Must HR Keep Your Medical Certificate Confidential?
HR should treat a medical certificate as sensitive, private workplace information and limit access to people who genuinely need it for leave, payroll, safety, capacity or another lawful employment purpose. It should not be circulated casually, discussed with uninvolved colleagues or stored in an open team folder.
The precise legal answer is more nuanced than saying every employer is covered identically by the federal Privacy Act. Private-sector employers can have an employee-record exemption for handling directly related current or former employee records, while Australian Government, state, territory, public-sector and contractor arrangements can be governed differently.
Fair Work record rules describe employee records as private and confidential and generally limit access. Contracts, enterprise agreements, policies, confidentiality duties, discrimination law, health-record laws and state or territory privacy law may also affect how information must be managed.
This page focuses on HR handling after a certificate is supplied. For general evidence rules, read Medical Certificate Rules in Australia. The guide to medical certificates and patient privacy covers the clinical and workplace boundary.
This is general information, not legal advice about a particular disclosure or data breach. The applicable law depends on the employer, location, employment relationship, record holder and purpose. Seek privacy or employment advice where sensitive information has been misused.
Key Points
Medical Certificates
Sick Leave Certificate
Choose this option if you are unable to work due to illness or injury, including mental health issues or stress.
Available for $16.90
Apply NowCarer's Leave Certificate
Choose this option if you are unable to attend work because you need to care for a family member or someone in your household.
Available for $16.90
Apply NowWhy a Medical Certificate Is Sensitive
A certificate can reveal that a person had an illness, injury or caring responsibility, the dates involved, practitioner identity and sometimes functional restrictions or diagnosis. Even minimal wording is health-related information and can cause embarrassment, stigma or harm if shared inappropriately.
HR may need the document to verify leave, meet record obligations or coordinate capacity processes. That need does not mean every manager, scheduler or colleague requires the full certificate.
A sensible system separates the clinical document from ordinary roster discussions. Managers can be told approved dates and necessary restrictions without receiving unrelated medical detail.
Fair Work Employee Records
The Fair Work record-keeping fact sheet says employee records are private and confidential. It states that generally only the employee, employer and relevant payroll staff can access them, subject to specified access by inspectors and organisation officials.
That does not mean every document must be held by payroll or that no authorised workplace participant can ever see capacity information. The employer should define access according to purpose and legal requirements.
Records must also be accurate and not altered except to correct an error. HR should preserve the original certificate and keep any verification notes separate and factual.
The Private-Sector Employee-Record Exemption
The OAIC’s employee-record exemption guidance explains that a private-sector employer’s act or practice can be exempt from the Australian Privacy Principles when directly related to a current or former employment relationship and an employee record it holds.
Health information and leave information can form part of an employee record. However, the exemption has boundaries. Using employee medical information for a purpose unrelated to the employment relationship does not automatically fall within it.
It is therefore inaccurate to say the federal Privacy Act always applies to HR in the same way, and equally inaccurate to say employee health information has no protection. Other laws, duties and workplace obligations can still apply.
Public-Sector and State or Territory Differences
The OAIC employment privacy page says Australian Government and Norfolk Island administration employee records are covered by the federal Privacy Act, while private-sector employee records are treated differently.
State and territory public-sector agencies are generally outside the federal Privacy Act and may be covered by local privacy or health-record legislation. The regulator and complaint pathway depend on the jurisdiction and employer type.
Employees should not choose a complaint body solely from an online article. Identify who employs them, who disclosed the record and which system held it first.
Why Choose Dociva?
| Features | Dociva | Medical Certificate in Clinics |
|---|---|---|
| Are they certified? | ||
| Are they legal? | ||
| Are they valid? | ||
| Accepted by employers, schools, universities? | ||
| Available anytime | ||
| Cost effective | ||
| Reduced wait time | ||
| Reduced exposure to illness |
Contractors, Insurers and External HR Platforms
The OAIC notes that contractors and subcontractors handling another employer’s employee information are unlikely to receive the employer’s employee-record exemption merely because they provide HR, medical, training or superannuation services.
A cloud HR platform, external consultant, occupational provider or workers compensation insurer may have its own privacy obligations, contract terms and legal basis for collection. The employer should perform access control, data-processing and breach-response checks before sending certificates.
Employees can ask which external parties receive their documents, where information is stored and whether only the necessary fields are transferred.
Who Inside the Workplace Needs Access?
HR or payroll may need identity, incapacity dates and evidence status to process leave. A direct manager may need absence dates, contact arrangements and functional restrictions. A safety or return-to-work coordinator may need more specific capacity information.
Most colleagues need only operational information such as “Sam is unavailable until Thursday”. They ordinarily do not need the certificate, practitioner details or reason for illness.
Senior status does not create unlimited need-to-know access. Employers should use role-based permissions, audit logs and documented escalation for exceptional access.
Does HR Need Your Diagnosis?
An ordinary certificate often establishes that a person was unfit and gives dates without naming the condition. A diagnosis may be relevant for infection control, safety-critical capacity, adjustments or workers compensation, but the purpose should be identified.
Read Does a Medical Certificate Need to State Your Diagnosis? before assuming detailed disclosure is standard.
