Echo Pilot Participant Information & Privacy Notice

Last updated: 09 December 2025

This notice explains how Echo and your employer collect, use and protect your information when you join the Echo pilot and receive Echo check-ins.

Please read it carefully before you decide whether to take part.


1. Who is responsible for your information?

For the Echo pilot there are usually two main parties:

  • Your employer – the company you work for. They are responsible for meeting their legal duties to manage work health and safety (including psychosocial risks) and for how they use insights from Echo in their business.
  • Echo – the company that provides the Echo check-in service (referred to as “Echo”, “we”, “us”). We are responsible for designing and running the Echo service and for protecting the information we handle to deliver it.

In most cases:

  • Echo acts as a service provider to your employer, and
  • your employer is the primary decision-maker about how Echo is used to support work health and safety and people management.

Echo currently qualifies as a small business operator under the Privacy Act 1988 (Cth), which means it is generally exempt from many of the Act’s obligations that apply to larger organisations. However:

  • personal information is critical to Echo’s service (we cannot operate without it),
  • we do not sell or rent personal information, and we do not use Echo pilot data to market products or services to you, and
  • Echo chooses to handle personal information as if the Australian Privacy Principles (APPs) apply in full, including the rules for collection, use, disclosure, security and access.

Your employer may also be bound by the Privacy Act and/or other local privacy or surveillance laws.

If you work outside Australia, local laws (such as the EU/UK GDPR) may give you additional rights. We aim to meet or exceed those standards where reasonably possible.

2. What is Echo and why are you being invited?

Echo is a short, structured check-in (usually around 90 seconds) delivered by phone, WhatsApp or similar channels. It asks about:

  • how work feels day-to-day
  • safety and psychosocial risks (for example workload, conflict, support, fatigue)
  • other factors that affect wellbeing and performance.

Your employer is running the Echo pilot to help them:

  • better understand psychosocial and human-factor risks in real time
  • meet their duty to manage psychosocial hazards and protect workers’ health and safety so far as is reasonably practicable
  • respond earlier to emerging issues instead of waiting for incidents, complaints or surveys.

You are free to choose whether to participate. Participation in Echo is voluntary and separate from your employment contract. Echo is not a condition of your employment, pay, roster, promotion, access to WHS protections or any other employment benefit.

Your employer should also tell you how Echo fits with its WHS processes, psychosocial risk management, workplace surveillance policy (if any) and complaint / grievance procedures.

3. How Echo works in practice

If you opt in:

  1. Echo will contact you at agreed times (for example around the start or end of shifts) for short check-ins.

  2. You respond to a small number of questions using your voice and/or simple rating scales.

  3. Echo records your Echo calls and converts them to text so we can analyse them.

    Echo analyses your responses using a combination of:

    • human-centred question design
    • statistical analysis, and
    • machine-learning models (for example, to identify patterns and risk signals).

    Where we use automated tools to help identify possible risks, we aim to have a human review serious risk flags before decisions or escalations that affect you.

  4. Echo then:

    • gives you simple reflections or prompts you can use to take action, and
    • feeds your employer anonymised, grouped insights at team, location or organisational level.

Managers and executives see patterns and trends, not raw recordings of individual workers, except in narrow safety or legal exception cases explained in section 7.

Echo is not a crisis or counselling service and does not replace medical care, emergency services or your employer’s Employee Assistance Program (EAP). If you are in immediate danger or at risk of harm, contact emergency services (000 in Australia), your EAP or local crisis support services.

4. What types of information do we collect?

When you participate in the Echo pilot, Echo and your employer may collect and process:

4.1 Information you provide directly

  • Your spoken answers in Echo calls or voice notes.
  • Your responses to in-app or message-based questions (e.g. ratings, yes/no, short text).
  • Any optional information you choose to share about:
    • your experiences at work
    • your wellbeing or mental health
    • relationships, conflict or concerns at work
    • suggestions for improving safety or the workplace.

This may include sensitive information (for example health information or union involvement) under Australian law, and “special category data” under GDPR-style laws. Handling this kind of information normally requires a higher level of protection and, in many countries, explicit consent.

4.2 Basic work and contact details

To run the pilot, Echo usually receives from your employer:

  • your name
  • work contact details (e.g. mobile number, email or messaging handle)
  • team, role, location or site
  • roster or shift patterns (where needed for scheduling)
  • manager and reporting line.

We normally receive this information from your employer, not directly from you.

These details are used to contact you, to link your check-ins to the right work context, and to build aggregated insights at the right team/site level.

4.3 Technical and usage information

When you use Echo, we may also collect:

  • call metadata (time, duration, channel)
  • basic device or network information (for example type of phone, country, connection quality)
  • interaction data (for example whether you answered a call, skipped a question or opted out).

This helps us deliver, secure and improve the service.

