Privacy Policy

The Mental Health Foundation Australia (MHFA) is committed to protecting your privacy and ensuring the confidentiality, integrity, and security of your personal information.


This Privacy Policy outlines how we collect, use, store, and manage your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988, the guidelines published by the Office of the Australian Information Commissioner (OAIC), and the information security controls required by our ISO 27001 certification.


We value your trust and want you to feel comfortable with how we handle your personal information. By using our services, you’re agreeing to the terms outlined in this Privacy Policy. If you have any concerns or don’t agree with something, please don’t hesitate to reach out to us. We’re here to help and ensure you feel supported.

 

Collection of Personal Information

We collect personal information that is necessary to provide mental health services to you, including but not limited to:

  • Contact details (name, phone number, email address)
  • Demographic information (age, gender, location)
  • Health information (medical history, mental health status)
  • Billing and payment information (where applicable)


We collect this information directly from you during interactions such as booking appointments, filling out intake forms, or communicating with us via phone, email, or in-person.

 

Use of Personal Information

We use the personal information we collect for the following purposes:

  • To provide mental health services, including counselling and peer support groups.
  • To manage appointments, billing, and payment processes.
  • To communicate with you regarding your support, including appointment reminders and follow-ups.
  • To improve the quality of services we offer through feedback or surveys.
  • To comply with legal and regulatory requirements, including reporting obligations to relevant health authorities.

We will not use your personal information for any other purposes without your consent, unless required or permitted by law.

 

ISO 27001 - Information Security Management Systems

As an ISO 27001 certified organisation, we adhere to recognised international standards of information security to protect your personal information. Certification attests that we have implemented an Information Security Management System (ISMS) that addresses the confidentiality, integrity, and availability of the data we handle. Under this ISMS, all personal information stored or transmitted electronically is encrypted to protect its confidentiality, and access to your personal information is restricted to authorised personnel.


We regularly assess risks to personal information and implement security measures to mitigate potential threats. We conduct regular internal and external audits to ensure compliance with ISO 27001 standards and continuously improve our security practices.

 

Disclosure to Third Parties

We do not sell, rent, or share your personal information with third parties for marketing purposes. We may, however, disclose your personal information to the following entities only when necessary and in accordance with applicable laws:

  • Health professionals and medical practitioners: We may share relevant information with other healthcare professionals involved in your treatment if you have consented or if it is required to provide continuity of care.
  • Service providers: Third-party service providers that help us manage our operations, such as IT service providers or payment processors, may have access to your information. These providers are bound by confidentiality agreements and are only permitted to use the information for the specific services they provide to us.
  • Legal and regulatory authorities: If required by law, we may disclose your personal information to government authorities, regulatory bodies, or law enforcement agencies.


In all instances, we ensure that any third party with access to your information adheres to security and confidentiality standards consistent with those required by our ISO 27001 certification.

 

Data Retention and Deletion

We retain your personal information only for as long as it is necessary to fulfil the purposes for which it was collected and in accordance with legal and regulatory requirements. Once the personal information is no longer required, we will securely delete or anonymise the data in compliance with our data retention policy.


Personal information related to mental health treatment is typically retained for a minimum of 7 years in accordance with health record-keeping standards. Once this period has elapsed and the information is no longer required, it will be securely destroyed. We follow industry best practices and ISO 27001 standards for data retention and deletion.

 

Your Rights and Access to Information

You have the right to:

  • Request access to the personal information we hold about you.
  • Request correction of any inaccuracies in your personal information.
  • Withdraw your consent to the use of your personal information at any time, subject to certain legal and contractual restrictions.
  • Request deletion or anonymisation of your personal information (subject to our legal obligations and data retention policy).


If you would like to exercise any of these rights, please contact us using the details below. We will respond to your request promptly and in accordance with our obligations under the Privacy Act 1988.

 

How to Contact Us

If you have any questions about this Privacy Policy, wish to make a complaint, or exercise any of your rights under the Privacy Act, please contact us:

Mental Health Foundation Australia
Email: data.privacy@mhfa.org.au
Phone: 03 8825 3500
 

We will respond to your request as soon as possible.

 

Policy Changes

We may update this Policy from time to time. The current version is available on our website.