Privacy at Work

Privacy at Work and COVID-19

The COVID-19 pandemic is presenting a range of privacy challenges at work. Health information about a worker can be particularly sensitive and must be handled appropriately by employers. However, privacy laws do not prohibit the collection, use and disclosure of health information to the extent that it is necessary to prevent and manage COVID-19 risks at work.

It is crucial for employers to have clear workplace policies and processes that ensure that personal and health information is only collected when necessary, stored securely, and used or disclosed only for lawful and proper purposes, including to ensure the health and safety of workers and others. Policies should also consider and assess any privacy issues arising from changed working arrangements.

Privacy laws

Employers collect, disclose, use and store personal and health information about employees frequently for many different purposes. Privacy obligations vary depending on whether the employer is public or private and the jurisdiction the employer is in.1 

Generally, employers are obliged not to use or disclose personal or health information other than for the purpose it was collected, unless the consent of the worker is provided. Even if consent is not provided, there are exemptions allowing use or disclosure in certain limited circumstances – for example, to prevent imminent harm to someone.

‘Personal information’ is defined by the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether written or not. ‘Health information’ is a subset of personal information, and is defined as information or an opinion about an individual’s health (including an illness, disability or injury) at any point in time; or an individual’s expressed wishes about the future provision of health services, or a health service provided, or to be provided, to an individual.

‘Use’ and ‘disclosure’ of information are not the same thing. An entity ‘uses’ information when it handles information within the entity but retains effective control over the information: for example, when a manager shares information with a payroll staff member to ensure payment of an entitlement to an employee. An entity ‘discloses’ personal information when it makes it accessible to others outside the entity and releases the subsequent handling of the information from its effective control: for example, when an HR person shares information about an employee with a person or body external to the organisation.

Work health and safety obligations

Employers have a general obligation to ensure the health and safety of workers and others, so far as reasonably practicable. This means employers must take all reasonable steps to limit the work-related spread of COVID-19. To take such steps, employers may need to collect information from workers and visitors about their potential exposure to COVID-19 so that they can identify, assess and control risks of infection.

WHS laws include a specific obligation to provide ‘any information necessary’ to protect all persons (including workers and others, such as visitors) from risks to their health and safety arising from work.2 In addition, employers must consult, confer and provide access to information to HSRs relating to the health and safety of the workers in the HSR’s workgroup.3 An employer can provide an HSR with access to personal or medical information concerning a worker only with a worker’s consent, unless the information does not identify the worker and could not reasonably be expected to lead to the identification of the worker.4

What information can or should an employer collect in relation to COVID-19?

Employers can collect information that is reasonably necessary to meet their obligations under WHS laws to identify risk and implement appropriate controls to prevent or manage COVID-19 in line with Department of Health guidelines. This could include collecting information from workers and visitors about close contact with confirmed or potential cases, or recent overseas travel.

What information can or should an employer use or disclose?

Where vaccinations are mandatory for specific jobs, the employer will need to know the worker’s vaccination status. There is no reason for the employer to have access to a worker’s Australian Immunization Record or medical records. It is sufficient for the employer to ask to view documentation of vaccination, which the employer then marks off on a register to indicate this.

In order to comply with privacy laws, personal and health information should only be used or disclosed by employers on a ‘need-to-know’ basis. Employers should collect, use or disclose only the minimum amount of personal or health information reasonably necessary to prevent or manage COVID-19. Workers and HSRs need to be advised of how the employer will handle personal or health information in responding to any potential or actual case of COVID-19. This means employers must have clear processes and designated staff members with responsibility for handling these matters, and secure information storage methods.

If a worker is confirmed to have COVID-19, employers must ensure the worker is supported not to return to work while they are infectious. Notification should be made to, and guidance sought from, the relevant Health Department and WHS regulator in their jurisdiction. It may be necessary to share the identity of the worker with others at the workplace in order to identify those who have had close contact with a confirmed case.

HSRs should be notified of the existence of a confirmed case and consulted on appropriate control measures. In order to comply with privacy obligations, a confirmed case’s identity should be shared with others strictly on a ‘need-to-know’ basis, even if consent has been provided by the worker. This is particularly important because discrimination, harassment and abuse have been targeted at those who have contracted coronavirus. This may undermine the health and safety of the worker in question as well as HSR and employer efforts to effectively manage the situation.

Your health and safety rights

Every worker has the right to healthy and safe work. Elected Health and Safety Representatives [HSRs] also have powers and rights under health and safety law.

If you feel immediately unsafe at work, you can stop the unsafe work – but you must be available for other safe duties. Before taking this action, talk to your union delegate and HSR. 

HSRs have the power to direct work to cease if there is an immediate or imminent risk to health and safety. Everyone must be available to perform alternate safe duties and, if they can, HSRs must try to consult with management before directing work to cease. HSRs may also issue a Provisional Improvement Notice (PIN) requiring the PCBU/employer to take certain actions. HSRs must have consulted with the PCBU/employer about the health and safety issue.

Under WHS law these rights exist only after the HSR has attended an approved training course. So, training is essential. In Victoria, HSRs have these rights as soon as they are elected, regardless of whether they have been trained.


1 The Commonwealth Privacy Act 1988 sets out standards for the handling, holding, use, accessing and correction of personal information. The Privacy Act does not cover businesses with a turnover of less than $3 million, or apply to private sector employers’ handling of employee records directly related to the employment relationship. However, State privacy laws may still apply to employee records notwithstanding these exemptions. For example, the Health Records Act 2001 (Vic) applies to private sector organisations that handle employees’ health information. For these reasons it is essential to obtain a commitment that any health information is not stored on employee records.

2 Model WHS Act, s 19(3)(f)

3 Model WHS Act, s 70(1)(c)

4 Model WHS Act s 71(2)
