Legal
Privacy Policy
Effective date: 24 May 2026 · Version 1.0
Operator: Work Healthy Australia Pty Ltd (ABN 30 094 368 162)
1. Overview
OccuSpan is an enterprise occupational health and safety (OHS) platform operated by Work Healthy Australia Pty Ltd (ABN 30 094 368 162), a company incorporated in New South Wales, Australia ("WHA", "we", "us").
Who is involved
OccuSpan operates within a three-party relationship:
- Client Organisations — employing organisations that subscribe to OccuSpan and contract with WHA to deliver occupational health programs to their workforce. The Client Organisation pays for the service and deploys authorised OHS managers, health managers, and registered clinicians as Platform Users.
- Platform Users — OHS managers, health managers, and AHPRA-registered clinicians employed or engaged by the Client Organisation who access OccuSpan to manage occupational health programs and clinical records.
- Workers / Patients — employees of the Client Organisation who receive occupational health services delivered through WHA. Workers are not direct users of OccuSpan; their health data is managed on the platform by authorised clinical staff. The financial relationship is between WHA and the employer. WHA nonetheless owes a duty of care to every worker whose health information it holds and manages.
Consent as the foundation
Before any worker's health data is collected or entered into OccuSpan, WHA obtains the worker's informed written consent via a Treatment Consent Form that is stored digitally against their patient file and renewed every six months. That consent form sets out, in plain language, what data is collected, how it is used, who it may be shared with, and the worker's rights. Consent is the primary legal basis for all collection and use of health information on this platform.
Applicable law
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Because we process health information, we also observe the Health Records and Information Privacy Act 2002 (NSW) and equivalent state legislation applicable to the jurisdictions in which our clients operate.
2. Information We Collect
2.1 Platform User accounts
When an authorised user is provisioned on OccuSpan, we collect their work email address, full name, and role within their organisation. For AHPRA-registered clinicians, we also hold their registration number and expiry date. Authentication is managed via Supabase Auth.
2.2 Worker / patient health records
All health data collected about workers is collected with the worker's explicit prior consent (see Treatment Consent Form, Section 1). The following categories of information may be collected:
- Identity and contact fields (encrypted at rest with AES-256-GCM): full name, date of birth, email address, mobile number, residential address.
- Employment information: job title, department, site, employment type, employee ID.
- Clinical records: presenting complaints, body region, injury mechanism (coded to Safe Work Australia categories), symptom trajectory, range of motion measurements, neurological findings, diagnostic assessments.
- Treatment records: modalities applied, session dates, return-to-work status, functional outcome scores (VAS pain scale), biopsychosocial flags.
- Psychosocial survey responses (COPSOQ III, PSC-12, K10, NMQ-E) collected from workforce cohorts. Individual responses are never disclosed to line managers. Group results are suppressed unless the respondent count meets a minimum anonymity threshold (default: 7 respondents).
- Workers compensation claim metadata (where provided by the Client Organisation): injury year/month, injury type, claim status, cost bands. No individual claimant identity is stored in the claims dataset.
All of the above constitutes health information as defined in APP 3.3 and the Privacy Act 1988, and is subject to heightened obligations.
2.3 Knowledge base documents
Platform Users may upload clinical reports, outcome summaries, and case management documents to a private organisational knowledge base. These documents pass through a server-side de-identification pipeline before any content is indexed or forwarded to third-party AI services. Personal identifiers are replaced with anonymous placeholders. The original uploaded file is not retained after text extraction is complete.
2.4 AI-assisted features
OccuSpan provides AI-assisted case consultation and clinical documentation features. When these features are used, only de-identified text is transmitted to an external language model API (see Section 6). The de-identification pipeline runs server-side before any content leaves our infrastructure. Raw personal information is never transmitted to AI service providers.
2.5 Usage and operational data
We collect standard server logs, authentication timestamps, AI token usage counts (no message content), and consent records. Cookies are limited to those strictly necessary for session management (see Section 8).
3. How We Use Your Information
3.1 Primary purpose — clinical care and OHS program delivery
The primary purpose for which worker health information is collected is the delivery of occupational health services, injury prevention and management programs, and return-to-work support. All uses of health information within this primary purpose are authorised by the worker's explicit informed consent.
3.2 Disclosure to relevant stakeholders
The Treatment Consent Form explicitly authorises WHA to discuss a worker's injury and clinical progress with relevant and qualified stakeholders involved in their occupational rehabilitation. This may include:
- The worker's employer (Client Organisation) — for the purpose of workplace modification, return-to-work planning, and program reporting.
- The workers compensation insurer — where a workers compensation claim is active.
- The worker's treating team — general practitioner, specialist, physiotherapist, or other AHPRA-registered practitioners involved in their care.
- Independent Medical Examiners (IME) — where required for the worker's compensation process.
- Other qualified OHS professionals — where case conferencing or multi-disciplinary input supports the worker's rehabilitation.
Disclosure is limited to what is necessary and relevant for each stakeholder's role in the worker's care or rehabilitation. Individual health information is never disclosed to a worker's direct line manager without the worker's specific additional consent.
3.3 Workforce health reporting
Aggregated, de-identified data is used to generate cohort-level analytics and workforce health reports for the Client Organisation. Reports present population-level findings only; no individual worker can be identified in any report provided to the employer. The Treatment Consent Form covers this use.
