I need to access my employee's medical records – do I need consent?

Knowing information, such as the medical background of an employee, helps employers adjust and accommodate them in the workplace – but there is a limit on the information companies are allowed to access before breaching privacy laws.

With regards to medical records, how much information can employers access and does the employee need to give consent whenever a company needs to access them?

Privacy vs personal information

The terms privacy and personal information are used closely to complement each other but do not share the same meaning. Privacy is the action of keeping certain information to themselves and a selected amount of selected people.

Meanwhile, personal information is the information that is used to identify an individual, such as name, addresses, phone numbers, bank account details, government identification numbers, academic records, and even medical background. It differs from the term privacy since privacy is the act that protects personal information from being shared with others without the consent of the owner.

Although it sounds like basic information that people share regularly, some personal information must remain private as people can use it for the wrong reasons, like blackmail, scams and identity theft. This sensitive information can include political opinions, religious or philosophical beliefs, trade union membership, criminal record, sexual orientation and medical history.

Privacy can also ease the worry and stress of someone prying into someone else’s information they wish not to share. Therefore, Commonwealth privacy laws have set restraints on collecting and handling private personal information.

Read more: How HR can help prevent data breaches

Australian laws on privacy

Australia takes privacy seriously and has set laws protecting employees’ information and the right to keep personal information like health and medical background.

The Privacy Act 1988 is the primary Australian legislation in protecting and handling employees' personal information. It covers the collection, use and disclosure of personal information in the federal public and private sectors.

Under the Privacy Act 1988, there are 13 Australian Privacy Principles (APP) that help protect sensitive personal information but not to the extent of restricting organizations with stringent policies. It includes guidelines on transparency, anonymity, collection, dealing, notifying, use, security, access, correction and quality of personal information. The APPs apply to government agencies and the private sector businesses that have an annual turnover of $3m or more, including private health service providers and some small businesses.

When a breach of an APP happens, the Office of the Australian Information Commissioner (OAIC) reviews and investigates the cases.

The Privacy Act is supported by other federal laws such as the Privacy Regulation 2013 and the Privacy (Credit Reporting) Code 2014. In addition, the states and territories also have their own privacy laws they follow alongside the Privacy Act, such as:

• New South Wales

• Privacy and Personal Information Protection Act 1998 (PPIP Act) for NSW public sector agencies, local councils and universities. It is handled by the NSW Information and Privacy Commission.
• Health Records and Information Privacy Act 2002 (HRIP Act) for NSW public sector agencies, local councils, universities, public sector health organisations, private sector organisations and health service providers.

• Victoria

• Privacy and Data Protection Act 2014 (PDP Act) for Victorian government organisations. It Is handled by the Office of the Victorian Information Commissioner.
• Health Records Act 2001 for protecting the health information of an individual. It is handled by the Office of the Health Services Commissioner.

• Queensland

• Queensland Information Privacy Act 2009 for Queensland Government agencies. It is handled by the Queensland Office of the Information Commissioner.
• Queensland’s Health Ombudsman handles complaints on health services and health service providers.

• Western Australia

• Freedom of Information Act 1992 which deals some privacy principles related to disclosure and amendment of personal information by WA state and local government agencies
• Health and Disability Services Complaints office handles complaints related to WA health and disability services

• South Australia

• South Australian privacy committee for SA government agencies.
• Health and Community Services Complaints Commissioner handles complaints on government, non-government and private health and community services.

• Tasmania

• Personal Information and Protection Act 2004 for the Tasmanian public sector and public hospitals. It is handled by the Tasmanian Ombudsman.

• ACT

• Information Privacy Act 2014 for ACT public sector agencies. It includes a set of Territory Privacy Principles (TPPs) that covers the storage, use and disclosure of personal information.
• Health Records (Privacy and Access) Act 1997 manages health records held by ACT government agencies and public hospitals. It is handled by the ACT Human Rights Commission.

• Northern Territory

• Information Act 2002 manages complaints relating to personal and health information privacy. It is handled by the Office of the Information Commissioner Northern Territory.

Can an employer access employees’ medical record?

Regarding accessing information on an employee’s medical background, employers are not allowed to request a copy of a medical record from a medical professional or agency without the consent of the employee.

However, an employer could request for an employee’s medical records only when it is needed to determine whether they are fit to work or perform moderated duties. The information an employer could access is limited as the Privacy Act does not allow companies to request for full medical history records of an employee.

An employer could also request for a medical certificate when an employee files an accrued paid sick leave when they are sick. The medical certificate proves that the employee is unfit to work due to a personal illness or injury.

Trish Low, previous national leader – equal opportunity and training at Herbert Smith Freehills, told HC employers have the right to question an employee’s medical clearance in certain cases.

“If your employee is cleared to come back to work but you're genuinely worried that it's not safe for them to do so, you can get a second medical opinion. You do have the right to direct them to a medical professional and you can choose the doctor.” Low said.

Requesting a second medical opinion assures employers they’re not putting the employee’s health at risk when they return to work, which could make the employer liable if the from a workers’ compensation point of view if ever the employee reinjured themselves on the job.

Read more: When can you require an employee to undergo an independent medical examination?

Employers and employees alike should have an understanding of the privacy laws of their state to avoid any legal breaches in the future that could be costly in legal fees and ruin the image and relationship of the employee and employer. Being aware and compliant with policies about privacy can help build trust between the two parties that can boost motivation and loyalty in the workplace.