GroundCtrl Platform Privacy Policy
Date: 4 December 2025
1. About Sample Assist and the GroundCtrl Platform
Sample Assist Pty Ltd ABN 88 678 801 691 (Sample Assist, us, we or our) operates a digital platform to facilitate and manage health surveillance for mining and heavy industry (GroundCtrl Platform). The GroundCtrl Platform is a digital platform comprised of mobile and website applications:

• GroundCtrl provides a secure digital platform for managing worker health-related information, including medical assessments, surveillance records, and compliance documentation.
• The platform enables authorised organisations and medical providers to record, store, and update health surveillance data through integrated mobile and web applications.
• GroundCtrl facilitates the scheduling, coordination, and tracking of workplace health assessments while maintaining strict access, privacy and audit controls.
• GroundCtrl processes health information solely for the purpose of supporting occupational health, safety, and legislative compliance requirements.
Sample Assist provides services via the GroundCtrl Platform to its customers.

Sample Assist does not provide services directly to employees, contractors, or other individuals engaged by our customers. Access to the GroundCtrl Platform is provided solely through the customer (the employer, medical provider or contracting entity).

Where required by an employer for the purpose of managing workplace health surveillance, medical assessments, or related health compliance activities, an employee or contractor may be directed by their employer to download the Digital Employment Medical Passport (also referred to as the Worker Passport).

As part of this process, the individual may be required to create a profile and provide personal information, which may include identity details, health or medical information, and informed consent prior to participating in any assessment, surveillance activity, or biological sample collection.

An employer may also require its workforce to accept the employer’s own privacy policy and terms of use in connection with their use of the GroundCtrl Platform.
2. About this Privacy Policy
2.1 Introduction
Sample Assist is committed to complying with the Privacy Act (and any other health records or privacy laws applicable to Sample Assist or the GroundCtrl Platform) and respecting the privacy of the personal information of persons with whom we interact. 

This Privacy Policy sets out:

• the personal information (including health information) that Sample Assist collects via the GroundCtrl Platform;
• the ways that personal information is collected, stored, used, disclosed and otherwise handled; and
• your rights to access your personal information, to have your personal information corrected and your rights if you wish to make a complaint.

You may access Sample Assist’s Privacy Policy, which governs the handling of personal information collected in connection with GroundCtrl, including when you visit the GroundCtrl website, contact us by email or telephone, or otherwise engage with us in circumstances that are not related to your access or use of the GroundCtrl Platform.
2.2 To Whom and When this Policy Applies
This Privacy Policy applies to:
• our customers and their representatives (unless we have agreed a separate privacy policy with a customer in respect of the customer’s access to and use of the GroundCtrl Platform);
• employees;
• providers; and 
• contractors.

