Privacy Policy
1. ABOUT THIS POLICY
1.1 Purpose
Dr Kristen Lovric is committed to ensuring privacy and confidentiality of personal information and must comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) as well as other privacy laws that govern how service providers such as Dr Kristen Lovric handle your personal information (including but not limited to client mental health information).
The purpose of this Privacy Policy is to clearly communicate for your understanding what information Dr Kristen Lovric holds about you and how she endeavours to handle your personal information.
This Privacy Policy applies to Dr Kristen Lovric’s business as a sole trader.
1.2 To whom this policy applies
This Privacy Policy applies to Dr Kristen Lovric’s collection, use and disclosure of personal information from clients and visitors, next-of-kin, nominated support persons, referring doctors, Accredited Health Professionals, contractors, suppliers, and service providers engaged, employees and other representatives/individuals engaged by or providing services to Dr Kristen Lovric.
In relation to employees of Dr Kristen Lovric, this Privacy Policy will apply only to the extent that the collection, use or disclosure of that personal information does not fall within the definition of an exempt practice pursuant to section 7B(3) of the Privacy Act 1988 (Cth).
1.3 Currency
This Privacy Policy was last updated in April 2024 and is subject to change. The most up-to-date copy will be published on Dr Kristen Lovric’s website or can be obtained by contacting her on the details set out at the end of this policy.
2. HOW PERSONAL INFORMATION IS HANDLED
2.1 Legal Obligations
As an allied health service provider, Dr Kristen Lovric is required to comply with the APPs under the Privacy Act 1988 (Cth).
The APPs regulate how Dr Kristen Lovric may collect, use, disclose and store personal information and how individuals may access and correct personal information which Dr Kristen Lovric holds about them. For ease of reference, this Privacy Policy sets out Dr Kristen Lovric’s position with respect to patient and any other individuals’ personal information separately.
2.2 Terms used
In this Privacy Policy, she uses the terms:
"Personal information" which as defined in the Privacy Act 1988 (Cth) means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not, and recorded in a material form or not.
Personal information also includes 'sensitive information' such as your race, religion, political opinions or sexual preferences, and health information. 'Sensitive information' attracts a higher privacy standard under the Privacy Act 1988 (Cth) and is subject to additional protective mechanisms.
"Health information" as it is defined in the Privacy Act 1988 (Cth) is a subtype of 'personal information' which means information or an opinion about the health or a disability (at any time) of an individual or an individual's expressed wishes about the future provision of health services to them or a health service provided.
“Primary purpose” means the specific function for which the information is collected. Any other use or disclosure of personal information is known as the “secondary purpose”.
2.3 From whom information is collected
2.3.1 Clients
To provide you with the health related services requested, Dr Kristen Lovric will need to collect and use your personal information. Provision of incomplete or inaccurate information to her or withholding of personal health information from her may impact her ability to be able to provide you with optimal services.
2.3.2 Third parties
To enable Dr Kristen Lovric to engage with you for the primary purpose, Dr Kristen Lovric may need to collect and use your personal information where relevant. As above, if she is provided with incomplete or inaccurate information or personal information is withheld, she may not be able to engage with you as required to meet that primary purpose.
2.3.3 Anonymity and pseudonymity
Under certain circumstances, you may have the option of dealing with Dr Kristen Lovric anonymously or by using a pseudonym; however, this may limit the services able to be provided to you if it is impracticable.
2.4 Information collected
2.4.1 Clients
Dr Kristen Lovric collects personal information from you that is reasonably necessary to provide you with health care services and for administrative and internal business purposes related to your attendance/service provision at a Dr Kristen Lovric facility. As discussed, this may include collecting information about your health history, family history, your ethnic background or your current lifestyle to assist in diagnosing and treating your concerns. Typically, she will collect your health information directly from you. Sometimes, she may need to collect information about you from a third party such as a relative or another health service provider. She will only do this if you have consented for her to collect your information in this way or where it is not reasonable/practical for collection of this information directly from you, such as where your health may be at risk and she needs your personal information in the case of an emergency. In some circumstances, Dr Kristen Lovric may also access/collect information from an electronic Government record repository such as the Australian Immunisation Register or MyHealth Record (collectively ‘Government Record’) in accordance with any access controls that you have set within each system (as applicable) to any extent required for optimising service provision. If you do not want Dr Kristen Lovric to access personal information stored in your Government Record, it is your responsibility to modify the access controls as required.
