Who has access to your Personal Medical Information?

As an employee you may have found yourself involved in the debate on “medical testing” and the use of your personal medical information to determine whether you are fit to do the job you have applied for. In many cases these medical tests are somewhat invasive and often a bit embarrassing.

And although there is nothing preventing a company from enforcing medical screening of staff if it is done according to the law, there are some cases where your personal medical information is made public without your consent.

And the biggest culprits of disclosing your personal medical information could be your company Safety Officer or consultant.

The Safety File syndrome has been labeled as the “best legal scam ever designed” and it is this syndrome that has resulted in so many “Safety Officers” insisting on your personal medical information being made available in the file. And they will tell you that it is a legal requirement. Yet, that is not true at all.

Let’s look at the Safety File first. Where can you find it? Well, if you work in construction, it is likely to be somewhere in a site office collecting dust amongst hundreds of other files containing copies of IDs, results of hearing tests, blood tests, lung function tests, drug tests, etc. So everyone who has access to the site office indirectly has access to your personal medical information.

But what does the law say? Most of these data crimes are committed in the name of “compliance” by someone who does not quite understand their own job.

Under the Construction Regulations a contractor must ensure that their employees are certified medically fit to work by an occupational health practitioner and this certificate must be issued in the form of Annexure 3 to the regulations. The regulation only says that every contractor must ensure that all his or her employees have a valid medical certificate of fitness specific to the construction work to be performed and issued by an occupational health practitioner in the form of Annexure 3. It does not say the medical information must be included.

And that is the ONLY document your employer is entitled to have! Nothing more!! The rest is confidential between you and your medical practitioner.

If your Safety Officer insists on seeing the Annexure 3 AND your medical examinations, he or she is in direct breach of the Protection of Personal Information Act (4 of 2013): firstly, because of the unlawful collection of personal medical information; secondly, because of the unlawful storage and distribution of your information; and thirdly, for failing to properly secure and protect your personal data from unauthorised use.

Now they probably will tell you that the POPI Act also says that it does not apply if the purpose of collecting your personal medical information is for the administration of an Act of Parliament. And while this is true to some extent, the Act they will refer to does not have such an administrative requirement, and the argument is thus invalid.

In addition, the Bill of Rights provides you the ultimate protection of privacy and any action by your employer will be an infringement of your rights.

In other instances, like where you work with Asbestos, Lead, Chemicals or Biological Agents, medical screening is also required. But there is no requirement in any law that states this information must be kept in a “Safety File”.

Even big companies are guilty of this breach of data protection and privacy. Some JSE Listed companies have been mentioned by concerned individuals.

So what can you as an employee do?

Firstly, the first person who has access to your personal medical information is your medical practitioner. There is no other way that information can fall into the public domain if not first released by your medical practitioner.

Lodge a complaint with the SA Health Professions Council against your medical practitioner for unlawful disclosure of your medical information. Please ensure you approach the correct Board when lodging your complaint.

What does the OHS Act say about confidentiality of Personal Medical Information?

Section 36 prohibits the disclosure of any information of another person unless it meets the requirements of this section. These requirements are:

  1. Disclosure must be for the purpose of the administration of the Act. We have covered the requirements above.
  2. Disclosure must be for the administration of justice. Here it is notable to mention the Promotion of Administrative Justice Act (PAJA), which came out after the OHS Act. Any administrative justice must therefore be done in accordance with the PAJA. A requirement to include medical information in a safety file is not subject to PAJA as it is a mere contractual requirement and not a legal requirement. Case law to this effect is quite clear.
  3. Disclosure must be at the request of an H&S Representative or Committee entitled to the information.

The last point opens a new debate. When is an H&S Rep entitled to medical information of an employee? The short answer is hardly ever, but it could be a bona fide reason if the H&S Rep has reason to believe the employee is over-exposed to a risk and the employer is withholding such a fact.

In any event, you, as employee, must give permission for your personal medical information to be used by another person, other than a medical practitioner in the performance of his/her duties. (Be careful of a “small print clause” in your contract of employment where you give such permission.)

You can also lodge a complaint with your H&S Rep if your personal medical information has been disclosed without your permission. Ask your H&S Rep to report it to the Regional Office of the Department of Labour.

You can also report your OHP or Safety Officer on, a free platform to name and shame unethical and incompetent practitioners.

The National Information Regulator is the administrator of the POPI Act and the Promotion of Access to Information Act, 2000 (Act 2 of 2000).

Sheqafrica is Africa's largest online Magazine for the Risk & Compliance profession. It is co-owned by Net-IX and the Sheqafrica Corporate Services(Pty)Ltd.

Jessica van Zyl


One Reply to “Who has access to your Personal Medical Information?”

  1. Thank you for this and I wish all persons will realize and understand the implication of information getting out. I have been put off many sites and overridden by senior persons when I refuse to give a person's full medical and only give them the Annexure 3. I always state how would they feel if everyone on site knew they are deaf in one ear or have a disease.
