Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
As a small business owner, you want to do the right thing by your people - and you also need to keep your workplace safe, productive, and compliant.
That’s where things can get tricky: when an employee has a health issue, do they have to tell you? Can you ask for details? What can you store on file? And what happens if you get it wrong?
This guide breaks down how employee medical information disclosure generally works in New Zealand, including what you can (and can’t) ask for, when you can request evidence, and how to handle health information without breaching privacy laws or risking an employment dispute.
Note: This article is general information only and isn’t legal advice. If you need advice for your specific situation, get tailored legal guidance.
Why Employee Medical Information Disclosure Is A Legal “Grey Zone” For Employers
In most workplaces, health information comes up in practical, day-to-day ways, such as:
- an employee calls in sick and you need to manage resourcing
- a staff member discloses anxiety or depression and asks for support
- a worker has restrictions after an injury and you need to ensure it’s safe for them to work
- a health condition is affecting attendance, performance, or safety
From a business perspective, it’s natural to want enough information to make reasonable decisions. But medical information is also highly sensitive personal information, and employees are not generally required to “open the book” on their private health details.
The key is this: you can usually ask for what you reasonably need to meet your obligations, but you should avoid collecting more than necessary - and you must handle any information you do receive carefully.
What The Law Says In NZ: Privacy, Employment, Discrimination, And Health & Safety
There isn’t one single law that answers every question about employee medical information disclosure. Instead, your obligations sit across a few key areas.
Privacy Act 2020 (And The “Need To Know” Principle)
The Privacy Act 2020 regulates how you collect, use, store, and disclose personal information - including health information.
For employers, some practical takeaways are:
- Collect only what you need: you should not collect medical information “just in case” or out of curiosity.
- Be transparent: if you’re requesting health information, you should explain why you need it and how you’ll use it.
- Keep it secure: health details should be stored with strong access controls (not in a shared folder anyone can open).
- Limit access internally: only people who genuinely need the information (for example, the owner or a manager handling return-to-work) should see it.
If your business collects personal information generally (including staff data), it’s also worth having a fit-for-purpose Privacy Policy and internal processes so your team handles information consistently.
Health And Safety At Work Act 2015 (HSWA)
Under the Health and Safety at Work Act 2015, you have duties to take reasonably practicable steps to ensure health and safety at work.
This can sometimes justify asking for limited medical information - but only where it genuinely relates to:
- fitness for work
- workplace risks
- reasonable adjustments or safe duties
- return-to-work planning
HSWA doesn’t give you a blanket right to demand diagnoses or detailed treatment history. It supports collecting what’s relevant for safety.
Employment Relations Act 2000 (Good Faith And Fair Process)
The Employment Relations Act 2000 requires employers and employees to deal with each other in good faith. In practice, that means:
- you should not mislead or pressure employees into disclosing medical details
- if you’re making decisions that affect employment (hours, duties, performance, disciplinary steps), you need a fair process and reliable information
- employees should be given a genuine opportunity to respond
A lot of disputes arise not because an employer asked for information, but because they asked in the wrong way (too broad, too intrusive, or tied to threats), or made decisions without proper process.
Human Rights Act 1993 (Disability Discrimination Risks)
The Human Rights Act 1993 protects employees from discrimination on grounds including disability (which can include physical and mental health conditions).
This matters because the way you request, use, or act on health information can create legal risk, for example:
- refusing work or reducing shifts because of a condition without considering reasonable adjustments
- treating someone differently because they disclosed a mental health issue
- pressuring an employee to disclose more than is necessary
So even when you’re trying to manage a legitimate business concern, you need to keep discrimination risks in mind.
Do Employees Have To Disclose Medical Information To You?
In most cases, no - employees generally do not have to disclose medical information to their employer, unless there is a lawful and reasonable reason connected to the job.