2.4.2 Third parties
Dr Kristen Lovric also collects from third parties personal information that is reasonably necessary to engage with you for the primary purpose, for Dr Kristen Lovric’s functions or activities and for administrative and internal business purposes related to your dealings with Dr Kristen Lovric.
Regarding individuals employed or engaged by Dr Kristen Lovric, individuals providing services to Dr Kristen Lovric, this may include sensitive information including criminal record and health information. As discussed, she will usually collect your personal information from you directly, but she may under some circumstances collect information about you from a third party where it is not reasonable or practical for her to collect this information directly. Sensitive information will not be collected without your consent unless authorised by law.
2.5 Data storage
Dr Kristen Lovric may store the personal information she collects from you in various forms, while complying with the APPs, this and associated Privacy Policies. Her website is powered and secured by Wix whose privacy policy can be accessed here: https://www.wix.com/about/privacy. Data is also stored and secured by powerdiary whose privacy policy can also be accessed here: https://www.powerdiary.com/privacy-policy/.
2.5.1 Clients
Storage of personal information may be in physical (paper) or electronic form (through an electronic medical record system or storage of personal information) at a Dr Kristen Lovric facility.
2.5.2 Third parties
As with storage of data collected directly from clients, personal information collected from third parties may be stored in various forms including electronically via various data management software or systems in accordance with Dr Kristen Lovric’s business practices, and depending on the primary purpose of your engagement. Her website is powered and secured by Wix whose privacy policy can be accessed here: https://www.wix.com/about/privacy. Data is also stored and secured by powerdiary whose privacy policy can also be accessed here: https://www.powerdiary.com/privacy-policy/.
2.6 Uses of information
Dr Kristen Lovric only uses personal information for the primary purpose for which it was given, unless one of the following applies: the use is reasonably expected, it is with your express consent, disclosure is required/authorised by criminal or other law, or disclosure will prevent or lessen a serious and/or imminent threat. Dr Kristen Lovric may use or disclose your personal information as specified above via electronic processes, where available and relevant.
The following provides examples but not an exhaustive list of related secondary purposes for which Dr Kristen Lovric may use your personal information.
(a) Use among health professionals to provide your treatment
Dr Kristen Lovric may consult with, or send health information to, supervisors and other expert allied health professionals (local or remote including outside of her facilities) when determining your diagnosis or treatment. Dr Kristen Lovric may also refer you to other health service providers for further treatment during and following your treatment and may disclose your personal information to the extent required for any such referral including electronically. Your personal information will only be disclosed or made available including electronically to those health care workers involved in, or consulted in relation to, your treatment and associated administration, maintaining confidentiality where possible, in accordance with law and to the extent required to meet that purpose. These allied health professionals may also share your personal information in the provision of assessment and/or your treatment.
(b) Assessment for provision of health care services
If you are referred to Dr Kristen Lovric by your doctor, and you have previously consulted Dr Kristen Lovric, she may, subject to the period passed between service provision, use the personal information such as your address and contact details held from your previous consultation to streamline the referral process. Dr Kristen Lovric may collect your personal information for the purpose of assessing your suitability for health care services at or from a Dr Kristen Lovric facility. Your personal information, whether or not you proceed, may still be stored for a limited period of time before destruction. Where your assessment has been conducted at the request of a Health Practitioner, Dr Kristen Lovric may report the outcome of the assessment to that Health Practitioner as relevant to any ongoing care. Where you undergo assessment by a third party provider during your treatment with Dr Kristen Lovric for the purpose of transferring your care to that third party, Dr Kristen Lovric may disclose your personal information to the third party provider for that purpose.
(c) Your general practitioner
Dr Kristen Lovric will usually send summaries to your referring medical practitioner or nominated general practitioner. This is in accordance with long-standing health industry practice and is intended to inform your doctor of information that may be relevant to any ongoing care and may be electronic in form. If you do not want her to provide summaries to your nominated general practitioner you must let her know. Alternatively, if your nominated general practitioner has changed or your general practitioner's details have changed following previous consultation, you must let Dr Kristen Lovric know.
(d) Other third party providers
If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment at a Dr Kristen Lovric facility, she will generally require an authorisation from you to provide a copy. However, she may provide information about your health records to another medical practitioner or health facility without your consent in the event of an emergency, you are not able to provide consent or as approved or authorised by law.