5. How we use your information

Echo and your employer use your information for the following purposes:

5.1 To deliver Echo check-ins to you

  • contacting you for scheduled or on-demand check-ins
  • recording and analysing your responses
  • showing or telling you personalised feedback, reflections or prompts that may help you manage your own work and wellbeing.

5.2 To help your employer manage psychosocial and safety risk

Your employer uses Echo insights to:

  • identify patterns of psychosocial risk (for example workload, conflict, poor support, fatigue) across teams or sites
  • plan and evaluate safety and wellbeing controls and interventions
  • meet their work health and safety duties to eliminate or minimise psychosocial risks so far as is reasonably practicable.

Echo provides these insights in aggregated or anonymised form (for example “Team A shows rising fatigue risk over the last four weeks”), not as a detailed profile of individual workers, except in the narrow circumstances in section 7.

Echo does not usually report segmented insights for groups smaller than 7 people, and we may further aggregate or suppress results where there is a reasonable risk that individuals could be identified from the data.

We also avoid including direct quotes or highly specific details in reports where they could reasonably identify an individual.

5.3 To maintain and improve Echo

We may use de-identified or aggregated data to:

  • test and tune our models
  • improve question design and alerts
  • monitor system accuracy, fairness and reliability
  • develop new features that support worker safety, wellbeing and inclusion.

Where we use your information in this way, we take steps to remove personal identifiers or apply privacy-enhancing techniques so that you are not reasonably identifiable. We use de-identified or aggregated information for model training and improvement where reasonably possible, and we do not use Echo pilot data to create marketing profiles about you or to advertise products or services to you.

5.4 To comply with law and manage serious risks

Echo and/or your employer may need to use and disclose your information to:

  • respond to an immediate risk of serious harm to you or another person
  • report or investigate serious safety incidents or unlawful behaviour
  • comply with work health and safety, employment, privacy or other applicable laws, codes of practice and regulator directions.

These situations are exceptional and are explained further in section 7.

5.5 Other purposes with your consent

If we want to use your identifiable information for a purpose not described in this notice, we will:

  • explain what we want to do and why, and
  • ask for your additional consent where required.

You can refuse or withdraw that additional consent without affecting your participation in the core pilot (unless that use is strictly necessary to deliver the service).

6. Legal basis for handling your information

6.1 Under Australian privacy law

Where the Privacy Act 1988 (Cth) applies, Echo and your employer generally rely on a combination of:

  • Your consent – when you opt in to the Echo pilot and agree to Echo collecting and using your information as described here, including any sensitive information you choose to share (such as information about your health, mental health or union involvement). Consent needs to be informed, voluntary, current and specific.
  • Work health and safety obligations – your employer has a legal duty to identify and manage psychosocial hazards and protect workers’ health and safety. Echo is one tool they use to help meet this duty.

In some circumstances, your employer’s handling of your “employee records” for purposes directly related to your employment is exempt from parts of the Privacy Act. However, that exemption is limited, is under active review, and does not apply to all uses or to all organisations.

The employee records exemption does not apply to Echo. Echo designs its service and internal standards as if the APPs apply in full, even where:

  • Echo may not yet be legally required to comply with all parts of the Privacy Act because of its size, or
  • your employer may be able to rely on an exemption for some of its handling of employee records.

6.2 Under international standards (e.g. GDPR)

In jurisdictions with GDPR-style laws, processing is usually based on:

  • your explicit consent to participate in Echo and share sensitive information, and
  • the employer’s legitimate interests in managing health, safety and organisational risk, balanced against your rights and reasonable expectations.

We do not make fully automated decisions about hiring, firing, promotion or discipline that are based solely on Echo data and have legal or similarly significant effects on you. Echo data may, however, be one input into broader WHS and people decisions alongside other information.

7. When might your information be shared in a way that identifies you?

Echo is designed so that routine reports to managers and executives do not include your name, voice, or direct quotes that identify you.

However, there are narrow situations where Echo or your employer may need to use or share information that identifies you, for example:

  • you describe a situation that suggests an immediate risk of serious harm to yourself or someone else
  • you report serious violence, harassment, discrimination, sexual misconduct or other unlawful behaviour
  • we reasonably believe disclosure is required to:
    • comply with a law, regulation, code of practice or regulator direction
    • prevent or respond to a serious threat to health or safety
    • investigate a serious incident or complaint.

In these cases, we may share relevant information with:

  • designated contacts at your employer (for example WHS, HR, or critical-incident contacts)
  • health, safety or other regulators, emergency services, or law enforcement where legally required.

Where it is safe and lawful to do so, we will:

  • inform you that an escalation is happening, and
  • share only the minimum necessary information to manage the risk.

All such exceptions are logged and subject to internal review. These situations are expected to be rare.

