Privacy Impact Assessment

Echo's comprehensive privacy statement covering data processing, controls, and compliance measures for workplace psychosocial risk management.

echo-pia-statement-v1.0-2025-09-10.pdf

Summary

Echo runs voice or text check-ins by phone, SMS or WhatsApp to surface early indicators of psychosocial risk, fatigue and engagement. Supervisors see anonymised cohort trends, risk scores and trajectories in a dashboard aligned to ISO 45003; boards receive a quarterly compliance / assurance pack. Individual coaching is private to each worker. Managers never see raw conversations, and cohort views enforce a minimum group size to reduce re-identification.

Consent-first · No raw audio to managers · Cohort minimum enforced · Export/Delete available

Purpose and scope

  • Purpose: Identify and reduce psychosocial and fatigue risks, improve team engagement, and evidence proactive controls to meet duties consistent with ISO 45003 guidance.
  • In scope: Voice and text check-ins; risk scoring and trajectories; supervisor ISO 45003 + Engagement dashboard; board "readiness/compliance" pack.
  • Out of scope (this draft): Insurer/broker products or sharing.

Personal data processed (by feature)

  • Worker check-ins: short phone/WhatsApp calls or SMS/WhatsApp pulses; free-text or structured responses.
  • Derived signals: sentiment/prosody from voice, brief micro-psychometrics (dripped BFI-2 items), and simple engagement markers.
  • Context: roster/shift, team, site, incident/near-miss metadata where provided.
  • Dashboard outputs: team/crew risk levels, trajectories, participation and time-to-intervention; ISO 45003 readiness indicators. No raw audio, no individual "personality" labels to managers.

Data flow at a glance

Workers interact via phone call or text (SMS/WhatsApp). Audio is converted to features for analysis; by default raw audio is not shown to managers and is either not stored or deleted after processing (customer-configurable). Text responses are stored as message objects. Processing occurs in Echo's cloud environment in the region chosen per tenant. Supervisors and boards access aggregated dashboards via a secure web app. Echo uses vetted service providers for telephony and cloud infrastructure; a current list and locations are maintained in the sub-processor register available on request. Identifiable worker data does not leave the tenant environment except under the narrow safety exceptions described below.

Lawful basis and necessity (AU context)

Echo processes personal information to help employers manage psychosocial health and safety risk in line with workplace duties. Participation in check-ins is voluntary and based on informed, revocable consent. Where wellbeing indicators qualify as health information, Echo collects and uses them only with explicit consent and for the limited purposes described here. Aggregated, de-identified analytics are used to generate cohort trends for supervisors and board reporting; Echo outputs are not used on their own for disciplinary or employment decisions. Workers can withdraw at any time; withdrawal stops new collection and personal coaching without affecting access to existing safety reporting channels.

"Who sees what"

Role | Access Level | Data Types
Workers | Personal access only | Own insights, nudges, and a "what Echo stores about me" page with export/delete
Supervisors/HSE | Cohort-level analytics | Cohort heatmaps, leading indicators, risk scores/trajectories, time-to-intervention. No raw voice. Cohort views suppressed below minimum group size
Board/Risk | Aggregated reporting | Quarterly ISO 45003 readiness and control coverage; no individual data
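The "cohort views suppressed below minimum group size" rule above, and the re-identification risk in very small groups noted later under Residual risk, come down to small-cell suppression at aggregation time. The following is an added illustration of how such a check can be implemented; it is not Echo's code, the threshold of 5 workers and the 0.7 high-risk cut-off are assumed (the statement gives no numbers), and the check-in records are constructed. It also goes one step beyond the text: a site-level rollup is withheld when subtracting the published teams from it would reveal a suppressed team, and a share is withheld when every member of a cohort has the same high-risk status, since a published 0% or 100% discloses each member's status.

```python
"""Cohort aggregation with minimum-group-size suppression (constructed example)."""
from collections import defaultdict
from statistics import mean

MIN_GROUP_SIZE = 5          # assumed threshold; the statement gives no number
HIGH_RISK_THRESHOLD = 0.7   # assumed cut-off on a 0..1 risk score

# Constructed sample check-ins for one reporting period. w01 checked in twice.
CHECKINS = [
    {"worker": "w01", "site": "north", "team": "crew-a", "score": 0.82},
    {"worker": "w01", "site": "north", "team": "crew-a", "score": 0.70},
    {"worker": "w02", "site": "north", "team": "crew-a", "score": 0.40},
    {"worker": "w03", "site": "north", "team": "crew-a", "score": 0.55},
    {"worker": "w04", "site": "north", "team": "crew-a", "score": 0.75},
    {"worker": "w05", "site": "north", "team": "crew-a", "score": 0.30},
    {"worker": "w06", "site": "north", "team": "crew-a", "score": 0.60},
    {"worker": "w07", "site": "north", "team": "crew-b", "score": 0.90},
    {"worker": "w08", "site": "north", "team": "crew-b", "score": 0.20},
    {"worker": "w09", "site": "south", "team": "crew-c", "score": 0.20},
    {"worker": "w10", "site": "south", "team": "crew-c", "score": 0.35},
    {"worker": "w11", "site": "south", "team": "crew-c", "score": 0.50},
    {"worker": "w12", "site": "south", "team": "crew-c", "score": 0.45},
    {"worker": "w13", "site": "south", "team": "crew-c", "score": 0.65},
]


def per_worker_scores(records):
    """Collapse repeat check-ins to one row per worker so group size counts
    distinct people, not messages."""
    scores = defaultdict(list)
    placement = {}
    for r in records:
        scores[r["worker"]].append(r["score"])
        placement[r["worker"]] = (r["site"], r["team"])
    return [
        {"worker": w, "site": placement[w][0], "team": placement[w][1], "score": mean(s)}
        for w, s in scores.items()
    ]


def summarise(rows):
    """Cohort statistics. The high-risk share is withheld when it is 0 or 1,
    because a homogeneous cohort would reveal every member's status."""
    scores = [r["score"] for r in rows]
    share = sum(s >= HIGH_RISK_THRESHOLD for s in scores) / len(scores)
    return {
        "n": len(rows),
        "mean_risk": round(mean(scores), 2),
        "high_risk_share": round(share, 2) if 0 < share < 1 else None,
    }


def cohort_dashboard(records, k=MIN_GROUP_SIZE):
    """Team-level and site-level aggregates with suppression below k workers."""
    rows = per_worker_scores(records)
    teams, sites = defaultdict(list), defaultdict(list)
    for r in rows:
        teams[(r["site"], r["team"])].append(r)
        sites[r["site"]].append(r)

    out = {"teams": {}, "sites": {}}
    hidden_workers = defaultdict(int)  # workers per site sitting in suppressed teams
    for (site, team), members in teams.items():
        label = f"{site}/{team}"
        if len(members) >= k:
            out["teams"][label] = summarise(members)
        else:
            out["teams"][label] = {"suppressed": True, "reason": f"fewer than {k} workers"}
            hidden_workers[site] += len(members)

    for site, members in sites.items():
        hidden = hidden_workers[site]
        # Complementary suppression: publishing the site total next to the published
        # teams would let a reader subtract their way to a hidden team unless the
        # hidden remainder is itself a cohort of at least k workers.
        if len(members) >= k and (hidden == 0 or hidden >= k):
            out["sites"][site] = summarise(members)
        else:
            out["sites"][site] = {"suppressed": True, "reason": "rollup would expose a suppressed team"}
    return out


if __name__ == "__main__":
    for scope, cohorts in cohort_dashboard(CHECKINS).items():
        for name, stats in cohorts.items():
            print(f"{scope:5} {name:14} {stats}")
```

With the sample data, north/crew-a (6 workers) is published, north/crew-b (2 workers) is suppressed, and the north site rollup is also withheld because its 8 workers minus the 6 in crew-a would expose crew-b. South/crew-c is published but its high-risk share is withheld because no member is above the threshold. Dashboards that show trajectories over time need the same check on every period, since a cohort can drop below the minimum as participation changes.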

Automated analysis and fairness

Models combine trait × state × context features to predict risk and show why a risk is changing, with explainable drivers surfaced to managers. Echo commits to fairness/bias reviews shared with customers. Human review governs any escalation.

Privacy-by-design controls

  • Minimum necessary: management sees trends and cohorts, not raw conversations.
  • Two-stream design: private coaching to individuals; anonymised cohort analytics to management.
  • Consent first: plain-English 10-second opt-ins; opt-out always available; mute/reschedule controls.
  • Worker transparency: export/delete for personal data.

Configurable "privacy dials" (customer-set)

Presets define identity visibility, aggregation level, escalation rules, cadence and retention (e.g., union-strict vs standard vs high-hazard). Defaults bias toward anonymity and shorter retention.

Safety exceptions

Narrow, predefined and auditable exceptions permit naming/escalation only for imminent harm scenarios (e.g., credible threats of self-harm, violence, intoxication at work, critical fatigue). Paths are transparent to the worker.

Residual risk

Despite the controls above, residual risks remain (for example, misclassification of sentiment, manager over-interpretation of cohort trends, or re-identification in very small groups). Echo tracks these in a risk register with owners and mitigations, and provides customers a status summary on request.

Retention and deletion

Retention aligns to the chosen privacy profile (illustrative: 6, 12 or 24 months by risk context). Individuals can trigger export or deletion of their own data; organisational deletes propagate through all data stores. Exact timelines are configurable per customer profile.

Security

Encryption in transit and at rest; regional data residency on request; admin audit logs; annual red-team and penetration testing; ISO 27001 program in progress. Third-party testing occurs at least annually; certifications and summaries of findings are available under NDA.

Data sharing and transfers

No sharing of identifiable worker data with management dashboards. No external sharing in this scope. Cross-customer learning relies on derived or synthetic features, not raw voice; regional residency is supported on request. Identifiable worker data is not shared outside the tenant environment. A current sub-processor register with locations is available on request.

Engagement approach (why workers participate)

Voice-first, short interactions in worker-friendly windows; plain talk, not HR jargon; feedback closes the loop so workers see impact. Typical pilots show 60–70% monthly actives.

Governance, approval and review

Echo maintains privacy profiles per tenant, logs administrative access, and publishes summaries of its PIA and fairness audits to customers.

Governance Item | Details
Approval | This statement and the underlying PIA were approved by: Fletcher Young, Chief Product Officer
Review Cadence | At least annually; on any material change to features, data flows, processors or legal obligations; and after any privacy incident
Next Scheduled Review | 31 July 2026

Contact

  • Controller/Provider: Echo (details to be inserted for each tenant relationship)
  • Privacy contact: hello@echo-control.com