(e) Relatives, guardian, close friends or legal representative
She may provide information about you to your spouse or partner, parent, child, other relatives, close personal friends, guardians, or a person exercising your power of attorney with your consent, under an enduring power of attorney or who you have appointed your enduring guardian.
(f) Contracted services
Dr Kristen Lovric may engage services under contracts with third parties. Where you receive services under any such arrangements, Dr Kristen Lovric will provide your personal information as required under those contracts.
(g) MyHealth Record
For clients who participate in the Commonwealth Department of Health MyHealth Record program, Dr Kristen Lovric may upload personal information electronically unless you opt out.
(h) Invitation to participate in research
At times Dr Kristen Lovric may become aware of research which may be relevant to your concerns. Dr Kristen Lovric may use your personal information to assess your suitability for participation in the research to provide initial information about the research. Other than as authorised by law, Dr Kristen Lovric will not disclose your personal information to the researcher without your consent.
(i) Other common uses
To provide optimal treatment conditions she may also use your personal information where necessary for quality assurance processes, accreditation or compliance, audits, risk management, client satisfaction, invoicing, billing and account management, debt collection, liaison with your health fund, Medicare, or another payer and, compliance in accordance with law such as in response to a subpoena, standard (e.g., appointment) reminders via text message or email, or any other business analytics.
(j) Other uses with your consent
With your consent she may also use your information for other purposes such as research, statistical analysis, and to improve and personalise her service offerings.
(k) Accessing Dr Kristen Lovric facilities and associated services provided at Dr Kristen Lovric facilities
Dr Kristen Lovric may collect personal information including details such as your name, email address and telephone number to facilitate your access to her facilities and associated services. You may opt to decline provision of personal information for this purpose but access to the facility or service may not be granted.
(l) Camera surveillance systems
Dr Kristen Lovric may use camera surveillance systems at her facilities for the purpose of maintaining the safety and security of her staff, clients, and other attendees to those facilities. Dr Kristen Lovric's camera surveillance systems may, but will not always, collect and store personal information while complying with the APPs and this Privacy Policy.
(m) Contractors under agreement
Dr Kristen Lovric may provide, or allow access to, personal information to contractors/staff engaged to provide professional services to Dr Kristen Lovric’s business or to contractors to whom aspects of her services are outsourced whom she requires to also comply with the Privacy Act 1988 (Cth) etcetera and where applicable her Privacy Policy.
(n) Clinical research
Dr Kristen Lovric collects personal information contained within ethics review applications made to Human Research Ethics Committees for the purpose of managing the ethics review application.
2.7 Access to and correction of your personal information
You have a right to have access to the personal information that she holds about you. You can also request an amendment should you believe that it contains inaccurate information. Dr Kristen Lovric will allow access or make the requested changes unless there is a reason under the Privacy Act 1988 (Cth) or other relevant law to refuse such access or refuse to make the requested changes. If she does not agree to change your personal information in accordance with your request, she will permit you to make a statement of the requested changes and she will enclose this with your personal information. Should you wish to obtain access to or request changes to your personal information held by Dr Kristen Lovric you can ask her (see details below) to give you more detailed information about the access and correction procedure. Dr Kristen Lovric may recover reasonable costs associated with supplying this information to you.
2.8 Data quality
Dr Kristen Lovric will take reasonable steps to ensure that your personal information which she may collect, use or disclose is accurate and complete.
2.9 Data security
Dr Kristen Lovric will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. Her website is powered and secured by Wix whose privacy policy can be accessed here: https://www.wix.com/about/privacy. Data is also stored and secured by powerdiary whose privacy policy can also be accessed here: https://www.powerdiary.com/privacy-policy/.
Dr Kristen Lovric will destroy any of your information which is in its possession or control and which is no longer needed for the purpose for which it was collected provided Dr Kristen Lovric is not required under an Australian law or otherwise to retain the information.
2.10 Cross border disclosure
Dr Kristen Lovric may enter arrangements with third parties to store data she collects or to access the data to provide services such as data processing, and such data may include personal information, outside of Australia. Dr Kristen Lovric will take reasonable steps to ensure that the third parties do not substantially breach the APPs and are of an acceptable standard and approved by Dr Kristen Lovric.
3. DISCUSSING PRIVACY ISSUES
3.1 Contact
If you have questions or comments about this Privacy Policy, you can contact Dr Kristen Lovric. Please see the website contact page for Dr Kristen Lovric’s email and address.
