Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
When an employee is unwell, injured or returning from extended leave, it’s natural to want enough information to manage rosters, safety and productivity.
But in Australia, health information is highly protected. As a business owner, you need to balance your duty to keep the workplace safe with your employees’ right to privacy.
In this guide, we’ll break down exactly what medical information you can ask for, when you can request it, and how to handle it lawfully under Australian workplace and privacy laws.
Our goal is to help you get the information you genuinely need to run your business - without overstepping legal boundaries.
What Counts As “Medical Information” In Australia?
Under the Privacy Act 1988 (Cth), health information is “sensitive information.” This includes details about a person’s health, illness, injury, disability, medical treatment, test results, and even opinions about a person’s health status.
Because it’s sensitive, there are extra rules about when you can collect it, how much you can collect, and how you must store and use it.
As an employer, the key principle is data minimisation: only ask for the minimum information that is reasonably necessary for your business functions (for example, to manage leave, assess fitness for work, or meet workplace health and safety obligations).
What Medical Information Can You Lawfully Ask For (And When)?
1) Evidence For Paid Personal/Carer’s Leave
Under the Fair Work framework, you can request “evidence that would satisfy a reasonable person” that the employee is unfit for work due to illness or injury. Common evidence includes a medical certificate or a statutory declaration.
You generally should not ask for a diagnosis. What you reasonably need is confirmation that the employee is (a) unfit for work, and (b) the expected duration. If the certificate doesn’t include a timeframe, you can request clarification on return-to-work timing.
If you’re unsure about when you can request evidence, see when employers can ask for a medical certificate.
2) Functional Information To Manage Safety And Duties
You may request information about an employee’s functional capacity, restrictions and suitable duties to keep the workplace safe and to plan work. For example, you can ask:
- Are there any temporary restrictions (e.g. lifting limits, standing time, operating machinery)?
- What adjustments are recommended and for how long?
- What is the anticipated timeframe for a return to full duties?
This type of functional information is usually appropriate to meet your work health and safety duties without needing specific diagnoses.
3) Medical Clearance To Return To Work
If an employee is returning after an injury or extended illness, it’s reasonable to require a medical clearance stating they’re fit for their inherent requirements (with or without adjustments). This can be part of a safe, staged return-to-work plan.
There are limits to what you can require, and any request should be proportionate and anchored to genuine safety or operational needs. For more detail, read when employers can request medical clearance to return to work.
4) Information Needed To Consider Reasonable Adjustments
Employers must not discriminate on the basis of disability and should consider reasonable adjustments so the employee can perform the role’s inherent requirements. You can ask for enough medical information to properly assess adjustments (e.g. modified duties or hours), but again, keep requests targeted to capacity, not diagnosis.
5) Pre‑Employment Health Questions (Inherent Requirements Only)
Pre-employment health questions should be limited to whether the candidate can perform the inherent requirements of the role safely, with or without adjustments. Avoid general health questions that are not connected to the role, as they risk discrimination.
6) Workers’ Compensation And Injury Management
Where a workers’ compensation claim is involved, additional information may be requested or exchanged with the insurer in line with the relevant state or territory scheme. Stick to the scheme rules and collect only what’s needed to manage the claim and return-to-work process.
What Medical Information Is Usually Off-Limits?
Even if you’re acting with good intentions, some requests go too far. In most cases, you should avoid:
- Asking for a diagnosis, detailed medical history or test results unless there is a very clear and lawful reason tied to safety or inherent requirements.
- Requesting open-ended authority to access full medical records - if you need information from a treating practitioner, use a specific, narrow consent form.
- Collecting health information “just in case” without a current, genuine need.
If you believe you need further detail, consider whether a functional assessment or independent medical examination (IME) is more appropriate, and get legal advice before proceeding.
How To Ask For Medical Information The Right Way
Start With “Lawful And Reasonable”
Your directions and requests to employees must be lawful and reasonable. That means your request should be:
- Connected to a legitimate business need (e.g. safety, rostering, managing leave, return to work).
- Proportionate - ask for the least intrusive information that still meets the need.
- Consistent with any policies, employment contracts and applicable industrial instruments.
Use Clear, Narrow Requests
Frame requests around functionality and timing, not diagnosis. For example: “Please provide a medical certificate confirming unfitness for work from to ” or “Please ask your doctor to outline any temporary restrictions and the expected review date.”
Get Specific Consent When Needed
If you need to communicate directly with a treating practitioner, obtain written, time-limited consent that identifies the specific information you’re seeking. A documented process protects both you and your employee. Many employers implement a simple Medical Release Consent Form for this purpose.
Tell Employees Why You’re Asking
Be transparent. Explain how the information will be used, who will have access to it, and how it will be stored. This is both good practice and a privacy law requirement (more on that below).
Know What To Do If The Information Is Insufficient
If a certificate or report doesn’t give enough detail to meet your safety or planning needs, you can request further clarification, or in limited cases, arrange an IME. Keep a written record of why further information is necessary and ensure your request is proportionate.
Privacy Law Essentials: Collecting And Storing Health Information
Even if you have a legitimate reason to collect medical information, you still need to handle it correctly under the Australian Privacy Principles (APPs) in the Privacy Act.
Collect Only What’s Necessary
Collect the minimum amount of health information that’s reasonably necessary for your functions (e.g. assessing fitness for work, planning adjustments, processing leave). Avoid collecting information you don’t need.
Get Consent (And Make It Informed)
In most cases, you need the employee’s consent to collect health information. Consent should be informed, voluntary, specific and current. This is especially important if you want to speak to their treating practitioner or obtain a report.
