
Privacy Policy

Introduction

At Megan’s Music ABN: 28 538 722 743 (referred to as “we”, “us”, or “our”), we are committed to protecting your privacy and ensuring the confidentiality of your health and personal information. This privacy policy explains how we collect, use, disclose and protect your information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and relevant Queensland privacy and health records legislation. As a private allied health provider, our practices are also guided by relevant Queensland health regulations, child safety frameworks and the NDIS Code of Conduct.

 

In order to interact with us and use our services you will need to provide some personal information. This policy explains why this is so, how we use the personal information that you provide, and how we keep that information safe. 


Whether or not you provide personal information to us is entirely up to you. However, because we provide clinical health services, we may not be able to safely or effectively provide our services or products to you without it. 

 

When we collect your personal information, we endeavour to let you know transparently why we are doing so, and how we intend to use that information to support your care.

 

Policy review statement 

This policy may be amended or reviewed regularly to ensure it remains applicable to our current practice procedures and legal requirements. When an amendment is made, it may be accessed on our website, or via email or hard copy as required.

 

1. What Information Do We Collect? 

 

Megan’s Music may collect personal information where it is required for the work we undertake. We will only collect personal information by lawful and fair means, and primarily directly from you (for example, through our interaction with you or your use of our website).

 

The types of personal information collected may depend on your interaction with Megan’s Music, such as whether you are participating in education services or music therapy services.

 

To provide you with high quality music therapy services, we need to collect relevant personal and sensitive (health) information.

 

We may collect:

  • Personal details (Name, date of birth, gender)

  • Your contact information (address, email and phone number) 

  • Personal information (next of kin details, photographic images, attendance records, personal interests, hobbies, current activities, academic profiles, behaviour records, employment history, educational qualifications). 

  • Health and Clinical information (Medical history, disabilities, diagnoses, physical or cognitive abilities, psychological history, current medications, immunisation history, information about your functional capacity. Other health information that you provide). 

  • Medicare number or Private health fund details (if applicable)

  • NDIS (National Disability Insurance Scheme) number, NDIS plan, NDIS Goals, or relevant NDIS contact details you may share (such as plan nominee, child representative, support coordinators, other therapists or support worker). 

  • Emergency Contact details: Personal details and contact information of emergency contacts

  • Legal Guardian details: Personal details and contact information of legal guardians

  • Medical reports or information shared with us by yourself, other practitioners or stakeholders. This may also include the details of other practitioners, schools, residential facility, or other stakeholders involved in the care of the client that have been shared with us. 

  • Session Notes: Clinical observations, progress reports, and evaluations recorded during or after music therapy sessions

  • Media: Audio or visual recordings of sessions (collected only with your explicit, separate consent), used for clinical review, tracking progress, or reporting.

  • Financial information: Banking details for management of fees for our services.

2. How We Collect Your Information

 

There are several ways in which we may collect your personal information directly from you (or your authorised representative/guardian) including, but not limited to:   

  • Intake forms and client registration processes 

  • Waitlist forms 

  • Emails, website contact forms, text message or phone enquiries. 

  • Enquiries on social media channels. 

 

In the intake form or waitlist form, where information is not collected directly from you, we ask for confirmation that the person is authorised and has consent to share that information on your behalf.

 

In some circumstances information may also be collected from other sources throughout the course of services. This may include information collected from your guardian or responsible person, or information they provide consent to collect if they are authorised to act on your behalf. With your consent, we may collect information from third parties, such as your GP, paediatrician, medical specialist, other allied health professionals involved in your care (OT, speech pathologist, psychologist), school, or NDIS support coordinator, hospitals, or community health services. 

 

When you visit our website, we may collect information other than personal information. This may happen even if you are only browsing. Rest assured we will only ever use this information in an aggregated form. Information of this type includes: 

  • Your server’s IP address (an identifier unique to the device that you use to surf the web);

  • Your browser and operating system details; 

  • The date, time and duration of your visit; and 

  • Information about your visit, such as which pages you viewed.

3. Why We Collect and Use Your Information

 

We collect and use your information primarily to deliver safe, effective and personalised music therapy or adaptive music lessons.