As specified in Section 1, our customers may also require employees and representatives to accept their privacy policies. Sample Assist is not responsible for the privacy policies of our customers or our customers’ collection, use, storage and disclosure of any personal information they may collect and does not accept any liability for our customers’ failure to comply with their privacy obligations under the Privacy Act or any other applicable laws.
2.3 Terms Used in this Privacy Policy
In addition to the terms defined in section 1, the following terms are used in this Privacy Policy:
agency
A company, clinic or other business organisation other than a lab that provides sample collection services, sample transportation or other services in connection with workplace drug testing but excluding biological sample testing and production of pathology and laboratory reports relating to the tests.
authorised authority
Any person who is authorised on behalf of our customer to receive reports.
customer
An agency, RTO, a lab or an employer.
customer representative
A representative of a customer.
employee
A company, business, government department, government agency, government corporation, individual or other organisation of any type that employs or engages employees and requires those employees to undergo health surveillance medicals as part of their employment.
employer
A company or other business organisation that tests biological samples and produces reports relating to tests it has conducted. A lab may also provide sample collection services, sample transportation or other services in connection with workplace drug testing.
lab
Privacy Act 1988 (Cth) as amended.
personal information
Personal information as defined in the Privacy Act.
Privacy Act
Registered Training Organisation.
representative
Any person employed by a customer or engaged as a contractor of a customer who is required to access and use the mobile and website applications that form part of the GroundCtrl Platform to administer the customer’s health surveillance program, including by providing administrative services, sample collection, sample transportation, sample testing and reporting services.
RTO
Registered Training Organisation.
you, your
The person reading this Privacy Policy and who will be accessing and using one or more apps or websites which form part of the GroundCtrl Platform.
MRO
Medical Review Officer. A medical practitioner who is authorised and qualified to review, interpret and validate medical assessment results, including results from drug and alcohol testing, and who may issue determinations, clarifications or recommendations as part of the customer’s health surveillance program.
Provider
Any healthcare professional or organisation engaged by a customer to deliver medical or health related services. This includes doctors, nurses, medical practitioners, clinics, medical centres, pathology providers, allied health professionals, and any other entity or individual authorised to conduct assessments, examinations, sample collections, testing or reporting as part of the customer’s health surveillance program.
2.4 Changes to Privacy Policy and Continued Engagement With Us
This Privacy Policy came into effect on the date specified above.
From time to time, Sample Assist may need to change this Privacy Policy, without notice. If we do, we will post the updated Privacy Policy on the GroundCtrl Website and the GroundCtrl Platform. You should review this Privacy Policy from time to time to review any changes. Any revised Privacy Policy, once published on the GroundCtrl Platform and GroundCtrl Website will apply to all personal information that is specified in this Privacy Policy.
By continuing to use the GroundCtrl Website and GroundCtrl Platform, you accept this Privacy Policy as it applies from time to time.
2.5 What Happens if You Do Not Accept the Privacy Policy or Provide Personal Information
If you do not wish to submit personal information when first required or you do not wish us to collect your personal information when we are first required to do so, you may not be able to access or use the GroundCtrl Platform mobile and web applications for which your personal information is required. This may detrimentally affect:
• your employer’s ability to conduct workplace health surveillance;
• the ability of agencies and providers to provide services in relation to workplace health surveillance; and
• our ability to provide services to our customers and comply with our contractual obligations to our customers.
3. The Personal Information We Collect, How We Collect It and How We Use It
3.1 Introduction
The personal information that Sample Assist collects about you via the GroundCtrl Platform and the manner in which we collect the personal information depends on the capacity in which you access and use the GroundCtrl Platform. Generally, Sample Assist collects personal information via the GroundCtrl Platform which enables us to do the following:
• to allow customers to undertake workplace health surveillance using the GroundCtrl Platform;
• to provide services to our customers; and
• to support our business operations and enable the existing and future functionality of the GroundCtrl Platform.

We collect personal information directly from you or from our customers.
3.2 Types of Personal Information
In addition to the general information described in section 3.1, the personal information Sample Assist collects via the GroundCtrl Platform is set out below for each module of the GroundCtrl Platform.
Module: Account Creation and Login
Personal Information GroundCtrl Collects:
• Name;
• Email address;
• Mobile number;
• Password;
• Two-factor authentication;
• Profile photograph;
• Date of birth;
• Company or contractor affiliation;
• Employee or contractor ID;
• Job role and site location;
• Provider identifiers (AHPRA, clinic ID, MRO ID, Coal Services ID);
• Audit logs;
• Account activity logs
From Whom GroundCtrl Collects Personal Information: We collect this information directly from the user, or from the employer, provider or customer representative
How the Personal Information Is Used by GroundCtrl: To verify identity, authenticate users, establish access permissions, secure the platform, and maintain audit and activity logs

Module: Digital Employment Medical Passport
Personal Information GroundCtrl Collects:
• Name;
• Email address;
• Mobile number;
• Password;
• Two-factor authentication;
• Profile photograph;
• Date of birth;
• Company or contractor affiliation;
• Employee or contractor ID;
• Job role and site location;
• Provider identifiers (AHPRA, clinic ID, MRO ID, Coal Services ID);
• Audit logs;
• Account activity logs
From Whom GroundCtrl Collects Personal Information: We collect this information from employees and contractors as authorised by their employer
How the Personal Information Is Used by GroundCtrl: To establish a portable, secure health and employment record; schedule assessments; determine fitness for work; and support employer and industry compliance