Provide Collection Notices
When you collect health information, let employees know what you’re collecting, why, how you’ll store it and who you’ll share it with. Many businesses support this transparency through a Privacy Collection Notice alongside a company-wide Privacy Policy.
Secure Storage And Restricted Access
Store medical information securely (e.g. restricted HR files) and limit access to personnel with a genuine need to know. Build this into your internal processes and staff training.
Retention And Destruction
Keep health information only as long as you need it for lawful purposes (and any required retention period), then securely destroy or de-identify it.
Employment Law Intersections You Should Know
Personal/Carer’s Leave Evidence Rules
You can have a clear policy requiring evidence for sick leave, including on the first day, as long as it’s reasonable and applied consistently. The Fair Work approach is “evidence that would satisfy a reasonable person”. If you’re building or updating your leave practices, make sure your Employment Contract and policies align with the evidence you intend to require.
Return-To-Work Clearances
It’s often reasonable to require clearance before returning after an injury or extended illness - particularly for safety-critical roles. Reasonableness depends on the role, risks and history. For practical guidance, see medical return-to-work clearances.
Anti-Discrimination And Reasonable Adjustments
You’ll need enough information to consider reasonable adjustments for employees with disabilities or ongoing medical conditions, but keep it targeted to functional capacity and risks. Avoid questions that are not tied to the role’s inherent requirements.
Work Health And Safety (WHS)
Your WHS duties may justify collecting limited, functional medical information to manage risks. Document your risk assessment and why the information is needed. Over-collection can still breach privacy obligations.
Privacy In The Workplace
Consider a policy framework that helps staff understand the boundaries around health information, including an Employee Privacy Handbook and a clear internal process for handling medical certificates, functional reports and return-to-work documentation.
Independent Medical Examinations (IMEs): When Are They Appropriate?
Sometimes, you’ll receive medical information that’s unclear, conflicting, or insufficient to assess safety or inherent requirements. In limited cases, directing an employee to attend an IME can be lawful and reasonable, especially for safety-critical roles or protracted return-to-work planning.
Before arranging an IME, consider:
- Have you clearly explained what information you need and why?
- Is there a less intrusive way to get the information (e.g. clarification from the treating practitioner with specific consent)?
- Is the scope of the IME tightly defined and proportionate to the risk?
- Do your contracts and policies support the direction?
IMEs should not be a fishing expedition for diagnoses or unrelated medical history. Keep them focused on functional capacity and inherent requirements.
Practical Policies, Documents And Processes To Put In Place
A strong, consistent framework makes these situations easier and more compliant. Consider the following:
- Employment Contracts: Set expectations around providing reasonable evidence for leave, fitness for work requirements, and compliance with safety directions. Use a robust Employment Contract tailored to your business.
- Workplace Policies: A clear sick leave, fitness-for-work and privacy policy helps managers and staff know what to expect. Many employers include rules in an Employee Privacy Handbook.
- Privacy Framework: Publish a Privacy Policy and provide a Privacy Collection Notice when collecting health information.
- Consent Forms: When you need to liaise with a treating practitioner, use a narrow, time‑limited Medical Release Consent Form so everyone is clear on what is being shared and why.
- Return-To-Work Templates: Create simple templates for medical clearance requests, suitable duties plans and review dates.
- Training For Managers: Teach leaders how to ask for information respectfully, what to do with it, and when to escalate or seek legal advice.
Step-By-Step: Handling A Health Information Request
Step 1: Identify The Purpose
Be clear on why you need the information (e.g. approving leave, managing safety, planning adjustments).
Step 2: Choose The Least Intrusive Option
Ask for functional details and timing first (not diagnosis). Use a standard medical certificate or short-form letter from a doctor where possible.
Step 3: Explain Your Request
Tell the employee what you’re asking for, why you need it, who will see it and how it will be stored. Reference your policies for consistency.
Step 4: Obtain Consent If Needed
If you need to speak with a doctor or receive a report, use a targeted written consent and limit the scope.
Step 5: Review And Act Proportionately
Use the information solely for the stated purpose. If it’s insufficient, decide whether clarification or, in limited cases, an IME is appropriate.
Step 6: Securely Store And Periodically Review
Keep the information secure, limit access, and schedule a future review or deletion when it’s no longer required.
Common Pitfalls (And How To Avoid Them)
- Over‑collecting information: Stick to the minimum necessary details. Diagnosis is rarely required.
- Open‑ended access requests: Avoid blanket access to medical records. Use specific, narrow consent requests.
- Inconsistent practices: Apply your approach consistently to reduce risk of disputes or discrimination claims.
- Poor storage and access controls: Treat medical documents as highly confidential. Restrict access to HR or designated managers only.
- Unclear contracts and policies: Align expectations in your Employment Contract and policy suite, and make sure your team understands them.
- Skipping transparency: Always explain what you’re collecting, why and how it will be used, ideally supported by your Privacy Policy and collection notices.
Key Takeaways
- You can ask for medical information that’s reasonably necessary for your business needs - typically functional capacity, restrictions and timing - not a detailed diagnosis.
- Evidence for sick leave should satisfy a reasonable person, and medical clearance for return to work can be reasonable where safety or inherent requirements are in play.
- Health information is sensitive information under privacy law, so collect the minimum necessary, obtain informed consent where required, be transparent, and store it securely.
- Align your Employment Contract, policies and manager training so requests are consistent, respectful and compliant.
- If information is unclear or insufficient, seek targeted clarification first; consider an IME only in limited, justified cases and keep it proportionate.
- A practical framework - Privacy Policy, Privacy Collection Notice and a Medical Release Consent Form - will help you handle medical information lawfully and efficiently.
If you’d like a consultation on what medical information an employer can ask for in Australia - and help setting up the right contracts, forms and policies - you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.