Skip to main content

Disclaimer: Educational purposes only. Not legal advice. Consult a qualified NZ legal practitioner for your specific circumstances.

SimplifiedLaw.co.nz
general

Employment privacy: Can bosses demand to see your medical records?

Key Takeaway

In New Zealand, employers generally cannot demand full access to an employee's medical records due to privacy laws. They can, however, request relevant health information, such as medical certificates or fitness-for-work assessments, when there's a lawful purpose, like managing sick leave or ensuring workplace health and safety. Information requested must be necessary and directly related to the employment.

Employment Privacy: Can Employers Demand Medical Records in New Zealand?

In New Zealand, an employee's medical records are considered highly sensitive personal information, protected by privacy laws. While employers have obligations related to managing sick leave and ensuring workplace health and safety, their ability to access an employee's medical information is limited and governed by specific legal principles.

General Principles of Privacy for Medical Information

The collection, use, and disclosure of personal information, including health information, are primarily governed by the Privacy Act 2020. Under this Act, an agency (which includes employers) must adhere to information privacy principles when handling personal data [Source: Privacy Act 2020, s 22]. Personal information refers to information about an identifiable individual [Source: Privacy Act 2020, s 7]. Health information falls under this definition and is considered particularly sensitive.

An employer must generally only collect personal information for a lawful purpose connected with their functions or activities, and the collection must be necessary for that purpose [Source: Privacy Act 2020, s 22, Principle 1]. Information should ideally be collected directly from the individual concerned [Source: Privacy Act 2020, s 22, Principle 3].

When Can an Employer Request Health Information?

Employers may request certain health information in specific circumstances, but this does not typically extend to demanding access to an employee's full medical records. The key is that the request must be for a lawful purpose and necessary for the employment relationship.

1. Managing Sick Leave

If an employee takes sick leave, an employer may ask for proof of illness or injury if the sick leave is for three or more consecutive calendar days, or if the employer has reasonable grounds to suspect the sick leave is not genuine. This proof is usually a medical certificate from a medical practitioner [Source: Holidays Act 2003, s 68]. A medical certificate typically confirms the employee's inability to work for a specified period and may indicate the general nature of the illness or injury, but it does not usually provide detailed medical history or diagnoses.

2. Fitness for Work Assessments

If an employer has genuine concerns about an employee's ability to perform their job safely due to a health condition, or if the employee's health condition might pose a risk to themselves or others in the workplace, they may request a fitness-for-work assessment. This assessment is usually conducted by an independent medical professional, often chosen by the employer, but with the employee's consent. The focus of such an assessment is typically on the employee's functional capacity and how their health condition impacts their ability to perform specific job duties, rather than a full medical history [Source: Privacy Act 2020, s 22, Principle 1]. The information provided to the employer should be limited to what is relevant and necessary for work purposes.

3. Health and Safety Obligations

Under the Health and Safety at Work Act 2015, a Person Conducting a Business or Undertaking (PCBU) (which includes employers) has a primary duty to ensure, so far as is reasonably practicable, the health and safety of workers [Source: Health and Safety at Work Act 2015, s 36]. This duty may, in some cases, necessitate obtaining health information relevant to managing workplace risks. For example, if a specific role requires certain physical capabilities or involves exposure to hazards, pre-employment or periodic medical checks related to those specific risks might be justified. Again, the information requested must be relevant and necessary for managing health and safety risks and should not be a general demand for medical records [Source: Privacy Act 2020, s 22, Principle 1].

What Information Can Be Requested?

When health information is requested, it should be limited to what is relevant and necessary for the specific purpose. An employer is generally entitled to know about an employee's capacity to do their job, any limitations, and any adjustments that might be required. They are typically not entitled to detailed medical diagnoses or the employee's full medical history unless there are exceptional circumstances where such detailed information is directly relevant and essential for their lawful purpose [Source: Privacy Act 2020, s 22, Principle 1].

Employee Rights Regarding Medical Information

Employees have several rights concerning their medical information:

  • Right to Privacy: Employees have a right to the privacy of their personal information, including health records [Source: Privacy Act 2020, s 22].
  • Consent: Generally, an employer should obtain an employee's consent before collecting health information, especially from a third party like a doctor. The employee should be informed about why the information is being collected and how it will be used [Source: Privacy Act 2020, s 22, Principle 3].
  • Access to Information: An employee has the right to request access to any personal information an employer holds about them [Source: Privacy Act 2020, s 22, Principle 6].
  • Correction of Information: If an employee believes the information held by the employer is inaccurate, they can request its correction [Source: Privacy Act 2020, s 22, Principle 7].
  • Complaints: If an employee believes their privacy rights have been breached, they can make a complaint to the Privacy Commissioner [Source: Privacy Act 2020, s 67].

Employer Obligations Regarding Medical Information

When an employer collects health information, they must:

  • Limit Collection: Collect only the personal information that is necessary for a lawful purpose connected with their functions [Source: Privacy Act 2020, s 22, Principle 1].
  • Inform the Employee: Make the employee aware of the fact that the information is being collected, the purpose of collection, and the intended recipients of the information [Source: Privacy Act 2020, s 22, Principle 3].
  • Secure Storage: Ensure that the information is protected by reasonable security safeguards against loss, unauthorised access, or disclosure [Source: Privacy Act 2020, s 22, Principle 5].
  • Limited Use: Use the information only for the purpose for which it was collected, or for a directly related purpose [Source: Privacy Act 2020, s 22, Principle 10].
  • Limited Disclosure: Not disclose the information to third parties unless an exception under the Privacy Act 2020 applies, or the employee has consented to the disclosure [Source: Privacy Act 2020, s 22, Principle 11].

When to Seek Independent Legal Advice

Individuals facing requests for medical information from their employer, or employers seeking to understand their obligations, should consider seeking independent legal advice. The Privacy Commissioner provides guidance on privacy matters, and Community Law Centres offer free legal help. Individuals can also contact WorkSafe New Zealand for health and safety inquiries.

Key Resources