Module: Dashboard
Personal Information GroundCtrl Collects: No personal information is collected directly by this module
From Whom GroundCtrl Collects Personal Information: Not applicable
How the Personal Information Is Used by GroundCtrl: Displays information collected from other modules to provide compliance and health surveillance visibility

Module: Health Calendar
Personal Information GroundCtrl Collects:
• Appointment details;
• Worker name and identifier;
• Assessment type;
• Provider assigned;
• Dates and times of appointments;
• Attendance status
From Whom GroundCtrl Collects Personal Information: We collect this information from employees, contractors, providers and employers
How the Personal Information Is Used by GroundCtrl: To schedule, manage and track health surveillance appointments and update attendance information

Module: Medical Management
Personal Information GroundCtrl Collects:
• Assessment requests;
• Appointment outcomes;
• Medical clearance decisions;
• Provider notes;
• Clinical summaries;
• Uploaded medical certificates or reports;
• Work restrictions or conditions
From Whom GroundCtrl Collects Personal Information: We collect this information from employees and contractors as authorised by their employer
How the Personal Information Is Used by GroundCtrl: To establish a portable, secure health and employment record; schedule assessments; determine fitness for work; and support employer and industry compliance

Module: Medical Management
Personal Information GroundCtrl Collects:
• Assessment requests;
• Appointment outcomes;
• Medical clearance decisions;
• Provider notes;
• Clinical summaries;
• Uploaded medical certificates or reports;
• Work restrictions or conditions
From Whom GroundCtrl Collects Personal Information: We collect this information from medical providers, employees, contractors and employers
How the Personal Information Is Used by GroundCtrl: To record medical assessment outcomes, determine fitness for work and support employer compliance

Module: Coal Services
Personal Information GroundCtrl Collects:
• Older 45 assessment information;
• Respiratory test results;
• Hearing test results;
• Coal mine worker medical results;
• Provider declarations;
• Worker identifiers
From Whom GroundCtrl Collects Personal Information: We collect this information from Coal Services providers and from workers undergoing assessments
How the Personal Information Is Used by GroundCtrl: To support statutory coal industry medical assessments and ensure compliance with relevant legislation

Module: Medical Records
Personal Information GroundCtrl Collects:
• Uploaded medical certificates;
• Past medical assessments;
• Provider notes;
• Treatment plans;
• Clinical summaries;
• Supporting documents
From Whom GroundCtrl Collects Personal Information: We collect this information from employees, contractors and medical providers
How the Personal Information Is Used by GroundCtrl: To store and maintain medical documentation required for employment, injury management and ongoing health surveillance

Module: Injury Management
Personal Information GroundCtrl Collects:
• Injury reports;
• Incident descriptions;
• Medical certificates;
• Treatment notes;
• Rehabilitation plans;
• Capacity assessments;
• Return-to-work plans
From Whom GroundCtrl Collects Personal Information: We collect this information from employees, contractors, medical providers and employers
How the Personal Information Is Used by GroundCtrl: To support injury management, rehabilitation coordination and compliance with workplace injury obligations

Module: Drug and Alcohol
Personal Information GroundCtrl Collects:
• Donor identity;
• Consent records;
• Chain of custody information;
• Sample collection details;
• Screening and confirmation test results;
• Refusal or non-compliance records;
• MRO review outcomes
From Whom GroundCtrl Collects Personal Information: We collect this information from employees, contractors, collectors, laboratories and MROs
How the Personal Information Is Used by GroundCtrl: To facilitate workplace drug and alcohol testing, record test results and support MRO review processes