However, there are important nuances. Employees may need to share some information where:
- their condition creates a genuine health and safety risk at work
- they are requesting a workplace accommodation or modified duties
- they are seeking sick leave and you have a right to request evidence (for example, a medical certificate)
- their role has inherent safety requirements (for example, operating heavy machinery)
Even then, it’s usually about functional impact (what they can/can’t safely do, and for how long), rather than the full diagnosis or medical history.
A Practical Rule For Employers: Ask “What Do I Need To Know To Manage Work?”
If you’re unsure whether you can ask for something, a helpful framing is:
- What decision do I need to make? (e.g. can they safely do the role, do we need to adjust hours, do we need to approve leave)
- What minimum information is needed to make that decision fairly?
- Is there a less intrusive way to get it? (e.g. a fitness-for-work certificate rather than diagnosis details)
This approach supports both compliance and a healthier employment relationship.
When Can You Request Medical Information (And What Can You Ask For)?
There are a few common situations where requesting health information may be lawful and reasonable. The key is keeping requests proportionate.
1) Sick Leave Evidence (Medical Certificates)
When an employee is on sick leave, you can usually ask for proof in certain circumstances. Under the Holidays Act 2003, you can generally require a medical certificate if the employee has been sick or injured for 3 or more consecutive calendar days. You can also ask for proof within the first 3 days, but if you do, you generally need to pay the employee’s reasonable costs of getting that proof.
In practice, the “proof” is typically a medical certificate confirming the employee is unfit for work (or fit with restrictions) and the relevant dates. You usually do not need the certificate to state the diagnosis.
Tip: make sure your Employment Contract clearly sets expectations around sick leave notification and evidence, so you’re not trying to invent the rules mid-situation.
2) Fitness For Work And Safety-Critical Roles
If you have a role where fitness for work is essential (for example, driving, operating machinery, working at heights, or handling high-risk equipment), you may be justified in requesting medical clearance when there’s a genuine concern.
In these situations, rather than asking “What condition do you have?”, you’ll usually be on safer ground asking for:
- a fitness-for-work assessment from an appropriate health professional
- confirmation of restrictions (e.g. no lifting over X kg, no night shifts, no driving)
- timeframes for review
If you need the employee’s doctor or health professional to release more detail, you should consider using a tailored Medical Release Consent Form - but only where it’s genuinely required. Keep in mind that “consent” in an employment relationship can be a sensitive issue, so it’s important that any consent is informed, specific, and not pressured.
3) Return-To-Work, Injury, Or ACC-Related Planning
If someone has been injured (whether at work or outside work), you may need to plan a safe return. It’s normal to request information about:
- capacity (hours, duties, physical restrictions)
- gradual return-to-work recommendations
- any accommodations needed to make the workplace safe
Again, you’re generally focusing on what’s needed to safely manage work - not private medical background information.
4) Mental Health Disclosures And Requests For Support
Mental health is often where employers feel most uncertain. An employee may disclose stress, burnout, anxiety, or another condition, and you might need to manage workload, safety, and performance fairly.
Even here, the same principles apply:
- you can ask what support they’re seeking and what adjustments may help
- you can request appropriate evidence if you need to make decisions about leave or adjustments
- you should avoid pushing for a diagnosis or treatment details unless it’s necessary for a legitimate purpose
It’s also wise to align your approach with your internal Workplace Policy documents, so your managers respond consistently and your team knows what to expect.
5) Drug And Alcohol Testing (If Applicable)
Drug and alcohol testing can involve sensitive health information, and it’s not something you can “wing.” Whether testing is lawful often depends on:
- the nature of the role (higher-risk roles are more likely to justify testing)
- having a clear policy and process
- consent and handling of results
- fair process if results impact employment
If testing is part of your workplace approach, using a proper Drug Test Consent Form can help ensure your process is clear and privacy-respecting.
How Should You Handle Medical Information Once You Receive It?
Collecting medical information is only half the risk. The other half is what you do next.
If you hold health information about an employee, you should treat it as sensitive data and manage it deliberately - especially in a small business, where “everyone knows everything” can accidentally become the norm.