3.4 AI-assisted clinical documentation and case guidance
De-identified case data is processed by a large language model to produce structured treatment note suggestions and case management guidance. These outputs are advisory aids for qualified health professionals and do not constitute clinical diagnoses or treatment prescriptions. All AI outputs are reviewed by the treating clinician before any action is taken.
3.5 Survey intelligence
Psychosocial survey responses are aggregated and presented at the group level only. Results are suppressed where the respondent count falls below the minimum anonymity threshold. Individual responses are never accessible to any person other than OHS clinical staff with a legitimate clinical reason.
3.6 Platform security and audit
Access logs, authentication records, and consent records are retained for security monitoring and regulatory compliance purposes.
4. Data Security
We implement the following technical and organisational security controls:
- Encryption in transit: All data transferred between users and the platform is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive personal fields (full name, date of birth, email address, phone number, residential address) are encrypted at the application layer using AES-256-GCM with per-field unique initialisation vectors before being written to the database.
- Access controls: Row-level security is enforced at the database layer. Each organisation's data is isolated. Role-based access controls restrict what each user role may read or modify. Line managers have no access to individual clinical records.
- Survey anonymity: Individual psychosocial survey responses are never accessible to line managers. Group results are suppressed below the minimum anonymity threshold.
- De-identification before AI transmission: Personal identifiers are removed by a server-side pipeline before any content is forwarded to external AI services. Raw personal data is never sent to third-party model providers.
- Audit logging: Material data operations (access grants, erasure requests, data exports) are logged in an append-only audit table.
- Consent records: Every instance of consent acceptance is recorded with a timestamp, policy version, and user identifier. Consent is renewed every six months.
If you have reason to believe a security incident has occurred, contact us immediately at privacy@workhealthyaus.com.au.
5. Data Residency
The primary database and authentication service for OccuSpan is hosted on Supabase in the AWS ap-southeast-2 (Sydney, Australia) region. Patient and worker health records, clinical encounter data, and survey responses are stored in this region.
Application hosting is provided by Vercel, which may process request data through edge nodes in multiple regions. Vercel does not store health records.
Only de-identified text (with personal identifiers removed prior to transmission) is processed by AI services located in the United States (see Section 6). Workers are informed of this processing in the Treatment Consent Form. This cross-border disclosure is also governed by contractual data processing agreements with each provider.
6. Third-Party Services and Sub-processors
We engage the following sub-processors. Each is subject to contractual obligations consistent with Australian privacy law. Where sub-processors are located overseas, cross-border disclosure is authorised by the worker's Treatment Consent Form and governed by data processing agreements.
| Provider | Purpose | Location | Data type |
|---|---|---|---|
| Supabase | Database, authentication, storage | Australia (AWS ap-southeast-2) | All platform data |
| Vercel | Application hosting and edge delivery | USA / global edge | Request metadata only; no stored health data |
| Anthropic (Claude API) | AI case consultation, clinical note structuring | USA | De-identified text only — personal identifiers removed before transmission |
| Voyage AI | Document embedding for knowledge base search | USA | De-identified document chunks only |
| Resend | Transactional email (survey invitations, notifications) | USA | Work email addresses; no health data |
| MessageMedia / Sinch | SMS delivery (survey invitations) | Australia | Mobile numbers; no health data |
7. Your Rights
Workers and patients whose information we hold have the following rights under the Privacy Act 1988 (Cth), regardless of the fact that occupational health services are funded by their employer rather than by them directly. WHA's duty of care to every worker extends to their privacy rights.
- Access (APP 12): You may request access to personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for requests requiring significant effort to fulfil.
- Correction (APP 13): If you believe personal information we hold is inaccurate, out of date, or incomplete, you may request correction.
- Withdraw consent: You may withdraw your consent to the collection and use of your health information at any time by contacting us at the address below. Withdrawal of consent will affect WHA's ability to continue providing occupational health services; your employer will be notified that services cannot continue in the absence of consent.
- Complaints: If you believe we have breached an Australian Privacy Principle, you may lodge a complaint with us first. If we do not resolve it to your satisfaction within 30 days, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Workers should direct access, correction, and consent enquiries to WHA directly using the contact details in Section 10. You do not need to go through your employer.
Note for users in the European Union or United Kingdom
OccuSpan is not currently marketed to organisations in the EU or UK. If we onboard EU or UK clients in the future, we will comply with the GDPR and UK GDPR and will update this policy accordingly.
8. Cookies
OccuSpan uses strictly necessary session cookies only. These are set by Supabase Auth to maintain the authenticated session and are required for the platform to function. They are not used for advertising, cross-site tracking, or analytics profiling.
We do not use third-party tracking cookies, marketing pixels, or behavioural analytics tools on OccuSpan.
9. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify account administrators and affected workers by email at least 30 days before the change takes effect. Continued use of OccuSpan after the effective date constitutes acceptance of the updated policy. Prior versions are available on request.
10. Contact
Workers, patients, Platform Users, and Client Organisations may direct all privacy enquiries — including access requests, correction requests, consent withdrawal, and breach reports — directly to:
We aim to acknowledge all privacy enquiries within 5 business days and resolve them within 30 days. Workers may contact us directly without going through their employer.
Work Healthy Australia Pty Ltd · ABN 30 094 368 162 · Governing law: New South Wales, Australia