Module: Occupational Hygiene
Personal Information GroundCtrl Collects:
• Exposure monitoring results (dust, noise, vibration, air quality);
• Sampling notes;
• Worker identifiers
From Whom GroundCtrl Collects Personal Information: We collect this information from providers and workers participating in assessments
How the Personal Information Is Used by GroundCtrl: To record occupational hygiene surveillance outcomes and support employer risk management processes

Module: Fatigue Management
Personal Information GroundCtrl Collects:
• Fatigue assessment results;
• Worker declarations;
• Provider or supervisor notes;
• Journey plans;
• Work and home related location information
From Whom GroundCtrl Collects Personal Information: We collect this information from employees, contractors, supervisors and providers
How the Personal Information Is Used by GroundCtrl: To assess and record fatigue risk and support employer fatigue mitigation processes
3.3 Data Sets
The GroundCtrl Platform also collects a range of data sets which are used for application functionality, personalisation, product improvement and user identification. These data sets include:

• Contact information data (name, email, phone number);
• health related data (medications and medical history, test results);
• geo-location data (precise and coarse);
• user generated content data (audio, photos, text);
• user identification data (verified identity, signature, application id);
• user support data (such as name, email, phone number, system ID or User ID of representative requesting user support on behalf of customer); and
• training candidate data (such as name, email, phone number, system ID or User ID of representative to be trained on behalf of customer).

This information is collected from the customer or from the representative.
3.4 Cookies, Tracking and Measurement Software
The GroundCtrl Platform uses cookies and similar technologies (such as Google Analytics, web beacons and proprietary measurement software) to analyse trends, administer our services, diagnose problems, improve the quality of our products and services, and track users' use of the Sample Assist Platform.
A cookie is a small text file that the GroundCtrl Platform and its associated applications may place on your device to store information. We may use persistent cookies (which remain on your computer even after you close your browser) to store information that may speed up your use of the GroundCtrl Platform applications for any of your future visits to the GroundCtrl Platform and its associated applications. We may also use session cookies (which no longer remain after you end your browsing session) to help manage the display and presentation of information on the Sample Assist Platform web apps. 

You may refuse to use cookies, web beacons or some of the proprietary measurement software features by selecting the appropriate settings on your browser or the settings section of your mobile or tablet device. However, please note that if you do this, you may not be able to use the full functionality of the GroundCtrl Platform, and this may therefore impact a customer’s ability to conduct its workplace health surveillance program(s).
4. Additional Information About How Personal Information Is Used and Disclosed
4.1 General Comments
As specified in section 3, the primary purposes for which Sample Assist collects personal information via the GroundCtrl Platform are to enable the functionality of the GroundCtrl Platform, provide services to our customers and to support the operation of our business. Sample Assist may disclose personal information to its related bodies corporate located in Australia and we will require each related body corporate to comply with this Privacy Policy in respect of the personal information disclosed to it.
4.2 Customers and Their Representatives
Sample Assist will use personal information of representatives for the primary purposes of providing the GroundCtrl Platform and services to the customer you represent and support ongoing business operations and enabling the existing and future functionality of the GroundCtrl Platform. This includes:

• monitoring the use of the GroundCtrl Platform and our services by the customer you represent and its employees, contractors, providers and agents;
• issuing invoices to the customer you represent;
• communicating with you about the customer’s relationship with us, our goods and services, and our own marketing;
• investigating any issues or complaints about, or made by, the customer, you or another individual;
• if we have reason to suspect that you or the customer or another individual are in breach of any of our terms and conditions or have been otherwise engaged in any unlawful activity;
• to provide customer support; and
• any other purposes which are required or authorised by any laws (including the Privacy Act).

