Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
When you’re running a small business, you’re often juggling performance, safety, leave management and legal compliance all at once. So it’s understandable to wonder where the lines are when an employee is off sick, can’t do certain duties, or raises a health concern.
One of the most common questions we hear is whether you can access (or request access to) an employee’s medical records in New Zealand.
The short version: usually, you can’t access an employee’s full medical records - at least not directly, and not without a clear, lawful reason and the employee’s informed consent. But that doesn’t mean you’re powerless. There are lawful ways to get the information you genuinely need to manage work, health and safety, and attendance - while still respecting privacy.
In this guide, we’ll break down what you can and can’t do under New Zealand privacy and employment law, what information you can ask for instead, and how to handle medical information safely once you have it.
What Counts As Employees’ Medical Records (And Why They’re Protected)
“Employees’ medical records” can mean different things in practice. For employers, it often comes up in situations like sick leave, return-to-work planning, or fitness-for-duty concerns.
In general, employees’ medical records can include:
- GP and specialist clinical notes
- Medical test results and imaging
- Hospital discharge summaries
- Mental health assessments
- ACC medical information (depending on the context)
- Any history of diagnosis, treatment or medication
This is highly sensitive personal information. In New Zealand, it’s protected primarily under the Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC).
Even if you’re “just trying to do the right thing”, collecting more medical information than you need (or using it in the wrong way) can create real risk - including privacy complaints, employee grievances, and reputational damage.
From a business perspective, it helps to remember this principle: you usually need “fitness for work” information, not someone’s private medical history.
Can You Request Or Access Employees’ Medical Records As An Employer?
Most employers cannot access an employee’s medical records directly.
For example, you generally can’t:
- Call an employee’s GP and request their medical notes
- Ask an employee to hand over their full medical file as a condition of employment
- Demand diagnosis details where a medical certificate already confirms unfitness for work
- Keep “just in case” copies of detailed medical reports that aren’t needed for employment purposes
So what can you do?
In practice, you can usually request specific, limited medical information when it’s necessary for a lawful employment purpose (like managing sick leave, assessing ability to perform the role, or meeting health and safety obligations). Sometimes an employee will also choose to provide medical information themselves (for example, to explain limitations or request adjustments), and you should still handle it carefully and confidentially.
Common lawful alternatives include requesting:
- a medical certificate confirming the employee is unfit for work (or fit with restrictions)
- information about functional limitations (what the employee can/can’t do at work)
- a fitness for work clearance before returning to certain duties
- consent for an independent medical assessment (in appropriate cases)
The key is proportionality: only ask for what you reasonably need to manage the workplace issue. If you’re not sure whether your request is reasonable, it’s worth getting advice early - these situations can escalate quickly if not handled carefully.
It also helps if your Employment Contract (and any relevant workplace policies) clearly set expectations around sick leave evidence, medical assessments, privacy and confidentiality.
Which NZ Laws Apply To Medical Information At Work?
When you’re dealing with employees’ medical records or medical information generally, you’re usually dealing with two legal frameworks at the same time:
1) Privacy Law (Privacy Act 2020 And Health Information Privacy Code)
Under the Privacy Act 2020, you must only collect personal information when:
- you have a lawful purpose connected with your functions as an employer, and
- the collection is necessary for that purpose
Medical information is “sensitive” by nature. That means you should be even more careful about:
- what you collect
- how you store it
- who can access it internally
- how long you retain it
- whether you can disclose it to anyone else
If your business handles personal information (including staff information), it’s usually smart to have a clear Privacy Policy and internal privacy processes so you’re not making it up as you go when a sensitive situation comes up.
2) Employment Law (Good Faith, Reasonableness And Process)
Employment relationships in New Zealand are governed by good faith obligations (under the Employment Relations Act 2000) and general expectations of procedural fairness.
That matters because even if you have a legitimate concern (for example, frequent absences or safety risk), your request for medical information still needs to be:
- reasonable in scope
- clearly explained (why you need it and what it will be used for)
- made in good faith (not as a pressure tactic)
- handled confidentially
If you’re performance managing or restructuring duties due to health impacts, you’ll also want to ensure your overall approach is legally sound - medical information is often only one piece of a broader, high-risk process.
When Can You Lawfully Ask For Medical Information (And How Much Is Too Much)?
There are times when asking for medical information is legitimate - and even necessary - but the request needs to be carefully framed.
Here are common scenarios small businesses face, and what’s usually reasonable.
Sick Leave And Medical Certificates
If an employee is taking sick leave, you can generally ask for evidence in line with the Holidays Act 2003 (for example, a medical certificate).
As a general rule, if the sick leave is 3 or more consecutive calendar days (including days the employee wouldn’t normally work, like weekends), you can require a medical certificate at the employee’s cost.
You can also ask for a medical certificate within the first 3 consecutive days, but if you do, you generally need to pay the reasonable cost of getting it (and you should tell the employee as soon as possible that you’ll require it).
In either case, a medical certificate typically only needs to confirm:
- the employee is unfit for work (or fit with restrictions)
- the period they’re unfit for work
You usually don’t need diagnosis details to approve sick leave.
It’s also worth remembering that “sick leave” can include mental health-related absence. If you’re dealing with that scenario, your approach needs to be supportive and privacy-conscious. (If helpful, our guide on taking a mental health day off work covers some practical considerations.)
