Privacy Policy

Steady Steps Education (“we”, “us”, “our”) is a school reengagement consultancy that works with parents and carers of children experiencing school non-attendance. We are committed to protecting the privacy of everyone whose information we handle, including your child.

This policy explains, in plain language:

• what personal information we collect and why
• how we collect, use, store and share that information
• what platforms and technology we use to deliver our services
• how we keep your information safe
• your rights to access, correct or complain about your information

This policy has been prepared to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs), and the Notifiable Data Breaches scheme. Because we offer services nationally via telehealth, the privacy and health records laws of the state or territory where you live may also apply.

By engaging our services, you confirm that you have read and understood this policy. Where we collect sensitive or health information, we will ask for your express consent before or at the time of collection.

Steady Steps Education is operated by Richard Amery as a sole trader (ABN 35 256 217 184), based in Victoria, Australia. We provide school reengagement consultation and parent coaching via telehealth (Zoom) to families across Australia.

We work exclusively with parents and carers and we do not provide direct services to children. However, we do collect personal and health information about children through standardised questionnaires completed by the child, their parents and (with consent) their teachers.

In this policy, “you” and “your” refers to our clients (parents and carers) and, where relevant, to the children whose information we collect.

3.1 About Parents and Carers

We collect:

• Your name, email, phone number and address
• Family structure and household details relevant to the consultation
• Information about your concerns, goals and your child’s school attendance situation
• Information about your parenting approaches, family routines and communication patterns
• Your responses to parent-version questionnaires (CBCL, PSES-SR, GF-FAD)
• Payment and billing information (processed securely via Stripe and we never see your full card number)
• Records of our communications (email, phone, video sessions)
• Anything else you choose to share with us during consultations

3.2 About Your Child

To understand what is driving your child’s school non-attendance and to develop a tailored plan, we collect:

• Name, age, date of birth and gender
• School name, year level and attendance history
• Responses to questionnaires completed by your child, including the School Refusal Assessment Scale (SRAS-R), Strengths and Difficulties Questionnaire (SDQ), and Revised Child Anxiety and Depression Scale (RCADS-25)
• Information about your child’s emotional wellbeing, behaviour, social difficulties and mental health as it relates to school non-attendance
• Details of any involvement with psychologists, psychiatrists, paediatricians or other health professionals
• Academic history, strengths and challenges at school
• Information from teachers or school staff (only with your written consent)

3.3 Sensitive and Health Information

Some of the information we collect is classified as sensitive information under the Privacy Act and as health information under both the Privacy Act and the Health Records Act 2001 (Vic). This includes:

• Information about your child’s mental health, including symptoms of anxiety, depression, or emotional and behavioural difficulties
• Questionnaire results that indicate how your child is functioning psychologically and behaviourally
• Information about your child’s involvement with mental health or health services
• Information about family circumstances that may relate to health or wellbeing

We only collect this type of information with your express consent and where it is reasonably necessary for providing our services. You can withdraw your consent at any time, but this may affect our ability to continue working with you.

3.4 Website Information

If you visit our website, we may collect:

• Information you submit through contact or booking forms
• Technical information like your IP address, browser type and how you use our site
• Cookie data (see Section 14)

4.1 Directly from You

Most information comes directly from you when you engage our services, fill in intake forms, complete questionnaires, communicate with us, or make a payment.

Your child provides information directly when they complete self-report questionnaires under your supervision. This is voluntary and requires your consent.

4.2 From Third Parties (With Your Consent)

With your written consent, we may collect information from:

• Your child’s school or teachers
• Your child’s GP, psychologist, psychiatrist, paediatrician or other health professionals
• Allied health professionals or support services involved in your child’s care

We will not contact or collect information from any third party without your written consent, unless we are required to by law.

4.3 Through Technology

We also collect information through our website and the platforms we use to deliver services (Zanda Health and Zoom). These are explained in Section 8.

4.4 Information We Didn’t Ask For

If we receive personal information that we didn’t ask for and wouldn’t have been entitled to collect, we will either destroy it or de-identify it as soon as practicable, unless it is contained in a Commonwealth record or it is lawful to keep it.