Sample Assist will only disclose your personal information to third parties where this is reasonably necessary to enable us to operate our business or provide the customer you represent with our services and the use of the GroundCtrl Platform, or as is otherwise required or authorised by any laws (including the Privacy Act).
The types of third parties to whom we may generally disclose your personal information for the above purposes include:
• Google in connection with cloud infrastructure services provided to us;
• AWS in connection with cloud infrastructure services provided to us;
• texting service providers;
• employee management or HR software providers; 
• clinical practice management software;
• laboratory information management systems;
• subscription and mailing providers;
• our accounting, billing and related financial functions;
• employer safety management systems;
• our external professional advisers, such as legal advisors or accountants.
4.3 Disclosure Generally
In addition to any specific rights of disclosure specified above, Sample Assist may also disclose your personal information:
• as required by the Privacy Act and other legislation;
• to courts, tribunals, regulatory authorities and law enforcement officers;
• as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
• other persons notified to you at the time we collect your personal information, who you give your consent to, or to whom we are authorised or required by law to make such disclosure; and
• regulatory bodies responsible for maintaining compliance and standards in workplace drug testing.
4.4 De-identified Information
Sample Assist may use de-identified personal information for the following purposes:
• recording and assessment of internet usage across the GroundCtrl Platform;
• industry and academic research;
• data analytics (including by monitoring aggregate metrics such as total number of visitors, traffic and demographic patterns);
• statistical purposes;
• security (including preventing various types of data processing abuse attempts and blocking suspicious behaviour);
• creating, training and implementing machine learning models and artificial intelligence;
• quality assurance;
• policy generation;
• reviewing, modifying and upgrading the Sample Assist Platform including improving user experience; and
• creating new services or products.
5. Security of Personal Information
Sample Assist will take all reasonable precautions to protect your personal information from unauthorised access or disclosure, or misuse or loss. Some of these precautions include:

• appropriately securing our physical facilities, systems and electronic networks with at least standard industry protections;
• undergoing regular external security assessments and auditing, such as independent penetration testing;
• using standard industry encryption methods when storing and transferring Personal Information;
• implementing monitoring and access controls that regulate who can access particular information;
• requiring our team and service providers to comply with confidentiality obligations before they access personal information;
• conducting background checks on our staff before they commence work for us;
• reviewing changes to the Sample Assist Platform to ensure these meet our privacy and security commitments; 
• using artificial intelligence to monitor and manage User and Entity Behaviour Analytics; and
• ensuring all our staff use multi-factor authentication, secure biometric sign-ins and User Specific Application PINs when accessing our system.
6. Location of Personal Information
All personal information held by Sample Assist on the GroundCtrl Platform is stored in Australia. Before disclosing personal information to an entity or person located overseas, Sample Assist takes steps to ensure that the recipients of such information do not breach the Australian Privacy Principles in relation to the information, by including relevant contractual provisions.
7. Retention of Personal Information
Sample Assist will only retain personal information for as long as necessary to fulfil Sample Assist’s contractual obligations to its customers and otherwise comply with the purposes specified in this Privacy Policy unless a longer retention period is required or permitted under applicable law. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we handle your personal information and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements.

Sample Assist may retain de-identified personal information for as long as it considers necessary or appropriate.
8. Opting Out
You have the right to opt out of collection of your personal information and/or its use or disclosure in accordance with this Privacy Policy. Opting out has the same consequences on our customers and ourselves as specified in section 2.5. Given this, we recommend that you discuss your intention to opt out with the employer, agency or lab by whom you are employed or engaged before making a request.
9. Withdrawal of Consent
Where we have obtained your express consent to handle your personal information, or your consent to send you information, you may withdraw your consent at any time and we will cease to carry out the particular activity to which you previously consented unless we consider that there is an alternative reason to justify our continued handling of your personal information for this purpose. In this case, we will inform you if we have an alternate reason to continue to use your personal information.
Withdrawing your consent to our use of your personal information has the same consequences on our customers and ourselves as specified in section 2.5. Given this, we recommend that you discuss your intention to opt out with the employer, agency or lab by whom you are employed or engaged before making a request.
10. Accessing, Correcting and Updating Personal Information
Depending on the capacity in which you are accessing the GroundCtrl Platform and the user rights that our customer has given you, you may have authority to access, correct and/or update the personal information we hold about you. Irrespective of whether you have been allocated rights to access, correct and update your personal information, you have the right to contact Sample Assist to request access to, correction of and/or updating of the personal information we hold about you and to request a copy of the personal information we hold about you.

