unable to fully deliver our services, which may affect your plans and goals.
5. When Do We Disclose Your Information?
We may disclose your personal information to:
- Your GP, psychiatrist, or other health professionals involved in your care (with your consent)
- Support coordinators, plan managers, schools, or other providers supporting you (with your consent)
- Funding providers including the NDIA and Medicare
- Government and regulatory bodies including the NDIS Quality and Safeguards Commission, the Department of Social Services, and the Australian Taxation Office
- People acting on your behalf including nominated representatives, legal guardians, and legal representatives
- Police, courts, or tribunals where required by law
- Financial institutions for payment processing
- Supervisors and peer consultants, using de-identified information only
- NDIS auditors, in accordance with regulatory requirements
- Our contracted service providers (e.g., IT providers, external business advisers) who are obligated to handle your information in accordance with applicable privacy legislation
Your information will not be disclosed without your consent, except where:
- There is a serious and imminent risk of harm to you or another person
- Disclosure is required or authorised by law (e.g., mandatory reporting obligations, court orders)
- Authorised staff need to access your file for clinical governance, complaints management, leave coverage, or risk and safety concerns
- You would reasonably expect the information to be used or disclosed for the primary purpose of your care
We do not sell your personal information or use it for direct marketing without your consent.
6. Practice Management and Payment Systems
We use secure, cloud-based systems for practice management, clinical documentation, billing, communication, and administrative workflows. All systems used to store or process personal information are encrypted, access-controlled, and operated by providers who are contractually required to handle personal information in accordance with applicable privacy legislation.
A third-party payment processor is used for card payments. We do not store your payment card details directly.
7. How Do We Secure Your Information?
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:
- Encryption of all digital records
- Password-protected access to all systems with role-based restrictions
- Firewalls and anti-virus software
- Controlled access to our premises
- Confidentiality obligations for all staff and contractors
- Training and workplace policies
No method of electronic storage or transmission is completely secure. While we take all reasonable precautions, we cannot guarantee the absolute security of your information.
8. How Long Do We Keep Your Information?
All client records and personal information are retained for at least seven years after a client ceases to be a client, or until the client turns 25 if services were provided while they were under 18 — whichever is longer. This is consistent with legal and professional requirements.
When records are no longer required, they are securely destroyed or de-identified.
9. Data Breaches
In the event of an eligible data breach likely to result in serious harm, we will comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), including notifying affected individuals and the Office of the Australian Information Commissioner as required.
10. Overseas Disclosure
Some third-party systems we use may store or process data on servers located outside Australia. Where this occurs, we ensure appropriate safeguards are in place in accordance with the Australian Privacy Principles.
11. Accessing or Correcting Your Information
You have the right to:
- Request access to the personal information we hold about you
- Ask us to correct information that is inaccurate, out of date, or incomplete
- Withdraw or amend your consent
Requests should be submitted in writing to hello@outcomeslab.com.au. We may need to verify your identity before processing a request. Requests involving clinical notes may require consultation with the relevant Practitioner.
In limited circumstances, access may be refused where permitted or required by law. If access is denied, we will explain the reasons and available remedies.
12. Children's Privacy
We provide services to children and young people. Where a client is a minor, personal information is typically collected with the consent of a parent, legal guardian, or authorised representative. Where appropriate, a minor may make independent privacy decisions if they are assessed by their Practitioner as having the maturity and understanding to do so.
13. Website, Cookies, and Log Data
Our website may use cookies and third-party analytics tools to collect usage statistics including IP address, browser type, pages visited, and time and date of visits. Cookie settings can be controlled through your browser. We do not use cookies to identify individual users or collect personal health information.
14. Questions or Complaints
If you have a question about this Privacy Policy, wish to make a privacy-related request, or want to raise a concern, please contact us:
Email: hello@outcomeslab.com.au
Phone: 03 7064 0444
If your concern is not resolved to your satisfaction, you may contact:
- Office of the Australian Information Commissioner: www.oaic.gov.au
- NDIS Quality and Safeguards Commission: www.ndiscommission.gov.au | 1800 035 544
- Health Complaints Commissioner (Victoria): www.hcc.vic.gov.au