Ongoing Absences Or Patterns Of Leave
If absences become frequent or unpredictable, it’s normal to want more clarity - especially in a small team where coverage is hard.
Even then, it’s generally better to focus on:
- capacity to meet role requirements
- expected timeframes for improvement
- what support or adjustments might help
Rather than asking for an employee’s full medical records, you might instead ask the employee to provide a letter from their treating practitioner addressing specific work-related questions (with the employee’s consent).
Fitness For Work And Health And Safety Concerns
Under the Health and Safety at Work Act 2015, you must take reasonably practicable steps to ensure health and safety.
If you genuinely believe an employee may not be safe to perform certain duties (for example, operating machinery, driving, working at heights, or working alone), you may need medical input.
In these cases, it’s usually reasonable to request a clearance or functional assessment addressing:
- whether the employee is fit for the specific duties
- any restrictions
- any recommended adjustments
- review timeframe
The aim is to manage workplace risk - not to “investigate” the employee’s underlying condition.
Independent Medical Assessments (IMEs)
Sometimes employers consider an independent medical assessment (IME) where:
- there’s conflicting or unclear medical information
- absence is prolonged
- there are serious safety concerns
- you’re considering a major employment decision (like termination on medical grounds)
Because an IME is intrusive, the process needs to be handled carefully. In many cases, you’ll need to show that the request is reasonable and that you’ve explained:
- why the assessment is needed
- what questions you want answered (keep it specific)
- who the doctor is and their role
- how the report will be used
- who will see it inside the business
This is also where having the right documentation and process matters. If your contracts and policies are unclear, it can be harder to justify the request later if it’s challenged.
What Consent Means (And Why “Just Sign This” Can Backfire)
Because employees’ medical records are so sensitive, employers often rely on employee consent to collect or share information. But consent in a workplace context can be tricky.
Consent should be:
- informed (the employee understands what they’re agreeing to)
- specific (not a broad “all medical records” authority)
- freely given (not pressured or coerced)
- revocable (employees can withdraw it in many situations)
If an employee feels they had no real choice (for example, “sign or you’re fired”), the consent may be challenged as not genuine - and it can damage trust fast.
From a practical business point of view, it’s often better to:
- clearly explain the issue you’re trying to manage (attendance, safety, capability)
- ask for the minimum information needed
- give the employee reasonable time to consider and respond
- confirm in writing what you’ll do with the information
If you’re preparing a written authority or consent form, it needs to match the purpose. If it’s too broad, you can create privacy risk for your business.
How Should You Store And Use Medical Information Once You Have It?
Even if you’ve lawfully obtained medical information, your obligations don’t end there. How you store, access, and use that information matters just as much.
Limit Access Internally
Medical information should only be accessible to people who genuinely need it to do their job (for example, the owner, a manager, or HR). It generally should not be shared widely through a team “FYI” or left in a shared drive.
Keep in mind that even well-intentioned disclosure (“just letting the supervisor know”) can turn into a privacy issue if it wasn’t necessary.
Use It Only For The Purpose You Collected It For
If you collected information to assess fitness for a particular duty, don’t later use it to make unrelated decisions (like promotion eligibility) unless you have a clear lawful basis to do so.
Purpose creep is one of the quickest ways for a business to end up on the wrong side of a privacy complaint.
Be Careful With Email And Messaging
Medical documents are often sent by email, which can be convenient - but it also increases the risk of accidental forwarding, misdirection, or insecure storage.
As a baseline, consider:
- storing documents in a restricted-access HR folder
- not leaving medical attachments in shared inboxes
- minimising printing (and securely disposing of anything printed)
Have A Clear Retention And Disposal Practice
Don’t keep sensitive medical information forever “just in case”. A sensible retention approach depends on your business and the purpose for collection, but the key is to avoid holding unnecessary sensitive data.
If you’re not sure what’s appropriate, getting privacy advice can help you set a practical process that fits your systems and your risk profile.
Train Your Managers (This Is Where Businesses Slip Up)
In small businesses, medical information often lands with a frontline manager first. That’s where privacy issues commonly arise - for example:
- a manager asking for diagnosis details out of frustration
- medical information being shared in rostering discussions
- an employee being treated differently after disclosing a condition
Having a clear internal process (and consistent messaging) can prevent a lot of headaches later.
Key Takeaways
- In New Zealand, employers generally can’t directly access an employee’s full medical records and should avoid requesting broad medical histories.
- You can often request limited, relevant evidence such as a medical certificate, clearance to work, or functional restrictions where it’s necessary for a lawful workplace purpose.
- The Privacy Act 2020 and the Health Information Privacy Code 2020 mean you should only collect medical information that’s necessary, and you must handle it securely and confidentially.
- Your request for medical information must also be reasonable and made in good faith under employment law, especially if it could lead to a significant employment decision.
- Employee consent needs to be informed and specific - overly broad or pressured “consent” can create legal risk and damage trust.
- Once you have medical information, limit internal access, use it only for the purpose collected, and store it securely (and don’t keep it longer than needed).
If you’d like help setting up employment documents and privacy processes that protect your business from day one - including your Employment Contract and Privacy Policy - you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.