Collect Only What’s Necessary (And Document Why)
Before you request information, it’s worth documenting (even briefly):
- what decision you need to make
- why the information is relevant
- why less information won’t do
This puts you in a much stronger position if the request is later challenged.
Get Consent Where Required (And Don’t Make It Feel Forced)
In many cases, employees will voluntarily provide a medical certificate or brief information.
But if you’re requesting something more detailed (for example, speaking with their doctor), you should ensure:
- the employee understands what will be requested and why
- they know who will see it
- the request isn’t bundled with threats or assumptions
Consent should be real - not “consent under pressure.”
Store It Securely And Limit Internal Access
Health information should not be sitting in an inbox thread or general HR folder that multiple people can access.
As a baseline, consider:
- restricted-access digital storage (or locked physical filing)
- keeping it separate from general personnel files where appropriate
- only sharing it with managers on a strict “need to know” basis (often, restrictions are enough, not the diagnosis)
If your business ever has a privacy incident (for example, emailing a medical certificate to the wrong person), having a Data Breach Response Plan helps you act quickly and reduce harm.
Be Careful About “Informal” Sharing
One of the biggest real-world risks for small businesses is casual disclosure, such as:
- a manager mentioning someone’s condition to “explain” roster changes
- workplace gossip after someone takes mental health leave
- sharing too much with colleagues under the banner of “transparency”
If you need to explain operational changes, you can usually do so without revealing private health details. It’s a good idea to train managers on these boundaries (and to make confidentiality expectations explicit in your policies and onboarding).
Common Employer Mistakes (And How To Avoid Them)
Most employers aren’t trying to invade privacy - they’re trying to manage a business. But these are the common missteps that can create legal exposure.
Mistake 1: Demanding A Diagnosis
In many situations, you don’t need a diagnosis to manage work. You need to know if the employee can work safely, what adjustments are needed, and for how long.
Try: “Can you provide a medical certificate confirming whether you’re fit for work and any restrictions we should accommodate?”
Avoid: “Tell me exactly what’s wrong with you.”
Mistake 2: Treating Non-Disclosure As Misconduct
If an employee doesn’t volunteer medical details, that isn’t automatically dishonest or a breach of trust.
There can be situations where failing to disclose creates safety issues - but those situations are fact-specific, and your response should be careful and proportionate.
Mistake 3: Making Big Employment Decisions Without Proper Information
If health issues are affecting attendance or performance, it can be tempting to “jump ahead” (for example, moving straight to termination).
But you generally need a fair process, and that often involves:
- talking with the employee
- considering medical input where relevant
- considering adjustments and alternatives
- documenting your reasoning
This is where tailored advice can really matter, because the right process depends heavily on the circumstances.
Mistake 4: Not Having Clear Policies And Paperwork
A surprising number of disputes can be avoided by setting expectations early - especially around sick leave evidence, privacy, and fitness for work.
Many small businesses start with the basics:
- a well-drafted employment agreement
- clear workplace policies
- manager guidance on privacy and confidentiality
If you’re building out your internal HR systems, an Employee Privacy Handbook can also help set clear boundaries around how personal information is handled at work.
Key Takeaways
- In most cases, employees do not have to disclose medical information to you, but you may be able to request limited information where it’s lawful and reasonable.
- The key compliance areas for employee medical information disclosure in NZ include the Privacy Act 2020, Health and Safety at Work Act 2015, and fair process obligations under employment law.
- You should generally focus on fitness for work and restrictions, rather than seeking a diagnosis or detailed medical history.
- If you request medical information, be clear about why you need it, collect the minimum necessary, and store it securely with limited access.
- Be cautious about discrimination risks - particularly where health conditions require reasonable adjustments or impact performance.
- Clear documentation (employment contracts, workplace policies, and consent forms where needed) helps you manage health-related issues consistently and fairly.
If you’d like help setting up your employment documents, workplace policies, or a compliant process for handling medical information, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligation chat.