 

  • To assess your needs and design clinical music therapy programs. 

  • To provide ongoing therapy and document your progress.

  • To communicate with you regarding appointments, billing and services. 

  • To liaise with other members of your multidisciplinary care team (with your consent) 

  • To meet legal, regulatory, and professional obligations (e.g. Australian Music Therapy Association guidelines, Queensland College of Teachers, NDIS Quality and Safeguards Commission requirements). 

  • To provide our best music education to the student in adaptive music lessons

  • To contact the parent/guardian 

  • To liaise with any medical authorities in the event of an emergency

  • To process payments, Medicare, private health fund, or NDIS claims. 

 

4. When We Disclose Your Information

 

We will not disclose your personal or health information to third parties without your consent, except in the following circumstances. 

 

  • Continuity of Care - Sharing reports or updates with your GP, Specialist, or other allied health professionals directly involved in your care, where you have authorised us to do so. This may also include sharing reports with other stakeholders such as schools or teachers where you have authorised us to do so. 

  • Funding bodies - providing necessary reports or billing information to NDIS, Medicare, or insurance providers for the purpose of funding or rebates or meeting funding body requirements. 

  • Legal & Safety Requirements - Some permitted exceptions apply, including where we are legally required to disclose, or where disclosure is required to protect the personal safety of any individual or the public. This includes where we are legally compelled or authorised to do so (e.g., subpoena, mandatory reporting of child harm, or professional duty of care to prevent a serious threat to life, health or safety).

 

Your information is kept strictly confidential. However, we are legally required to disclose information without your consent if we reasonably suspect a child or vulnerable person is at risk of harm, in compliance with our mandatory reporting obligations under the Child Protection Act 1999 (Qld) and the Child Safe Organisations Act 2024 (Qld). 

 

We do not sell, rent or trade personal information to third parties for marketing purposes or other purposes not listed above. 

5. Storage and Security of Your Information

 

We take the security of your clinical records and personal information very seriously. We take all reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Your data is stored and handled across different secure platforms depending on how you interact with Megan’s Music. Your information may be stored in secure electronic databases and locked physical filing systems. 

 

Digital Security  

We utilise password-protected, encrypted, and compliant allied health practice management software (such as Splose or Halaxy). We chose Australian-based practice management systems, where data is currently encrypted and hosted locally on secure cloud servers within Australia.

External Platforms and Data Transit 

When you interact with us outside of our clinical software, your data may be processed by trusted global infrastructure providers. Teaching, administrative and communication data may be subject to overseas transit.

  • Teaching software (if applicable): My Music Staff has been used for storing music lesson data, where the practice management system has not been used. 

  • Website and Forms: Our website is hosted by Wix. When you submit a contact form, data is processed using Wix’s secure multi-cloud infrastructure which may back up data outside of Australia (primarily in the United States and Ireland). No sensitive clinical health records are stored on our website. 

  • Email & Social Media: Standard email inquiries and business workflows are processed through Google. If you contact us via social media, data is processed through Meta. 

  • End-to-End Encryption: For participants who strictly prefer End-to-End (E2E) encrypted email communications, we can provide a Proton Mail address upon request (though this is not our default administrative email).

 

Some of these global platforms may process, back up, or store administrative data on secure servers located outside Australia (including but not limited to Switzerland, the United States, and Europe). To the extent your personal information is stored on an overseas server, Megan’s Music will take such steps as are reasonable to ensure that your information is kept securely and treated confidentially, in accordance with Megan’s Music’s requirements under the relevant privacy laws. By engaging our services, you consent to this overseas data transit for administrative purposes.

 

Website, Cookies, and Infrastructure

The security of personal information is very important to us. We take all reasonable precautions to protect the personal information that we hold from misuse, loss, unauthorised access, modification or disclosure. 

 

Our website has an SSL (Secure Sockets Layer) certificate installed (currently hosted through Wix) - a standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remains private.

 

Cookies 

A cookie is a small piece of data created by a website and stored by your web browser. Cookies make it possible for a website to keep track of your actions and preferences over time. Our website may be configured to use cookies to make your visit more enjoyable, but you do not need to accept cookies to use our website. 

