Privacy Policy

1. Introduction

 

Treefrog Music Therapy (“we”, “us”, “our”) is committed to protecting the privacy and confidentiality of your personal information.

 

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). For NDIS participants, we also align our practices with the NDIS Quality and Safeguards Framework.

 

This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information, and how you can access or correct it.

 

By engaging with Treefrog Music Therapy, you agree to the terms of this Privacy Policy.

 

2. Who we are

 

Business Name: Treefrog Music Therapy

ABN: 68 153 383 890

Business Structure: Sole trader, mobile music therapy practice

Principal Place of Business: Albion, 4010, QLD

Contact:

 

• Email: brad@treefrogmusictherapy.com

• Phone: 0425434654

 

3. What personal information we collect

 

The type of information we collect depends on how you interact with us. It may include:

 

3.1 Participant and family information

 

• Name, date of birth, gender/pronouns

• Address and contact details (phone, email)

• NDIS status (e.g. self-managed, plan-managed, NDIA-managed)

• NDIS number (optional)

• Emergency contact details

• Cultural or language background where relevant to service delivery

• Information about family structure and household (where relevant to therapy and safety)

 

3.2 Health and support information

 

• Diagnosis and relevant medical history (as provided by you, your guardian, or other professionals)

• Reports, assessments, and therapy goals from other professionals (e.g. speech, OT, psychology, school)

• Medication and risk information relevant to safe service delivery

• Behaviour support information and safety plans

• Therapy goals, progress notes, and session summaries

 

3.3 Funding and administrative information

 

• NDIS plan details (start/end dates, goals, funding categories where relevant)

• Plan manager or support coordinator details

• Invoices, payment records, and billing information

 

3.4 Website and communication information

 

• Information you provide through our website contact forms, email, phone, text, or social media messages

• Any feedback, complaints, or compliments you submit

 

3.5 Media and consent-based information

 

• Photos, audio, or video recordings (only where you have given explicit consent)

• Preferences regarding how we can or cannot use media (e.g. social media, resources, reports)

 

We will not collect more information than is reasonably necessary to provide a safe and effective music therapy service.

 

4. How we collect personal information

 

We collect information in several ways, including:

 

• Directly from you (the participant)

• From a parent, guardian, or legally authorised representative

• From your plan manager or support coordinator

• From other professionals (e.g. therapists, teachers, doctors) when you have given consent

• Through our website, email, phone, text, and practice management software (e.g. Splose)

• Through observations during sessions, which are recorded in clinical notes

 

Where reasonable and practical, we collect information directly from you or your guardian and explain why we are collecting it.

 

5. Why we collect personal information (purpose of use)

 

We collect, use, and store your information for purposes including:

 

• Assessing your needs and suitability for music therapy

• Planning, delivering, and reviewing music therapy sessions

• Documenting clinical notes, progress, and outcomes

• Communicating with you, your family, and your support team

• Coordinating services with other providers (with your consent)

• Managing bookings, invoicing, and NDIS-related administration

• Meeting legal, regulatory, and professional obligations

• Quality improvement, service planning, and de-identified data analysis

• Responding to feedback, complaints, incidents, and safety concerns

 

We only use your personal information for the purposes for which it was collected, or for related purposes that you would reasonably expect.

 

6. Consent

 

We will generally seek your consent (or your guardian’s consent) before:

 

• Collecting sensitive information

• Sharing information with other providers, schools, or services

• Taking or using photos, audio, or video recordings

 

Consent may be:

 

• Written (e.g. consent form, email)

• Verbal (documented in notes)

• Implied from your actions (e.g. continuing to participate after an explanation)

 

You can withdraw or change your consent at any time by contacting us. Some services may not be able to continue if we cannot access certain information needed for safe practice.

 

7. How we store and protect your information

 

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

 

This includes:

 

• Using secure, password-protected practice management software (e.g. Splose) for clinical notes and client records

• Storing electronic information on secure devices and platforms with appropriate access controls

• Limiting access to your information to those who need it to provide services

• Avoiding unnecessary paper records; any physical documents are stored securely and disposed of safely when no longer needed

• Using secure methods for sharing documents (e.g. encrypted email where possible, or secure portals)

 

We retain records for the period required by law and professional standards (for example, minimum record-keeping periods for health records). After this time, information is securely destroyed or de-identified.

 

8. When we may share your personal information

 

We respect your confidentiality and do not sell or trade personal information.

 

We may share information with:

 

• Parents, guardians, or legally authorised representatives (where appropriate)

• Your support coordinator, plan manager, or other NDIS-related contacts

• Other health, education, or support professionals involved in your care (with consent)

• Our professional advisers (e.g. accountant) where necessary and subject to confidentiality

• IT and practice management providers who support our systems (who are bound by privacy obligations)

 

We may also disclose information without your consent where required or authorised by law, for example:

 

• If there is a serious risk to your life, health, or safety, or that of another person

• If we are required to report under child protection, mandatory reporting, or other legal obligations

• If requested by a court, tribunal, or government authority

 

Where possible and safe, we will let you know if we need to share information in these situations.

 

9. Cross-border disclosure

 

We primarily store data in Australia. Some third-party service providers (such as cloud-based software or email services) may store data on servers located outside Australia.

 

Where this occurs, we take reasonable steps to ensure those providers handle your information in a way that is consistent with Australian privacy laws.

 

10. Accessing and correcting your information

 

You have the right to:

 

• Request access to the personal information we hold about you

• Ask us to correct information that is inaccurate, incomplete, or out-of-date

 

To do this, contact us using the details in Section 2. We may need to verify your identity or ensure you are legally authorised (for example, in the case of a child or person with a guardian).

 

In some situations, we may lawfully refuse access (for example, if providing access would pose a serious threat to someone’s safety, or breach another person’s privacy). If this happens, we will explain why and outline any options available.

 

There is no fee to request access or correction. A reasonable fee may apply if you request copies of extensive records.

 

11. Anonymity and pseudonyms

 

Where it is lawful and practical, you may interact with us anonymously or using a pseudonym (for example, making a general enquiry). However, for music therapy services and NDIS-related work, we usually need accurate identifying information to provide safe and appropriate care and to comply with funding and legal requirements.

 

12. Data breaches

 

A data breach occurs when personal information is lost or accessed, disclosed, or altered without authorisation.

 

If a data breach occurs, we will:

 

• Take immediate steps to contain and assess the breach

• Determine whether it is likely to result in serious harm

• If required under the Notifiable Data Breaches scheme, notify you and the Office of the Australian Information Commissioner (OAIC)

• Review and improve our systems to reduce the risk of future breaches

 

13. Complaints about privacy

 

If you have concerns or a complaint about how your personal information has been handled, please contact us first so we can try to resolve the issue:

 

Treefrog Music Therapy

Email: brad@treefrogmusictherapy.com

Phone: 0425434654

 

We take privacy concerns seriously and will respond as soon as reasonably practicable.

 

If you are not satisfied with our response, you may contact:

 

Office of the Australian Information Commissioner (OAIC)

Website: www.oaic.gov.au

Phone: 1300 363 992

 

NDIS participants may also raise concerns with the NDIS Quality and Safeguards Commission:

Website: www.ndiscommission.gov.au

Phone: 1800 035 544

 

14. Changes to this Privacy Policy

 

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our practice. The most current version will be available on our website or can be provided on request.

 

Last updated: 18th November 2025