Why Most Employers Are Wasting Their Health Data
The average mid-size Australian employer with 500 workers generates health data from at least eight separate sources: pre-employment medicals, annual health surveillance, workers compensation claims, return-to-work medical certificates, drug and alcohol test results, EAP referral and utilisation data, absence management systems, and ad hoc health checks. Almost none of it is connected.
Claims data sits in the insurer portal. Surveillance records are in the OH provider's system. Absence data is in payroll. The result: a worker in a high-risk manual handling role in warehouse operations has three separate medical events in twelve months, but no one sees the pattern because each event sits in a different silo.
A 2024 Safe Work Australia analysis found that musculoskeletal injuries account for 37% of serious workers compensation claims — and most have 6–18 months of precursor events (near misses, short-duration absences, physiotherapy referrals) that, if tracked, would have predicted the serious injury. The data exists. It is just not connected.
The Legal Framework You Cannot Ignore
Four Acts govern how Australian employers collect and handle health data. Understanding which applies, and when, is non-negotiable.
| Legislation | What it governs | Key obligation |
|---|---|---|
| Privacy Act 1988 (Cth) | Collection, storage, use, and disclosure of health information | Consent for sensitive information and a collection notice (APP 3, APP 5); use and disclosure limited to the primary purpose (APP 6); security and destruction (APP 11) |
| WHS Act 2011 (model Act) and the model WHS Regulations | Health monitoring (called health surveillance on this page) for hazardous chemical exposures | Records kept 30 years (40 for asbestos); worker receives a copy of the report; report to the regulator where results indicate work-related disease or recommend remedial action |
| Disability Discrimination Act 1992 (Cth) | Use of health data in employment decisions | Cannot use health findings to exclude workers unless the inherent requirements defence applies |
| Fair Work Act 2009 (Cth) | Adverse action linked to health or disability status | Termination or demotion triggered by health data without lawful basis is a general protections breach |
The model WHS Regulations (adopted in NSW as the Work Health and Safety Regulation 2017) impose a mandatory health monitoring duty, which this page calls health surveillance, for workers at significant risk from exposure to the hazardous chemicals listed in Schedule 14 (including benzene, chromium, crystalline silica, isocyanates and mercury); lead risk work and asbestos have their own health monitoring provisions. This is not optional for covered workplaces: it is a prosecutable duty. An inspector from the regulator (SafeWork NSW, WorkSafe Victoria and their counterparts) can require production of surveillance records under s 171 of the WHS Act, and failing to comply is an offence.
The Four Types of Workplace Health Data — and What Each Is For
Not all health data serves the same purpose. Conflating them is how employers end up using fitness-for-work data to manage performance, which is both legally wrong and operationally counterproductive.
1. Pre-placement / fitness-for-work data
Determines whether a worker can safely perform specific inherent requirements at the time of assessment. Results flow to the OH provider and a fitness conclusion flows to HR — diagnosis stays with the clinician.
Examples: Musculoskeletal screen, audiogram, vision test, functional capacity
2. Health surveillance data
Regulatory obligation for hazardous chemical exposures. Longitudinal: the same tests are repeated at fixed intervals to detect a biological effect before clinical disease develops.
Examples: Blood lead, urinary chromium, spirometry, audiometric surveillance
3. Injury and absence data
Operational and actuarial. Feeds workers compensation claims management, return-to-work planning, and aggregate risk analysis. Individual records are medical-in-confidence.
Examples: Workers comp claims, medical certificates, RTW progress reports, near-miss reports
4. Population health / wellness data
Voluntary. Used to understand workforce health risk at aggregate level — not individual. Feeds health promotion programs, chronic disease prevention initiatives.
Examples: Biometric screenings, health risk assessments, mental health surveys, EAP utilisation (de-identified)
How to Set Up a Compliant Data Collection System
A compliant system is not complicated — it requires six deliberate design choices that most organisations skip because they seem administrative.
1. Define collection purpose before you collect
Under APP 5, you must notify the worker of the purposes of collection before or at the time of collection (or as soon as practicable afterwards), and under APP 3 sensitive information may only be collected with consent and where reasonably necessary for your functions, unless collection is required or authorised by law. "Occupational health assessment for fitness for the role of X" is a sufficient purpose statement. "General health check" is not: it is too vague to ground lawful secondary use.
2. Separate the data stores
Clinical records (diagnosis, treatment, test results) must be held by the OH provider or in a clinically governed system, not in HR software. HR receives fitness conclusions only. This is the single most common compliance failure in mid-market employers.
3. Obtain explicit written consent
Health information is sensitive information under the Privacy Act 1988. Implied consent (turning up to a medical) is not sufficient. Workers must sign a clear consent form that states what data will be collected, who will hold it, who will see it, and how long it will be retained. Where collection is required by law (WHS health monitoring is the main case), the lawful basis is the statutory duty rather than consent, but the collection notice is still required.
4. Set role-based access controls
The OH nurse or physician: full clinical record. HR business partner: fitness conclusion only. Line manager: no health data, only work capacity (what duties can be performed). This must be enforced technically, with every access logged, not just by policy.
5. Establish retention and destruction schedules
Hazardous chemical health monitoring: 30 years (40 years for asbestos). Workers compensation: 7 years post-claim (state-dependent). Drug and alcohol testing under AS 4308:2023 and AS/NZS 4760:2019: 7 years is common industry practice; confirm the figure against the standard and your insurer. Everything else: follow your Privacy Management Plan and destroy securely at end of life, but never ahead of a statutory minimum.
6. Create a de-identification threshold for reporting
No aggregate report should go to leadership if the group size is fewer than 10 workers; a single person in a small team can be re-identified from health risk categories alone. For very small teams, suppress the cell or roll it up to a higher reporting level, and check that the published totals do not let a reader recover a suppressed cell by subtraction (complementary suppression).
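As an added example (not part of the original article), the following Python models the separation in steps 2 and 4: a deny-by-default allowlist of fields per role, an audit log of every access attempt, and a release function that is the only path from the clinical store to HR. The roles, field names and the sample record are assumptions chosen for illustration; a real deployment would enforce the same allowlist at the database or API layer.

```python
"""Role-based, field-level access to an occupational health record.

Added example, not code from the original article. Role names, field
names and the sample record are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields that identify a clinical finding; these must never reach HR or managers.
CLINICAL_FIELDS = frozenset({"diagnosis", "test_results", "treatment_plan"})

# Deny-by-default allowlist: a role sees exactly the fields listed here.
ROLE_FIELDS = {
    "oh_clinician": frozenset({"worker_id", "assessment_date", "diagnosis",
                               "test_results", "treatment_plan",
                               "fitness_conclusion", "work_capacity"}),
    "hr_partner": frozenset({"worker_id", "assessment_date", "fitness_conclusion"}),
    "line_manager": frozenset({"worker_id", "work_capacity"}),
}

# Constructed sample record as held by the OH provider (not real data).
CLINICAL_RECORD = {
    "worker_id": "W-1042",
    "assessment_date": "2024-03-11",
    "diagnosis": "L4/L5 disc protrusion",
    "test_results": {"lumbar_flexion_deg": 40},
    "treatment_plan": "physiotherapy, 6 weeks",
    "fitness_conclusion": "fit with restrictions",
    "work_capacity": {"max_lift_kg": 10, "no_repetitive_bending": True},
}


@dataclass
class AccessLog:
    """Append-only record of who asked for what, and whether it was granted."""
    entries: list = field(default_factory=list)

    def record(self, role, user, worker_id, fields, granted):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "role": role, "user": user, "worker_id": worker_id,
            "fields": sorted(fields), "granted": granted,
        })


def permitted_fields(role):
    """Allowlist for a role; an unknown role gets nothing."""
    return ROLE_FIELDS.get(role, frozenset())


def view_record(record, role, user, log):
    """Return only the fields the role may see and log the attempt.

    Raises PermissionError for roles with no allowlist entry, so a new
    system role cannot silently read clinical data.
    """
    allowed = permitted_fields(role)
    if not allowed:
        log.record(role, user, record["worker_id"], set(), False)
        raise PermissionError(f"role {role!r} has no access to health records")
    view = {k: v for k, v in record.items() if k in allowed}
    log.record(role, user, record["worker_id"], set(view), True)
    return view


def contains_clinical_data(payload):
    """True if any clinical field name appears anywhere in a nested dict."""
    if isinstance(payload, dict):
        return any(k in CLINICAL_FIELDS or contains_clinical_data(v)
                   for k, v in payload.items())
    if isinstance(payload, (list, tuple)):
        return any(contains_clinical_data(v) for v in payload)
    return False


def release_to_hr(record, log):
    """The only export from the clinical store to the HR system.

    Uses the hr_partner allowlist, then re-checks the payload so a later
    allowlist edit cannot leak a clinical field without failing here.
    """
    payload = view_record(record, "hr_partner", "oh-export", log)
    if contains_clinical_data(payload):
        raise RuntimeError("clinical field in HR export; allowlist misconfigured")
    return payload


if __name__ == "__main__":
    log = AccessLog()
    print(release_to_hr(CLINICAL_RECORD, log))
    print(view_record(CLINICAL_RECORD, "line_manager", "mgr-7", log))
    print(len(log.entries), "access events logged")
```

The second check in release_to_hr is deliberate: the allowlist is configuration and will be edited; the clinical-field denylist is a tripwire that fails the export rather than leaking.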
Turning Health Data Into Workforce Intelligence
This is where organisations leave real value on the table. Individual records are medical-in-confidence. Aggregate patterns are organisational intelligence — and they are yours to act on.
A distribution centre with 200 workers might have 14 workers compensation claims in twelve months, costing $380,000 in direct costs and an estimated $1.14 million in indirect costs (applying a commonly used 3:1 indirect-to-direct multiplier). That number is alarming. But the question leadership should be asking is: where in the operation are those claims clustering? What tasks, shifts, or tenure groups are over-represented?
A population health analysis integrating injury data, absence data, and task exposure data often reveals that 70–80% of claims come from 20–30% of job roles or work areas. That is not a personnel problem; it is a systems problem, and it is solvable through ergonomics redesign, task rotation, and targeted health surveillance.
The analysis works because you are not looking at individuals. You are looking at distributions, rates, and trends: the kind of data that can go to a safety committee, a board risk report, or a workers compensation insurer with minimal privacy exposure, provided small groups are suppressed or rolled up before the report leaves the analyst.
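The following Python is an added example (not part of the original article) that carries the distribution-centre scenario above through to a publishable table: it counts claims by work area, computes a rate per 100 workers, measures how concentrated the claims are in the top third of areas, and applies the step 6 threshold by rolling any area with fewer than 10 workers up to its division, replacing the division's child rows so the small cell cannot be recovered by subtraction. The headcounts, the area-to-division mapping and the 14 claim records are constructed for illustration.

```python
"""Aggregate claims reporting with small-cell suppression.

Added example, not code from the original article. Headcounts, divisions
and claim records are constructed; no worker identifiers are used.
"""
from collections import Counter

MIN_GROUP_SIZE = 10  # reporting threshold: no published row below this headcount

# Constructed headcount by work area (200 workers in total).
HEADCOUNT = {
    "inbound_dock": 40, "picking": 60, "packing": 30,
    "despatch": 25, "maintenance": 8, "admin": 37,
}

# Higher reporting level each area belongs to.
DIVISION = {
    "inbound_dock": "warehouse", "picking": "warehouse", "packing": "warehouse",
    "despatch": "warehouse", "maintenance": "site_services", "admin": "site_services",
}


def _claims(area, mechanism, n):
    return [{"work_area": area, "mechanism": mechanism}] * n


# Constructed 12-month claim register: only the fields needed for aggregation
# leave the claims system (no diagnosis, no worker identifier).
CLAIMS = (
    _claims("picking", "manual handling", 7)
    + _claims("inbound_dock", "manual handling", 3)
    + _claims("inbound_dock", "slip/trip", 1)
    + _claims("maintenance", "manual handling", 2)
    + _claims("packing", "repetitive strain", 1)
)


def claims_by_area(claims, headcount=HEADCOUNT):
    """Claim count per area, including zeros for areas with no claims."""
    counts = Counter(c["work_area"] for c in claims)
    return {area: counts.get(area, 0) for area in headcount}


def rate_per_100(claim_count, headcount):
    """Claims per 100 workers, one decimal place."""
    return round(100.0 * claim_count / headcount, 1)


def concentration(counts, top_fraction):
    """Share of all claims contributed by the top `top_fraction` of groups."""
    ordered = sorted(counts.values(), reverse=True)
    k = max(1, round(len(ordered) * top_fraction))
    total = sum(ordered)
    return round(sum(ordered[:k]) / total, 3) if total else 0.0


def suppressed_table(counts, headcount=HEADCOUNT, division=DIVISION,
                     min_n=MIN_GROUP_SIZE):
    """Rows safe to publish.

    Any area below `min_n` workers is not shown on its own; its whole
    division is reported as one row instead of its areas, so the small
    cell cannot be rebuilt by subtracting siblings from a division total.
    """
    small_areas = {a for a, n in headcount.items() if n < min_n}
    rolled_divisions = {division[a] for a in small_areas}
    rows = {}
    for area, n in headcount.items():
        key = division[area] if division[area] in rolled_divisions else area
        row = rows.setdefault(key, {"headcount": 0, "claims": 0})
        row["headcount"] += n
        row["claims"] += counts.get(area, 0)
    for key, row in rows.items():
        if row["headcount"] < min_n:
            raise ValueError(f"{key}: still below {min_n} after roll-up; "
                             "roll up another level")
        row["rate_per_100"] = rate_per_100(row["claims"], row["headcount"])
    return rows


if __name__ == "__main__":
    counts = claims_by_area(CLAIMS)
    print("top-third share:", concentration(counts, 0.3))
    for key, row in suppressed_table(counts).items():
        print(f"{key:14} n={row['headcount']:3} claims={row['claims']:2} "
              f"rate/100={row['rate_per_100']}")
```

With the constructed data, two of six areas (picking and inbound dock) carry 11 of 14 claims, the pattern the page describes, and the maintenance team of 8 disappears into a 45-person site services row rather than being published as a 2-in-8 rate that its members could read as a statement about each other.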
The Three Mistakes That Create Legal Exposure
Most breaches are not malicious — they are process failures. These three are the most common in Australian workplaces.
Mistake 1: Sharing fitness-for-work diagnoses with managers
Risk: Privacy Act 1988 breach (APP 6 secondary use); potential Disability Discrimination Act 1992 claim if the disclosure influences a management decision
Fix: Train every HR business partner on the difference between a fitness conclusion and a clinical finding. The OH provider sends fitness status — not diagnosis — to HR.
Mistake 2: Using health data to performance-manage absence
Risk: Fair Work Act 2009 general protections breach; adverse action linked to health status is one of the most litigated employment claims in the Federal Circuit and Family Court of Australia
Fix: Absence management conversations should reference attendance patterns and operational impact — not health conditions. If a medical capacity question arises, refer to an independent medical examiner.
Mistake 3: Retaining records past mandatory periods then failing to destroy them
Risk: APP 11 requires health data to be destroyed or de-identified once it is no longer needed for any purpose for which it may lawfully be used, unless a law requires it to be kept (the 30-year health monitoring rule is the obvious case). Holding stale records indefinitely increases breach exposure if a system is compromised.
Fix: Schedule automated destruction reviews in your HRIS and OH system annually. Document every destruction event.
Frequently Asked Questions
What laws govern workplace health data collection in Australia?
Three primary frameworks apply: the Privacy Act 1988 (Cth) and its Australian Privacy Principles (APPs), which classify health information as sensitive information requiring consent to collect; the Work Health and Safety Act 2011 (model WHS Act) and the regulations made under it, which create the duty to monitor workers exposed to hazardous chemicals; and the Disability Discrimination Act 1992 (Cth), which restricts how health data can influence employment decisions. State-based WHS legislation (e.g., the Work Health and Safety Act 2011 (NSW)) mirrors the model Act in most jurisdictions.
Can employers share individual health data with managers?
Generally no. Under APP 6, health information collected for occupational health purposes can only be used for that primary purpose, not disclosed to line managers, unless the worker consents in writing or the disclosure is required or authorised by law. Fitness-for-work conclusions (e.g., "cleared for full duties") may be shared, but diagnoses and clinical findings must not be.
What is health surveillance and when is it legally required?
Health surveillance is systematic monitoring of workers for early signs of work-related illness or injury. Under the model WHS Regulations (Part 7.1, Division 6, which uses the term health monitoring), it is mandatory where a worker carries out ongoing work with a hazardous chemical listed in Schedule 14 (including benzene, chromium, crystalline silica, isocyanates and mercury) and there is a significant risk to the worker's health because of exposure; lead risk work and asbestos have their own health monitoring provisions. Employers must retain health monitoring records for 30 years (40 years for asbestos).
How should employers handle aggregate workforce health reports?
Aggregate reports — such as injury rates by department, absenteeism trends, or health risk stratification — are the correct vehicle for sharing health intelligence with leadership. Reports should be de-identified so no individual can be identified (typically requiring group sizes of at least 10), stored with access controls, and framed around system-level interventions rather than individual performance management.
How long must workplace health records be retained in Australia?
Retention periods vary by record type. Health monitoring (surveillance) reports for hazardous chemical exposures: at least 30 years after the record is made (model WHS Regulations, reg 378), and 40 years for asbestos-related health monitoring. Workers compensation medical records: typically 7 years post-claim (varies by state). Drug and alcohol testing records collected under AS 4308:2023 (urine) and AS/NZS 4760:2019 (oral fluid): industry practice is 7 years; confirm against the standard, your insurer and any enterprise agreement. General OH records should follow the organisation's data retention policy and be destroyed securely at end of life.
What is the difference between health monitoring and health surveillance?
On this page, health monitoring is used as a broad term for ongoing observation of workforce health indicators: absence rates, injury metrics, EAP utilisation, and voluntary wellness screenings. Health surveillance is the defined legal obligation: it specifically tracks biological markers of hazardous chemical exposure (e.g., blood lead levels, spirometry for silica-exposed workers). Note that the model WHS Regulations themselves use "health monitoring" for that legal obligation, so check which sense a document intends. Health surveillance records have mandatory retention and reporting obligations; the broader monitoring records are governed by the Privacy Act 1988 and employer policy.
Related Resources
Population Health Intelligence
Connect your workforce health data sources into a single risk picture.
Health Surveillance Requirements in Australia
Which substances trigger mandatory surveillance and what records you must keep.
Privacy and Workplace Health Information
APP obligations, consent requirements, and how to handle sensitive health records.
Workers Compensation Data Analytics
How to use claims data to find cost drivers and design preventive interventions.