 

Links to Third-Party Websites and Social Media

Our website may contain links to websites or applications owned or operated by third parties, and incorporates interfaces to certain social media platforms (Facebook, WhatsApp, and Instagram).

 

We take no responsibility for the privacy practices, tracking mechanisms, or content of such websites. Please click with caution. Before interacting with these interfaces, we advise you to read the privacy policy of those specific third-party applications or websites carefully. 

 

Device Security

We utilise secure mobile devices and digital platforms to manage everyday business communications (calls, texts, and emails). To protect against hardware loss or failure, device backups (including contact logs, messages or media files) are stored using reputable, enterprise-grade third-party cloud storage providers, encrypted both in transit and at rest. We use strict device-level access controls, including multi-factor authentication (MFA) and biometric or strong password locks. The third-party cloud providers we utilise host data on global server networks. By engaging our services, you acknowledge that your encrypted data may transit or be stored on servers located outside of Australia (such as the United States).

Third-Party Applications 

During music therapy interventions, we may use third party music applications that record, process or store a participant’s voice, image, or music. Where these applications are used, we will discuss this with you beforehand. Participants may choose to use their own personal device for these applications, or review the specific privacy policies of those third-party applications prior to use. 

 

Data Retention

In accordance with health regulations and professional standards for music therapy: 

Adults: We retain clinical records for a minimum of 7 years from the date of last service. 

Children: Records for clients who are minors are securely retained until the individual turns 25 years of age.

Exceptions to destruction: We may retain records for longer periods, or indefinitely, where mandated or required by law. This includes, but is not limited to, records relating to child safety, protection, and welfare, records relevant to ongoing or anticipated legal proceedings, insurance claims or where a formal government legal disposal freeze applies. 

 

Data Breaches

While we maintain robust security protocols to prevent data mishandling, in the event of a security incident we will immediately conduct an assessment. In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth), if we determine that an eligible data breach has occurred - meaning personal or sensitive information was accessed or disclosed in a way that is likely to result in serious harm to an individual - we will promptly notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).

 

6. Accessing and Correcting Your Information

 

You have a right to request access to the personal and health information we hold about you. You can also request that we correct any information you believe is inaccurate, out of date, or incomplete. 

To request access or corrections, please contact us in writing using the details below: 

 

Music Therapy Requests: therapy@megansmusic.com.au

Music Education Requests: musiclessons@megansmusic.com.au

 

We will respond to your request within a reasonable timeframe (usually 30 days). Please note, we will need to verify your identity before releasing or updating any medical or personal records. 

  

7. Complaints

 

If you wish to make a complaint about our Privacy Policy or the way your information has been handled, you may do so by lodging a formal complaint with us directly via the contact details below.

 

We take privacy complaints seriously and will investigate and attempt to resolve your concern promptly and in writing (usually within 30 days). 

 

If you are dissatisfied with our response, you have the right to escalate the complaint to an external regulatory body: 

 

The Office of the Australian Information Commissioner (OAIC)

For complaints regarding strict breaches of the Australian Privacy Principles or data handling. www.oaic.gov.au | 1300 363 992

The Office of the Health Ombudsman (OHO) Queensland

For broader complaints regarding health service quality, practitioner conduct, or medical records management in Queensland.

www.oho.qld.gov.au | 133 OHO (133 646)

The NDIS Quality and Safeguards Commission

For NDIS Participants wishing to raise concerns or complaints regarding the quality, safety, or standards of NDIS-funded services and supports. 

www.ndiscommission.gov.au | 1800 035 544

 

8. How to Contact Us

 

For all data access requests, corrections, or privacy-related complaints, or if you have any queries or concerns about anything you have read in this Policy, please do not hesitate to contact us directly:

 

Contact Person: Megan Murray

Role: Owner, Registered Music Therapist, and Music Teacher  

Business Name: Megan’s Music 

Address: PO BOX 5768 RED HILL ROCKHAMPTON QLD 4701

Music Therapy Email: therapy@megansmusic.com.au

Music Education Email: musiclessons@megansmusic.com.au

Phone: 0405 222 976 