5.1 Our Main Purposes

We use your information to:

• Provide our school reengagement consultation and parent coaching services
• Administer and score questionnaires so we can understand what is driving your child’s school non-attendance and develop a tailored plan
• Communicate with you about appointments, progress and recommendations
• Develop individualised strategies, support plans and parent guides
• Process your payments and keep financial records
• Identify when your child may need to see a registered health professional, and help facilitate that referral (with your consent)
• Liaise with your child’s school or other professionals (with your written consent)

5.2 Other Related Purposes

We may also use your information for purposes that are directly related to the above and that you would reasonably expect, including:

• Improving the quality of our services (using de-identified data only)
• Responding to your enquiries, feedback or complaints
• Meeting our legal obligations, including mandatory reporting to child protection authorities
• Defending or establishing legal claims
• Meeting our obligations under the National Code of Conduct for Unregistered Health Practitioners

We will not use your information for an unrelated purpose unless we have your consent or are required to by law.

We do not sell, rent or trade your personal information. We only share it in the following situations:

6.1 With Your Consent

If you give us written consent, we may share relevant information with your child’s school, GP, psychologist or other professionals to support a coordinated approach.

6.2 Our Service Providers

We share information with the platforms we use to run our business (Zanda Health, Zoom, and Stripe). These are described in detail in Section 8.

6.3 Where Required by Law

We may be required to share information in certain situations, including:

• Mandatory reporting: If we believe a child is at risk of significant harm, we must report to child protection authorities. This overrides confidentiality.
• Court orders: If we receive a court order or subpoena requiring disclosure.
• Serious threats: If disclosure is necessary to prevent or reduce a serious and imminent threat to someone’s life, health or safety.
• Health complaints investigations: If required in connection with an investigation by a health complaints body.

We do not use your information for marketing purposes unless you specifically opt in. If you do opt in, you can opt out at any time by contacting us or clicking the unsubscribe link in any email.

We will never use your child’s information for marketing.

We rely on several third-party platforms to deliver our services. Here is what each one does, what information it handles, and where the data may be stored:

We use BizzyAI, an AI tool within Zanda Health to transcribe our consultation sessions and generate session summaries. Here is what you need to know:

9.1 What It Does

• BizzyAI listens to our session and creates a written transcript in real time
• It produces a summary of the session for our records
• The transcript and summary may contain sensitive information discussed during the session, including information about your child’s mental health and behaviour.

9.2 Your Rights

We will always ask for your express consent before using BizzyAI in any session. You have the right to:

• Say no to AI transcription for any or all sessions, without it affecting the quality of service
• Ask us to turn it off at any point during a session
• Request a copy of any AI-generated transcript or summary
• Request that transcription data be deleted

If you decline, we will take notes manually instead.

9.3 Important Information About Data

• BizzyAI is built into Zanda Health and processes session audio and transcripts within Zanda's secure cloud infrastructure, hosted on Amazon Web Services (AWS) in Australia
• Zanda Health does not use Customer Data to train or fine-tune AI models, and does not share data with AI model providers for training purposes
• We will let you know if there are any material changes to how BizzyAI or Zanda Health handles your data

Some of the platforms we use may process or store your information overseas, including in the United States (see Section 8). Australian privacy law requires us to take reasonable steps to make sure overseas recipients protect your information to the same standard as the Australian Privacy Principles.

We do this by:

• Reviewing the privacy policies and terms of all platforms we use
• Where possible, entering into agreements that require overseas providers to protect your information consistently with the APPs
• Checking whether the overseas country has privacy protections similar to Australia’s
• Telling you about overseas transfers through this policy and our consent forms

When you engage our services and consent to the use of these platforms, you acknowledge that some of your information may be processed overseas. We will continue to take reasonable steps to protect your information regardless of where it is processed.

We take reasonable steps to make sure the information we hold is accurate, up-to-date, complete and relevant. If any of your details change, or if you think something we have on file is wrong, please let us know and we will correct it promptly.

We take the security of your information seriously. Our measures include:

• Storing electronic records on password-protected, encrypted systems (Zanda Health)
• Using multi-factor authentication to access platforms containing personal and health information
• Limiting access to your information to the Service Provider only (we are a sole practitioner)
• Using encrypted communication channels for sensitive information
• Regularly reviewing our security practices
• Requiring our third-party providers to maintain appropriate security standards

No system is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. If you become aware of any breach or unauthorised access, please contact us immediately.

We keep information only for as long as we need it, or as required by law:

After these periods, records are securely destroyed.  Electronic records are permanently deleted, and any physical records are shredded.

Our website may use cookies (small text files stored on your device) to help it work properly and to understand how visitors use the site. These may include:

• Essential cookies: needed for the website and booking system to function
• Analytics cookies: collect anonymous, aggregated data about how people use our site so we can improve it
• Third-party cookies: set by services built into our website (e.g. the booking system or payment processor)

You can set your browser to block cookies, but some parts of the website may not work properly if you do. We choose the most privacy-protective settings available for any analytics tools we use.