3.2 Complaints
If Dr Kristen Lovric does not agree to provide you with access to your personal information or you have a complaint about her information handling practices you can lodge a complaint with her or directly with the Office of the Australian Information Commissioner: www.oaic.gov.au
4. HOW YOUR PERSONAL INFORMATION IS HANDLED WHEN YOU VISIT THE WEBSITE
This section of her Privacy Policy explains how she handles your personal information which is collected from her website.
4.1 Collection
When you use her website, she does not attempt to identify you as an individual user and she will not collect personal information about you unless you specifically provide this to her. Sometimes, she may collect your personal information if you choose to provide this to her via an online form or by email, for example, if you complete your consent form online, submit a general enquiry via her contacts page, or register for an event. When you use her website, she uses analytics tools such as Google Analytics to record and log for statistical purposes and abuse/fraud prevention purposes the following information about your visit, such as your Internet Protocol address, domain name, date and time, information accessed, and web browser used. She is, however, obliged to allow law enforcement agencies and other government agencies with relevant legal authority to inspect her web server logs if warranted.
4.2 Links to third party websites
She may create links to third party websites and is not responsible for the content or privacy practices employed by those websites.
4.3 Use and disclosure
She will only use personal information collected via her website for the purposes for which you have given her this information.
She will not use or disclose your personal information to other organisations or anyone else unless it is with your express consent, reasonably expected, authorised by law, or disclosure will prevent or lessen a serious and/or imminent threat. If she receives your email address because you sent her an email message, the email will only be used or disclosed for the purpose for which you have provided it.
4.5 Data quality
If she collects your personal information from her website, she will maintain and update your information as reasonably practical and necessary or when you advise Dr Kristen Lovric that your personal information has changed.
4.6 Data security
As discussed, Dr Kristen Lovric is committed to protecting the security of your personal information. Her website is powered and secured by Wix whose privacy policy can be accessed here: https://www.wix.com/about/privacy. She will take all reasonable steps to prevent your information from loss, misuse or alteration.
4.7 Access and correction
If you wish to obtain information about how to access or correct your personal information collected via her website, please refer to Access and Correction at Item 2.7 of this document.
5. DATA BREACH NOTIFICATION
5.1 Purpose
The purpose of this policy is to advise on Dr Kristen Lovric’s actions required if a data breach occurs.
5.2 Definitions
Data Breach describes circumstances when personal information that an entity holds is subject to unapproved access. This can be malicious action, human error, or a failure in handling or security. Personal Information is information about an identified individual or an individual who is identifiable from the information.
5.3 Policy
A data breach occurs when personal information that Dr Kristen Lovric holds is subject to unapproved access or disclosure or is lost. Data breaches can happen to any practice. Dr Kristen Lovric can reduce the impact of a data breach by effectively reducing the risk of harm to affected individuals, and by demonstrating accountability in their data breach response.
5.4 Procedure
Dr Kristen Lovric understands the importance of being transparent when a data breach occurs - whether or not it is likely to cause serious harm to impacted individuals. Transparency enables individuals to take steps to reduce their risk of harm. It also demonstrates that Dr Kristen Lovric takes their responsibility to protect personal information seriously, which is integral to building and maintaining trust in the practice’s personal information handling capability.
Examples of a Data Breach:
- Loss or theft of a physical device (such as a laptop or paper records)
- Unapproved access by another person
- Inadvertent disclosure due to human error, such as an email being sent to an incorrect address
- Disclosure to a third party due to an inadequate verification process
Responding to a Data Breach:
As data breaches can be caused or exacerbated by many factors, there is no single way of responding to a data breach. Each breach should be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks. Generally, the actions taken following a data breach should follow four key steps:
- Contain the data breach to prevent any further compromise of personal information
- Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm
- Notify individuals, government bodies and medical indemnity if required
- Review the incident and consider what actions can be taken to prevent future breaches
Dr Kristen Lovric takes each data breach or suspected data breach seriously, and moves immediately to contain, assess and remediate the incident. Breaches that may initially seem immaterial may be significant when their full implications are assessed. Steps will be taken to contain, assess, and notify either simultaneously or in quick succession. In some cases, it may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs. Dr Kristen Lovric determines how best to respond on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, additional steps may be taken that are specific to the nature of the breach.