MALU HEALTH GROUP PTY LTD
Privacy Policy
Effective Date: 24 February 2026
1. Our Commitment to Your Privacy
Sunny Steps Psychology & Supervision Pty Ltd (ABN 57 647 748 150) is part of Malu Health Group Pty Ltd (ABN 15 682 104 089).
Sunny Steps provides psychology services, behavioural support and capacity-building supports, including services delivered under the National Disability Insurance Scheme (NDIS).
We understand that accessing therapeutic or behavioural support services often involves sharing deeply personal information about you, your child or the person you support. Protecting that information is central to the trust you place in us.
This Privacy Policy explains how we collect, use, store and disclose personal and health information in accordance with:
The Privacy Act 1988 (Cth)
The Australian Privacy Principles (APPs)
Applicable State health records legislation
The My Health Records Act 2012 (Cth) (where relevant)
The Notifiable Data Breaches Scheme
NDIS Information Handling Operational Guidelines and Practice Standards
2. Who This Policy Applies To
This Policy applies to:
Clients and NDIS participants receiving psychology, therapeutic or behavioural supports
Training and supervision services
Parents, guardians and responsible persons
Carers and family members involved in care
Support coordinators and other service providers (where relevant)
It also applies to all personal and health information collected or managed by Sunny Steps, including information collected through telehealth and digital systems.
3. What Information We Collect
To provide psychology, behavioural support and capacity-building services, we may collect:
Personal information
Name, date of birth and contact details
Address and emergency contact details
Medicare number and healthcare identifiers
NDIS number and plan details
Health fund and billing information
Health and support information (sensitive information)
Mental health history
Behavioural history and functional assessments
Positive Behaviour Support Plans
Risk assessments
Clinical notes and progress reports
Family, social and educational history where relevant
Medical history
Legal documentation and history where relevant
Information relating to disability, support needs and goals
We may also collect information about guardians or responsible persons where services are provided to children or participants requiring supported decision-making.
4. How We Collect Information
We collect information:
When you register with our service
During consultations (in person or via telehealth)
Through intake forms and assessments
When you communicate with us via phone, email, SMS or website enquiry
From referring practitioners, schools, allied health providers or support coordinators (with consent)
From guardians or responsible persons where appropriate
Where reasonable and practicable, we collect information directly from you or your authorised representative.
5. Why We Collect and Use Your Information
Our primary purpose for collecting your information is to provide psychology, behavioural support and capacity-building services.
We may also use your information to:
Develop Behaviour Support Plans
Coordinate supports with other providers
Communicate with families, carers and support coordinators (with consent)
Manage appointments and billing
Process Medicare, Victims of Crime or NDIS claims
Meet legal, regulatory and Medicare / Victims of Crime / NDIS reporting obligations
Conduct clinical governance, audits and quality assurance
Provide staff training (using de-identified information where possible)
Improve our services and strengthen information security systems
If certain information is not provided, we may be unable to deliver appropriate supports.
6. When We Share Your Information
We only share personal or health information where necessary and appropriate.
We may disclose your information:
With your consent
To other healthcare providers involved in your care
To NDIS, Medicare or funding bodies for claim processing and compliance
To support coordinators or authorised representatives
When required or authorised by law (including mandatory reporting obligations)
To lessen or prevent a serious threat to life, health or safety
In connection with a business restructure within the Malu Health Group, subject to strict confidentiality obligations
We do not sell personal or health information.
7. NDIS Participants
Where you receive services under the NDIS, we comply with the NDIS Information Handling Operational Guidelines and NDIS Practice Standards.
As part of the NDIS Approved Quality Auditors Scheme, participants may be included in audit sampling under an opt-out model. If you do not wish to participate, your decision will be documented and respected.
If you have a complaint about NDIS services, you may contact:
NDIS Quality and Safeguards Commission
Telephone: 1800 035 544
Website: www.ndiscommission.gov.au
Email: contactcentre@ndiscommission.gov.au
8. Cross-Border Disclosure
Sunny Steps generally stores information within Australia.
Where third-party technology providers process information overseas, we take reasonable steps to ensure appropriate safeguards are in place consistent with Australian privacy laws.
9. Data Security and Continuous Improvement
We take reasonable steps to protect your information from misuse, interference, loss, unauthorised access, modification or disclosure.
Our safeguards include:
Secure electronic clinical record systems
Role-based access controls
Encryption and cybersecurity safeguards
Physical security measures
Confidentiality obligations for all staff
We continuously review and strengthen our systems and processes to enhance the protection of client and participant information.
10. Access and Correction
You have the right to:
Request access to personal or health information
Request correction of inaccurate or incomplete information
Requests must be made in writing. We will respond within a reasonable timeframe (generally within 30 days).
11. Data Breaches
If a privacy breach occurs involving unauthorised access, disclosure, loss or destruction of personal information, we will:
Contain and assess the breach promptly
Notify affected individuals where required
Notify the Office of the Australian Information Commissioner (OAIC) where necessary
Take steps to prevent recurrence
12. Website and Cookies
When you visit our website, we may collect limited technical information such as your IP address, browser type and pages visited to improve website performance and security.
13. Privacy Complaints
If you have concerns about how your information has been handled, please contact:
Att: Privacy Officer
Sunny Steps Psychology & Supervision Pty Ltd
Shop 1-3/28 Donald St
Hamilton NSW 2303
Australia
Email: privacy@malu.health
If you are not satisfied with our response, you may contact:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Telephone: 1300 363 992
Website: www.oaic.gov.au
Email: enquiries@oaic.gov.au


