Privacy legislation

Does it affect my rights as an OHS rep?

The simple answer is NO.

The rights you have under the Victorian Occupational Health and Safety Act (2004) to have access to information as follows:

s69 Other obligations of employers to health and safety representatives

(1) An employer, any of whose employees are members of a designated work group must—

(a) allow a health and safety representative for the designated work group to have access to information that the employer has relating to—

(i) actual or potential hazards arising from the conduct of the undertaking of the employer or the plant or substances used for the purposes of that undertaking; and

(ii) the health and safety of the members of the designated work group, or persons mentioned in section 44(1)(e) or 48(1)(e) whom the health and safety representative is authorised to represent;

Section 69 (1)(a)(ii) is limited though when it comes to personal medical information by s69 (2):

(2) Despite subsection (1), an employer must not allow a health and safety representative to have access to any medical information concerning an employee without the employee's consent unless the information is in a form—

(a) that does not identify the employee; or
(b) from which the employee's identity cannot reasonably be ascertained.

The VTHC believes these rights are not affected by Victorian or Commonwealth privacy legislation -

  • Privacy Act 1988 (Commonwealth),
  • Privacy and Data Protection Act 2014 (Victoria) - designed to protect all information held by the Victorian public sector; and
  • Health Records Act 2001.

It is not uncommon for reps to report that their employer has refused them access to all sorts of information (to which they have a right), claiming that the 'Privacy Act' prohibits them from making this information available.

Examples include:

  • an employer refusing to notify the reps when an accident occurred, claiming that it was illegal for the company to release the names of any workers who had been injured in that, or any, accident. The reps only found out something had gone wrong when they noticed that a fellow worker wasn't around and started asking questions!
  • a large employer 'blanking out' the name of the person involved and a number of important details (such as the location and actions taken to address the problem) on incident reports before providing these to the rep, claiming this was 'personal' information.

Unfortunately, there are some employers who will come up with creative excuses for not complying with their legal duties under the Act.

How information is dealt with is covered by the Information Privacy Principles 

IPP 2 covers Use and Disclosure of Information:

2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless—

(a) both of the following apply—

(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

(b) the individual has consented to the use or disclosure; or

(c) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual—

(i) it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and
(ii) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information; or

(d) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent—

(i) a serious threat to an individual’s life, health, safety or welfare; or
(ii) a serious threat to public health, public safety or public welfare; or

Based on discussions with the Office of the Australian Information Commissioner, employers refusing to provide information to HSRs based on a vague 'privacy' excuse is a misuse of the legislation. It also provided the following advice:

  • The Privacy Act was designed primarily to protect an individual's PRIVATE information - for example, someone's personal medical records ('health information' - see below).
  • The sort of information the employer should provide to allow the rep to inspect under Section 58(1)(a)(ii) - ie that an incident has occurred, the names of people involved, outcomes (eg first aid administered, ambulance called, WorkSafe notified, etc) - is not that covered by the Privacy Act. OHS reps are entitled to access a wide range of information under the OHS Act.
  • Section 58(1)(a)(ii) of the Occupational Health and Safety Act (2004) explicitly gives OHS reps the right to IMMEDIATELY investigate "an accident, hazardous situation, dangerous occurrence or immediate risk". Implicitly, this means the employer MUST NOTIFY the rep/s that something has occurred.
  • The employer must allow the OHS rep to have access to information on actual or potential hazards [Section 69(1)(a)(i)] AND on the health and safety of members of the DWG [Section69(1)(a)(ii)]
  • Furthermore, the medical records of an individual are protected under the Act, unless the individual gives permission (see Sections 69(2)] .

What is 'health information'?

The following is from an OAIC publication:

All personal information collected in the course of providing a health service is considered health information under the Privacy Act.

'Health information' under the Privacy Act includes:

  • personal information about the health or disability (at any time) of an individual, their expressed wishes about their future health treatment or health services provided or to be provided to them
  • other personal information collected to provide, or in providing a health service. This includes personal details such as a patient's name, address, admission and discharge dates, billing information and Medicare number
  • information relating to physical or biological samples, where it can be linked to a patient (for example if they are labelled with the patient's name or other identifier)
  • other personal information collected in connection with an individual's donation of their organs or tissues
  • genetic information about an individual in a form that is, or could be, predictive of the health of that individual or a genetic relative.