Under the Notifiable Data Breaches scheme in the Privacy Act 1988, we must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if there is a data breach likely to cause serious harm.

If we become aware of a suspected or actual breach, we will:

• Act quickly to contain it and reduce any harm
• Assess within 30 days whether it is likely to cause serious harm
• If it is, notify the OAIC and all affected individuals as soon as possible
• Tell you what happened, what information was involved, and what steps you can take to protect yourself

We also comply with any notification requirements under the Health Records Act 2001 (Vic) for breaches involving health information.

You can make a general enquiry through our website or by phone without giving your name. However, if you want to use our consultation services, we will need your name and contact details. We cannot provide personalised services or maintain proper records without them.

17.1 Seeing What We Hold

You have the right to ask us for a copy of the personal information we hold about you and your child. Just contact us using the details in Section 23. We will respond within 30 days and may need to verify your identity first.

We do not charge for making a request, although we may charge a reasonable fee if the request is unusually complex.

In limited cases, we may refuse access where the law allows, for example if providing the information would seriously threaten someone’s safety, or would unreasonably affect another person’s privacy. If we refuse, we will explain why in writing.

17.2 Fixing Mistakes

If you think any information we hold is wrong, incomplete or out of date, let us know and we will correct it within 30 days. If we refuse, we will explain why and you can ask us to attach a note to the record with the correction you requested.

If we have already shared the incorrect information with someone else, we will take reasonable steps to notify them of the correction if you ask us to.

We take extra care with information about children:

• Parental consent is always required. We will not collect any information about your child without your express consent as their parent or guardian.
• Shared parental responsibility. If parental responsibility is shared, we rely on the enrolling parent’s confirmation that they have authority to consent. We may ask for evidence of consent arrangements where family law orders are in place.
• Adolescent input. For children aged 14 and over, we may ask for the young person’s agreement to take part in the assessment. If they decline, the assessment cannot go ahead.
• No direct contact. Your child completes questionnaires under your supervision. We do not have direct contact with children.
• Purpose limitation. Your child’s health information is used solely to inform the parent consultation and develop a reengagement plan. It is not used for anything else.
• Longer retention. Records about children are kept for at least 7 years from last contact or until the child turns 25, whichever is longer.

We have legal obligations under child protection laws. If, during the course of working with your family, we form a reasonable belief that a child is at risk of significant harm (including physical, sexual or emotional abuse, or neglect), we are required to report this to the relevant state or territory child protection authority.

This obligation:

• Overrides the confidentiality provisions in this policy and in our Service Agreement
• Applies regardless of which state or territory you live in
• May not require us to inform you before making the report, if doing so would place the child at further risk

Because we work with families across Australia, the mandatory reporting laws of the state or territory where the child lives will determine the specific obligations.

Because we are based in Victoria and collect health information, the Health Records Act 2001 (Vic) also applies to health information we collect from Victorian residents. The Health Privacy Principles (HPPs) in that Act provide additional protections, including rules about how we collect, use, store and give access to health information.

If you are a Victorian resident and have a concern about how we have handled your health information, you can complain to the Health Complaints Commissioner (see Section 21).

21.1 Complaining to Us

If you have a concern about how we have handled your information, please contact us (see Section 23). Tell us what happened and include any supporting information. We will:

• Acknowledge your complaint within 7 business days
• Investigate and respond within 30 days
• Let you know if we need more time

21.2 External Complaints

If you are not happy with our response, you can complain to:

• Office of the Australian Information Commissioner (OAIC): for complaints under the Privacy Act. Visit www.oaic.gov.au or call 1300 363 992
• Health Complaints Commissioner (Victoria): for complaints about health information handling. Visit www.hcc.vic.gov.au or call 1300 582 113
• Your state or territory health complaints body: if you live outside Victoria, you may be able to complain to the equivalent body in your jurisdiction.

We do not use government-issued identifiers (like Medicare numbers or tax file numbers) as our own way of identifying you, unless required by law.

If you have questions about this policy, want to access or correct your information, withdraw consent, or make a complaint:

Steady Steps Education

ABN: 35 256 217 184
Email: richard@steadystepseducation.com.au
Phone: 0421 995 458
Address: PO Box 3200 Prahran East VIC 3181

We may update this policy from time to time. If we do, we will publish the updated version on our website with the new effective date.

If we make significant changes to how we handle your information, we will email you before the changes take effect and, where required, ask for fresh consent.

This policy should be read together with the Steady Steps Education Service Agreement and any separate consent forms provided to you.