Does it affect my rights as an OHS rep?
The simple answer is NO.
The rights you have under the Victorian Occupational Health and Safety Act (2004) to have access to information as follows:
s69 Other obligations of employers to health and safety representatives
(1) An employer, any of whose employees are members of a designated work group must—
(a) allow a health and safety representative for the designated work group to have access to information that the employer has relating to—
(i) actual or potential hazards arising from the conduct of the undertaking of the employer or the plant or substances used for the purposes of that undertaking; and
(ii) the health and safety of the members of the designated work group, or persons mentioned in section 44(1)(e) or 48(1)(e) whom the health and safety representative is authorised to represent;
Section 69 (1)(a)(ii) is limited though when it comes to personal medical information by s69 (2):
(2) Despite subsection (1), an employer must not allow a health and safety representative to have access to any medical information concerning an employee without the employee's consent unless the information is in a form—
(a) that does not identify the employee; or
(b) from which the employee's identity cannot reasonably be ascertained.
The VTHC believes these rights are not affected by Victorian or Commonwealth privacy legislation -
- Privacy Act 1988 (Commonwealth),
- Privacy and Data Protection Act 2014 (Victoria) - designed to protect all information held by the Victorian public sector; and
- Health Records Act 2001.
It is not uncommon for reps to report that their employer has refused them access to all sorts of information (to which they have a right), claiming that the 'Privacy Act' prohibits them from making this information available.
- an employer refusing to notify the reps when an accident occurred, claiming that it was illegal for the company to release the names of any workers who had been injured in that, or any, accident. The reps only found out something had gone wrong when they noticed that a fellow worker wasn't around and started asking questions!
- a large employer 'blanking out' the name of the person involved and a number of important details (such as the location and actions taken to address the problem) on incident reports before providing these to the rep, claiming this was 'personal' information.
Unfortunately, there are some employers who will come up with creative excuses for not complying with their legal duties under the Act.
How information is dealt with is covered by the Information Privacy Principles
IPP 2 covers Use and Disclosure of Information:
2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—
(a) both of the following apply—
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual—
(i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and
(ii) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information; or
(d) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent—
(i) a serious threat to an individual’s life, health, safety or welfare; or
(ii) a serious threat to public health, public safety or public welfare; or
In light of the COVID-19 pandemic, the Office of the Victorian Information Commissioner (OVIC) has released guidelines These make the following points in relation to Information Privacy Principles (IPPs):
Use and disclosure of personal and health information for purposes related to COVID-19
IPP 2 and HPP 2, which govern the use and disclosure of personal and health information respectively, state that organisations should only use and disclose personal or health information for the primary purpose for which it was collected or for one of the permitted secondary purposes outlined in those provisions.
Threat to public health or safety
Under IPP 2.1(d)(ii), organisations can use and disclose personal information for a secondary purpose in the absence of consent where they reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to public health, public safety or public welfare. HPP 2.2(h)(ii) contains a similar permission for the secondary use and disclosure of health information.
As the World Health Organisation has declared the outbreak of COVID-19 a pandemic, and the Victorian Government has declared a State of Emergency in Victoria, using and disclosing personal and health information under IPP 2.1(d)(ii) and HPP 2.2(h)(ii) to prevent or manage the virus is likely permissible. Organisations must reassess this position once the spread of the virus has subsided, as the threat may no longer meet the ‘serious’ threshold required to share personal and health information under this exception after the emergency has passed.
The principles apply not only during this pandemic, but at other times as well, so any information, even if covered by the privacy laws, which may be necessary to lessen/prevent a serious risk to both 'an individual' (ie I would say 'a worker' is included) or the public's health, safety or welfare.
Based on discussions with the Office of the Australian Information Commissioner, employers refusing to provide information to HSRs based on a vague 'privacy' excuse is a misuse of the legislation. It also provided the following advice:
- The Privacy Act was designed primarily to protect an individual's PRIVATE information - for example, someone's personal medical records ('health information' - see below).
- The sort of information the employer should provide to allow the rep to inspect under Section 58(1)(a)(ii) - ie that an incident has occurred, the names of people involved, outcomes (eg first aid administered, ambulance called, WorkSafe notified, etc) - is not that covered by the Privacy Act. OHS reps are entitled to access a wide range of information under the OHS Act.
- Section 58(1)(a)(ii) of the Occupational Health and Safety Act (2004) explicitly gives OHS reps the right to IMMEDIATELY investigate "an accident, hazardous situation, dangerous occurrence or immediate risk". Implicitly, this means the employer MUST NOTIFY the rep/s that something has occurred.
- The employer must allow the OHS rep to have access to information on actual or potential hazards [Section 69(1)(a)(i)] AND on the health and safety of members of the DWG [Section69(1)(a)(ii)]
- Furthermore, the medical records of an individual are protected under the Act, unless the individual gives permission (see Sections 69(2)] .
What is 'health information'?
The following is from an OAIC publication:
All personal information collected in the course of providing a health service is considered health information under the Privacy Act.
'Health information' under the Privacy Act includes:
- personal information about the health or disability (at any time) of an individual, their expressed wishes about their future health treatment or health services provided or to be provided to them
- other personal information collected to provide, or in providing a health service. This includes personal details such as a patient's name, address, admission and discharge dates, billing information and Medicare number
- information relating to physical or biological samples, where it can be linked to a patient (for example if they are labelled with the patient's name or other identifier)
- other personal information collected in connection with an individual's donation of their organs or tissues
- genetic information about an individual in a form that is, or could be, predictive of the health of that individual or a genetic relative.
Health information could include information held in any form, including paper, electronic and visual information. Examples include:
- information about an individual's physical or mental health
- notes of an individual's symptoms or diagnosis and the treatment given
- specialist reports and test results
- appointment and billing details
- prescriptions and other pharmaceutical purchases
- dental records
- records held by a fitness club about an individual
- an individual's healthcare identifier when it is collected to provide a health service
- any other personal information (such as information about an individual's date of birth, gender, race, sexuality, religion), collected for the purpose of providing a health service.
So, from the above, it is clear that the sort of information in an incident or injury report is not 'health' or 'medical' information and consequently an employer cannot refuse to provide this on the basis of 'privacy'.
If you have any questions about the Privacy Act, call the Office of the Australian Information Commissioner on 1300 363 992. It also has a website with information, guidance on the Australian Privacy Principles and access to the full text of the legislation.
In Victoria: the Office of the Victorian Information Commissioner has a website and can be contacted on 1300 666 444.
What WorkSafe Victoria says:
When the VTHC first raised this issue WorkSafe Victoria, this is the advice the regulator provided:
"WorkSafe Victoria's view ... is that the various privacy laws, both Commonwealth and Victorian, do not prevent health and safety representatives' access to information, or issues being discussed at health and safety committee meetings. WorkSafe's view is that Section 31(3) provides adequate protection for privacy in relation to employees' medical details."
Note: Section 69(2) of OHS Act provides that an employer can only supply medical information to an OHS rep in a form which does not identify an individual worker UNLESS that worker has consented. OHS reps need to make sure that members of their designated work groups provide their consent.
What to do...
If you are having similar problems in your workplace, raise the issue at the OHS Committee level to establish a formal protocol on notifying reps immediately in the event of an accident, dangerous occurrence, etc, and to guarantee access to information as provided for in the OHS Act.
Make sure you also contact your union to keep them informed of what has been going on in your workplace and for further information and advice.
Last updated July 2020