Health information could include information held in any form, including paper, electronic and visual information. Examples include:

  • information about an individual's physical or mental health
  • notes of an individual's symptoms or diagnosis and the treatment given
  • specialist reports and test results
  • appointment and billing details
  • prescriptions and other pharmaceutical purchases
  • dental records
  • records held by a fitness club about an individual
  • an individual's healthcare identifier when it is collected to provide a health service
  • any other personal information (such as information about an individual's date of birth, gender, race, sexuality, religion), collected for the purpose of providing a health service.

So, from the above, it is clear that the sort of information in an incident or injury report is not 'health' or 'medical' information and consequently an employer cannot refuse to provide this on the basis of 'privacy'.

If you have any questions about the Privacy Act, call the Office of the Australian Information Commissioner on 1300 363 992. It also has a website with information, guidance on the Australian Privacy Principles and access to the full text of the legislation.

In Victoria: the Office of the Victorian Information Commissioner has a website and can be contacted on 1300 666 444.

What WorkSafe Victoria says:

When the VTHC first raised this issue WorkSafe Victoria, this is the advice the regulator provided:

"WorkSafe Victoria's view ... is that the various privacy laws, both Commonwealth and Victorian, do not prevent health and safety representatives' access to information, or issues being discussed at health and safety committee meetings. WorkSafe's view is that Section 69(2) of our OHS Act provides adequate protection for privacy in relation to employees' medical details."

Note: Section 69(2) of OHS Act provides that an employer can only supply medical information to an OHS rep in a form which does not identify an individual worker UNLESS that worker has consented. OHS reps need to make sure that members of their designated work groups provide their consent.

VCAT decision on HSR getting requested information

As HSRs know, the employer has a duty to provide them with access to information concerning hazards, health and safety of DWG members - under s69(1). However, under s69(2) the employer cannot give the HSR access to any medical information concerning an employee without the employee's consent unless the information is in a form that either does not identify the employee; or from which the employee's identity cannot reasonably be ascertained.

It has been the experience of many HSRs that when they have asked their employer to provide them with information such as what incidents their DWGs members have been involved in, or the names of DWG members who have been injured, their employer has refused. The reasons given vary from 'you don't need to know' through to 'this is medical information' to 'this information - the names of workers -  is covered by privacy legislation.' We disagree with these responses: names are not covered by 'privacy' when the workers are members of the DWG; informing the HSR that there has been an incident, who was involved and what injuries they suffered is not 'medical information' and finally, an HSR does need to know this information in order to be able to exercise their rights (eg to undertake an inspection, to identify what the hazards and risks are in order to raise these for resolution with their employer on behalf of their DWG, and so on).

Unfortunately, on too many occasions, WorkSafe inspectors have agreed with the employer - cancelling a PIN issued by the HSR when the employer refused to supply this information. Last year this happened to an HSR, who then appealed the inspector's decision through WorkSafe's Internal Review process. Surprisingly, or perhaps not surprisingly, IR agreed with the inspector's decision to cancel the PIN.

The HSR, and his union, were not going to give up, however, and took the case up at VCAT. In a great outcome, VCAT decided that the HSR did, in fact, have the right to this information. In this case, it involved getting more information on, including the names, of DWG members who had been assaulted. VCAT took into account a range of issues: the OHS Act and why it provides HSRs with the right to access information, Privacy laws, and more. This was a great decision and will hopefully affect how employers and WorkSafe inspectors respond to requests from HSRs for information.  

Read more: Griffiths v Victorian Workcover Authority - WorkSafe Victoria (Review and Regulation) [2021] VCAT 561 (1 June 2021)

What to do...

If you are having similar problems in your workplace, raise the issue at the OHS Committee level to establish a formal protocol on notifying reps immediately in the event of an accident, dangerous occurrence, etc, and to guarantee access to information as provided for in the OHS Act.

Make sure you also contact your union to keep them informed of what has been going on in your workplace and for further information and advice.

Last updated March 2024