Privacy legislation

Does it affect my rights as an OHS rep? The simple answer is NO.

The rights you have under the Victorian Occupational Health and Safety Act (2004) to have access to information as follows:

s69 Other obligations of employers to health and safety representatives

(1) An employer, any of whose employees are members of a designated work group must—

(a) allow a health and safety representative for the designated work group to have access to information that the employer has relating to—

(i) actual or potential hazards arising from the conduct of the undertaking of the employer or the plant or substances used for the purposes of that undertaking; and

(ii) the health and safety of the members of the designated work group, or persons mentioned in section 44(1)(e) or 48(1)(e) whom the health and safety representative is authorised to represent;

Section69(1)(a)(ii) is limited though when it comes to personal medical information by s69(2):

(2) Despite subsection (1), an employer must not allow a health and safety representative to have access to any medical information concerning an employee without the employee's consent unless the information is in a form—

(a) that does not identify the employee; or
(b) from which the employee's identity cannot reasonably be ascertained.

We believe these rights are not affected by Victorian or Commonwealth privacy legislation -

  • Privacy Act 1988 (Commonwealth),
  • Privacy and Data Protection Act 2014 (Victoria) - designed to protect all information held by the Victorian public sector; and
  • Health Records Act 2001.

It is not uncommon for reps to report that their employer has refused them access to all sorts of information (to which they have a right), claiming that the 'Privacy Act' prohibits them from making this information available.

Examples include:

  • an employer refusing to notify the reps when an accident occurred, claiming that it was illegal for the company to release the names of any workers who had been injured in that, or any, accident. The reps only found out something had gone wrong when they noticed that a fellow worker wasn't around and started asking questions!
  • a large employer 'blanking out' the name of the person involved and a number of important details (such as the location and actions taken to address the problem) on incident reports before providing these to the rep, claiming this was 'personal' information.

Unfortunately, there are some employers who will come up with creative excuses for not complying with their legal duties under the Act.

Based on discussions with the Office of the Australian Information Commissioner, this is a misuse of the legislation. It also provided the following advice:

  • The Privacy Act was designed primarily to protect an individual's PRIVATE information - for example, someone's personal medical records ('health information' - see below).
  • The sort of information the employer should provide to allow the rep to inspect under Section 58(1)(a)(ii) - ie that an incident has occurred, the names of people involved, outcomes (eg first aid administered, ambulance called, WorkSafe notified, etc) - is not that covered by the Privacy Act. OHS reps are entitled to access a wide range of information under the OHS Act.
  • Section 58(1)(a)(ii) of the Occupational Health and Safety Act (2004) explicitly gives OHS reps the right to IMMEDIATELY investigate "an accident, hazardous situation, dangerous occurrence or immediate risk". Implicitly, this means the employer MUST NOTIFY the rep/s that something has occurred.
  • The employer must allow the OHS rep to have access to information on actual or potential hazards [Section 69(1)(a)(i)] AND on the health and safety of members of the DWG [Section69(1)(a)(ii)]
  • Furthermore, the medical records of an individual are protected under the Act, unless the individual gives permission (see Sections 69(2)] .

What is 'health information'?

The following is from an OAIC publication:

All personal information collected in the course of providing a health service is considered health information under the Privacy Act.

'Health information' under the Privacy Act includes:

  • personal information about the health or disability (at any time) of an individual, their expressed wishes about their future health treatment or health services provided or to be provided to them
  • other personal information collected to provide, or in providing a health service. This includes personal details such as a patient's name, address, admission and discharge dates, billing information and Medicare number
  • information relating to physical or biological samples, where it can be linked to a patient (for example if they are labelled with the patient's name or other identifier)
  • other personal information collected in connection with an individual's donation of their organs or tissues
  • genetic information about an individual in a form that is, or could be, predictive of the health of that individual or a genetic relative.

Health information could include information held in any form, including paper, electronic and visual information. Examples include:

  • information about an individual's physical or mental health
  • notes of an individual's symptoms or diagnosis and the treatment given
  • specialist reports and test results
  • appointment and billing details
  • prescriptions and other pharmaceutical purchases
  • dental records
  • records held by a fitness club about an individual
  • an individual's healthcare identifier when it is collected to provide a health service
  • any other personal information (such as information about an individual's date of birth, gender, race, sexuality, religion), collected for the purpose of providing a health service.

So, from the above, it is clear that the sort of information in an incident or injury report is not 'health' or 'medical' information and consequently an employer cannot refuse to provide this on the basis of 'privacy'.

If you have any questions about the Privacy Act, call the Office of the Australian Information Commissioner on 1300 363 992. It also has a website with information, guidance on the Australian Privacy Principles and access to the full text of the legislation.

In Victoria: the Office of the Victorian Information Commissioner has a website and can be contacted on 1300 666 444.

What WorkSafe Victoria says:

When the VTHC first raised this issue WorkSafe Victoria, this is the advice the regulator provided:

"WorkSafe Victoria's view ... is that the various privacy laws, both Commonwealth and Victorian, do not prevent health and safety representatives' access to information, or issues being discussed at health and safety committee meetings. WorkSafe's view is that Section 31(3) provides adequate protection for privacy in relation to employees' medical details."

Note: Section 69(2) of OHS Act provides that an employer can only supply medical information to an OHS rep in a form which does not identify an individual worker UNLESS that worker has consented. OHS reps need to make sure that members of their designated work groups provide their consent.

What to do...

If you are having similar problems in your workplace, raise the issue at the OHS Committee level to establish a formal protocol on notifying reps immediately in the event of an accident, dangerous occurrence, etc, and to guarantee access to information as provided for in the OHS Act.

Make sure you also contact your union to keep them informed of what has been going on in your workplace and for further information and advice.

Last updated May 2018