In some instances, we may be unable to give you access to or a copy of the personal information you have requested. If this is the case, we will provide you with a written explanation of the reasons for our rejection of your request. Please be aware that in some instances we may be legally required to keep an historical copy of the information that you have asked to be corrected or updated.
11. De-identification
You have the right to request that Sample Assist de-identifies the personal information we hold about you. Requesting de-identification of the personal information we hold about you has the same consequences on our customers and ourselves as specified in section 2.5. Given this, we recommend that you discuss your intent to request de-identification of the personal information with the employer, agency, provider or lab by whom you are employed or engaged before making a request.

You should also be aware that in some instances we may be required to keep historical versions of personal information to allow us to provide contracted services to our customer or to comply with legal requirements. If this is the case, we will provide you with a written explanation of the reasons for our rejection of your request.
12. Deletion
Depending on the capacity in which you are accessing the GroundCtrl Platform and the user rights that our customer has given you, you may have authority to delete the personal information we hold about you. Irrespective of whether you have been allocated rights to delete the personal information we hold about you, you have the right to request that Sample Assist deletes it. Requesting deletion of the personal information we hold about you has the same consequences on our customers and ourselves as specified in section 2.5. Given this, we recommend that you discuss your intent to delete or request deletion of the personal information with the employer, agency or lab by whom you are employed or engaged before deleting the personal information or making a request to delete it.

You should also be aware that in some instances we may be required to keep historical versions of personal information to allow us to provide contracted services to our customer or to comply with legal requirements. If this is the case, we will provide you with a written explanation of the reasons for our rejection of your request.
13. Making Requests under Sections 8, 9, 10, 11 and 12 and Processing
If you wish to contact Sample Assist to make a request under sections 8, 9, 10 or 11, please contact us using the contact details in section 13.

We will generally comply with the following timelines:
• acknowledging your request – within 2 working days of receipt of a written request;
• providing you with access – within 14 days of receipt of a written request;
• correcting errors – within 14 days of receipt of a written request;
• updating personal information – within 14 days of receipt of a written request;
• providing a copy of the personal information we hold about you – within 14 days of receipt of a written request;
• de-identifying personal information – within 14 days of receipt of a written request;
• deletion of personal information – within 14 days of receipt of a written request; and
• other matters – within 28 days of receipt of a written request.

Sample Assist will notify you if we cannot meet the timings specified above and provide new timing. There is no fee for submitting a request and we do not intend to charge a fee for dealing with your requests. However, if after undertaking a preliminary review of the personal information we hold about you, we conclude that the volume is extensive, we reserve the right to charge a reasonable fee for undertaking the action you have requested. We will inform you of the proposed fee before undertaking any action other than the preliminary review and will not take any further action until you have paid the fee.
14. Contacting Us and Complaints
In addition to contacting us for the reasons described in section 12, you may contact us if:
• you would like to request access, correction, updating, de-identification or deletion to or of the personal information we hold about you or withdraw your consent to our use of the personal information;
• you have any questions, concerns or feedback about this Privacy Policy, the personal information we collect or how we handle the personal information we hold about you; or
• you wish to complain about our decision to reject a request you have made for access, correction, updating, de-identification or deletion to or of the personal information we hold about you.

You may contact us by using one of the following options:

DIGITAL PROTECTION OFFICER

Platform 

via the GroundCtrl Platform.

Website 
via our website: by completing an online contact form.

Email
dpo@sampleasisst.com.

Post
Sample Assist Pty Ltd
Suite 9, iAccelerate (Building 239), Innovation Campus
Squires Way
North Wollongong NSW 2500
AUSTRALIA

If you are not satisfied with our response to any complaint you have made, you may contact the Office of the Australian Information Commissioner to seek advice or make a complaint via the contact details available on the website at www.oaic.gov.au.