Privacy at Work


Privacy laws

Employers collect, disclose, use and store personal and health information about employees frequently for many different purposes. Privacy obligations vary depending on whether the employer is public or private and the jurisdiction the employer is in.[1]

Generally, employers are obliged not to use or disclose personal or health information other than for the purpose it was collected, unless the consent of the worker is provided. Even if consent is not provided, there are exemptions allowing use or disclosure in certain limited circumstances – for example, to prevent imminent harm to someone.

‘Personal information’ is defined by the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether written or not.

‘Health information’ is a subset of personal information, and is defined as information or an opinion about an individual’s health (including an illness, disability or injury) at any point in time; or an individual’s expressed wishes about the future provision of health services, or a health service provided, or to be provided, to an individual.

‘Use’ and ‘disclosure’ of information are not the same thing. An entity ‘uses’ information when it handles information within the entity but retains effective control over the information. For example, a manager shares information with a payroll staff member to ensure payment of an entitlement to an employee.

An entity ‘discloses’ personal information when it makes it accessible to others outside the entity and releases the subsequent handling of the information from its effective control. For example, an HR person shares information about an employee with a person or body external to the organisation.

Work health and safety obligations

Employers have a general obligation to ensure the health and safety of workers and others, so far as reasonably practicable. This means employers must take all reasonable steps to limit the work-related spread of Covid-19. In order to take such steps, employers may need to collect information from workers and visitors about their potential exposure to Covid-19 in order to identify, assess and control risks of infection.

WHS laws include a specific obligation to provide ‘any information necessary’ to protect all persons (including workers and others, such as visitors) from risks to their health and safety arising from work.[2]

In addition, employers must consult, confer and provide access to information to HSRs relating to the health and safety of the workers in the HSR’s workgroup.[3] An employer can provide an HSR with access to personal or medical information concerning a worker only with the worker’s consent, unless the information does not identify the worker and could not reasonably be expected to lead to the identification of the worker.[4]

What information can or should an employer use or disclose?

Where vaccinations are mandatory for specific jobs, the employer will need to know the worker’s vaccination status. There is no reason for the employer to have access to a worker’s Australian Immunization Record or medical records. It is sufficient for the employer to ask to view documentation of vaccination and then record on a register that the documentation has been sighted.

In order to comply with privacy laws, personal and health information should only be used or disclosed by employers on a ‘need-to-know’ basis. Employers should collect, use or disclose only the minimum amount of personal or health information reasonably necessary to prevent or manage Covid-19. Workers and HSRs need to be advised of how the employer will handle personal or health information in responding to any potential or actual case of Covid-19. This means employers must have clear processes, designated staff members with responsibility for handling these matters, and secure information storage methods.

If a worker is confirmed to have Covid-19, employers must ensure the worker is supported not to return to work while they are infectious. It may be necessary to share the identity of the worker with others at the workplace in order to identify those who have had close contact with a confirmed case.

HSRs should be notified of the existence of a confirmed case and consulted on appropriate control measures. In order to comply with privacy obligations, a confirmed case’s identity should be shared with others strictly on a ‘need-to-know’ basis, even if consent has been provided by the worker.

Your health and safety rights

Every worker has the right to healthy and safe work. Elected Health and Safety Representatives (HSRs) also have powers and rights under health and safety law.

If you feel immediately unsafe at work, you can stop the unsafe work – but you must be available for other safe duties. Before taking this action, talk to your union delegate and HSR.

[1] The Commonwealth Privacy Act 1988 sets out standards for the handling, holding, use, accessing and correction of personal information. The Privacy Act does not cover businesses with a turnover of less than $3 million, or apply to private sector employers’ handling of employee records directly related to the employment relationship. However, State privacy laws may still apply to employee records notwithstanding these exemptions. For example, the Health Records Act 2001 (Vic) applies to private sector organisations that handle employees’ health information. For these reasons it is essential to obtain a commitment that any health information is not stored on employee records.

[2] Model WHS Act, s 19(3)(f)

[3] Model WHS Act, s 70(1)(c)

[4] Model WHS Act, s 71(2)