An employee can ask whether functional information would answer the workplace question without revealing more clinical history than necessary. A practitioner should not omit information required by law or necessary for a safe opinion, but routine curiosity is not a clinical purpose.
Secure Submission and Storage
Employees should use the designated HR portal, secure email address or other approved channel. Sending a certificate to a large group chat, communal inbox or personal messaging account increases the risk of accidental access and makes retention harder to manage.
HR should use restricted folders, strong access controls, secure transfer, retention schedules and a process for former staff access removal. Downloaded copies should not remain indefinitely on managers’ desktops or phones.
Calendar entries and roster notes also need care. A secure certificate can still be undermined if its diagnosis is copied into a shared shift comment, meeting invitation or absence spreadsheet. Operational systems should use neutral, minimal wording and direct authorised staff to the restricted record only when necessary.
The employee should keep the original or a clear copy and note when and how it was submitted. The guide to when to give a certificate to your employer includes a submission checklist.
Book Online Consultation
Get Expert Medical Advice Today
Convenient and Affordable Online Consultations
Connect with trusted, licensed healthcare professionals to receive expert medical advice, obtain verified medical leave certificates for work or personal needs, and access personalised treatment plans designed to address your specific health concerns. Enjoy the convenience of high-quality healthcare services delivered directly to you, eliminating the need for travel or long waiting times—all from the comfort and privacy of your own home.
Standard Consultation
Ideal for addressing general health concerns, prescription renewals, and obtaining medical certificates for urgent short-term health needs or minor illnesses.
Duration: 8 minutes
Book Now
Extended Consultation
Recommended for more detailed discussions, chronic condition management, or when additional time is required to address your health needs.
Duration: 15 minutes
Book Now
Can HR Share the Certificate With a Manager?
Some internal sharing can be legitimate where the manager needs information to approve leave, plan work or implement restrictions. The full document should not be shared automatically when a limited summary will do.
HR can communicate the supported absence period and approved work restrictions while withholding unrelated diagnosis or consultation detail. The correct boundary depends on the workplace process and reason for disclosure.
If a manager requests the entire certificate, HR should ask what decision requires it and whether access is authorised under policy and law.
Contacting the Issuing Clinic
An employer may seek to verify whether a certificate is genuine. That does not give it access to the patient’s appointment notes, diagnosis, medicines or treatment plan.
The issuing practice should verify the caller’s identity and protect patient confidentiality. Additional relevant information ordinarily needs the patient’s express consent unless another lawful basis applies.
Read Can My Employer Call My Doctor? and employer verification with the issuing clinic for the distinction between authenticity and clinical disclosure.
The Clinic’s Privacy Duties Are Separate
The OAIC health information guidance explains that health service providers usually need consent or another lawful basis to collect and disclose health information and must explain how they handle it.
A patient giving a certificate to HR does not necessarily consent to the clinic releasing the whole medical record. The certificate is a defined communication, not a blank authority.
Questions about Dociva’s handling of patient information are governed by its healthcare privacy processes, separately from what an employer does after receiving a document.
Electronic Signatures and Document Metadata
An electronic certificate can contain a practitioner’s name, signature, provider information, verification feature and document metadata. HR should protect those elements because they can be misused to impersonate a practitioner or fabricate documents.
Verification copies should not be posted publicly or forwarded to unrelated people. The article on whether a medical certificate needs a doctor’s signature explains legitimate electronic formats.
Suspected forgery should be investigated through a controlled process. Public accusations can expose both patient and practitioner information unnecessarily.
If Confidentiality Is Breached
Practical Steps for HR
Collect only what the organisation needs, tell employees why, and provide one secure submission route. Separate leave processing from broader capacity assessment so routine certificates do not become unrestricted health files.
Train managers not to ask for diagnosis details in group messages. Review user permissions, third-party contracts, retention rules and breach response at regular intervals.
When a document needs verification, use a standard authenticity process and record the minimum outcome rather than collecting extra clinical information.
More of Our Services
Using Dociva
Dociva currently offers sick-leave, carer's leave, study and multi-day medical certificate request pathways. Any issued certificate follows an Australian registered medical practitioner's independent assessment; an application does not guarantee a document.
Dociva does not control how an employer stores a certificate after the patient supplies it. Dociva will not disclose unrelated patient information to an employer merely because it calls and will follow applicable verification, consent and privacy processes.
For a current illness affecting work, review the medical certificate application. Submit any resulting document only through the employer’s authorised secure channel.
Frequently Asked Questions (FAQs)
It may share information genuinely needed for leave, capacity or safety, but should consider whether a limited summary is enough instead of the full document.
No. A private-sector employee-record exemption can apply to directly related handling, but its limits and other laws still need consideration.
Casual disclosure to uninvolved colleagues is inappropriate. Any safety communication should be limited to relevant, authorised information.
Not simply because HR asks. The clinic needs consent or another lawful basis and should limit any disclosure to the authorised purpose.
No. Use the designated secure HR, payroll or manager channel and avoid unnecessary recipients.
Document it, ask the employer to contain access, identify the record holder and obtain advice about the correct workplace or privacy complaint path.