Echo is not a crisis service, and you should contact emergency services, your EAP or local crisis support services if you or someone else is in immediate danger.

8. Who else can access your information?

In addition to your employer, we may share your information with:

  • Echo staff and contractors who need access to deliver the service and are bound by confidentiality obligations.
  • Technology and infrastructure providers (for example cloud hosting, telephony, analytics tools) that process information on our behalf under written data-processing agreements that:
    • limit their use of the information to providing services to Echo, and
    • require them to protect your information using appropriate security and confidentiality safeguards.
  • Professional advisers (for example legal or security advisers) where reasonably necessary to manage risk, resolve disputes or comply with law.

We do not sell or rent your personal information to third parties. We do not use Echo pilot data to target advertising to you.

9. Where your information is stored and sent

Echo may store or process your information on secure systems located in Australia or in other countries with robust data-protection frameworks, such as in the European Union or the United States.

Where we transfer personal information outside the country where it was collected, we take reasonable steps to ensure that:

  • the recipient is subject to privacy laws or contractual obligations that offer a level of protection comparable to the APPs or GDPR-style standards, and
  • appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) are in place where required.

Echo remains responsible, under Australian privacy law where it applies, for taking reasonable steps to ensure that overseas recipients do not breach the APPs in relation to your personal information.

A current list of Echo’s core sub-processors and their locations is available here: Echo Core Services and Sub-Processors.

10. How long we keep your information

We keep personal information only for as long as it is reasonably needed for the purposes described in this notice, including:

  • to run the Echo pilot
  • to provide your employer with insights and evidence over a defined period
  • to meet legal, regulatory, insurance or record-keeping requirements.

Your employer and Echo agree on specific retention periods for the pilot (for example how long call audio, transcripts and risk indicators are kept). These retention periods are generally measured in months or years, not indefinitely. After those periods:

  • information may be deleted or irreversibly anonymised, or
  • retained in aggregated form that does not reasonably identify you.

You can ask Echo or your employer for more detail about the retention period that applies to your Echo pilot (see section 13).

11. Your choices and controls

11.1 Participating or withdrawing

  • Participation in Echo is voluntary.
  • You may decline to join the pilot.
  • If you join, you can opt out at any time by:
    • using the opt-out option in an Echo interaction (where available), or
    • contacting Echo or your employer using the details in section 13.

Opting out will stop future check-ins. It will not normally remove information already included in anonymised or aggregated reports, but we can discuss options where you have particular concerns.

Your decision to participate or not participate must not disadvantage you in your employment. Your employer must not take adverse action against you because you decline to participate, choose to opt out, or raise concerns in good faith.

11.2 Choosing what to share

You do not have to answer every question. You can:

  • skip any check-in or individual question
  • avoid sharing information you are not comfortable sharing in that channel
  • raise issues through other workplace channels instead if you prefer (for example HSRs, WHS representatives, HR or grievance processes).

12. Your privacy rights

Depending on where you work and which laws apply, you may have rights to:

  • access the personal information that Echo holds about you
  • correct inaccurate or incomplete information
  • request deletion of certain information (subject to legal and operational limits)
  • object to or restrict certain types of processing (for example use for model training)
  • withdraw consent where we rely on your consent.

Some of these rights may be limited by the employee records exemption in the Australian Privacy Act for your employer, or by other local laws. That exemption does not apply to Echo.

Echo will respond to your requests in line with applicable law and our contractual obligations to your employer. Where a request relates mainly to your employer’s systems or records, we may ask you to contact them directly or may forward your request to them.

You can make a request using the contact details in section 13.

You can also read the broader Echo Privacy Policy here: [insert link to Echo Privacy Policy].

13. How to contact us or raise concerns

If you have questions or concerns about Echo or this notice, or you want to exercise your privacy rights, you can contact:

You can also contact:

You can also contact your employer’s WHS / HR / Privacy contact.

If you are not satisfied with our response, you may have the right to lodge a complaint with:

  • the Office of the Australian Information Commissioner (OAIC) for privacy issues in Australia, and/or
  • the relevant work health and safety regulator in your state or territory for WHS/psychosocial concerns, and/or
  • the relevant data-protection authority in your country (for example an EU or UK supervisory authority).

Your employer should also inform you how to raise WHS and workplace complaints internally (for example via HSRs, WHS committees, grievance procedures or whistleblowing channels).

14. Changes to this notice

We may update this notice from time to time, for example to reflect:

  • changes in the Echo service
  • changes in the law or regulator guidance
  • feedback from workers, unions, health and safety representatives or regulators.

When we make material changes, we will:

  • update the “Last updated” date at the top, and
  • take reasonable steps to notify participants (for example via email, SMS, in-app notice or through your employer).

If the changes materially affect how we use your information, we may ask you to review the updated notice and confirm your consent again.