Organisations in Australia are using blood analysis as a means of screening future employees for ‘health risks’ that they allege may impact on their performance of work.

Collecting sensitive information from blood analysis is restricted under Australia’s privacy laws. This is because the mishandling of this information can have a substantial detrimental impact on those who have provided the information. Requiring workers to submit to blood analysis is just one example of how organisations are now routinely collecting sensitive information from workers, sometimes without adhering to the requirements of privacy laws. Other examples include using fingerprint and facial recognition software and sensors that collect physiological and psychological data about workers.

The protection from arbitrary interference with a person’s privacy is a fundamental human right. Interfering with this right, by collecting sensitive personal information, should occur in limited circumstances and only where necessary. However, this report shows that some organisations in Australia, are not treating the collection of sensitive information from workers as an exception. They are collecting sensitive information as a routine step in their employment processes.

The findings of this report raise concerns about power, privacy, fairness, and the potential for discrimination in the practices being adopted by some organisations. These findings also show that Australia’s current privacy and workplace relations laws do not adequately address these concerns. Amendments to Australian privacy laws are currently being considered by the Australian Government with reforms likely to be put before the Australian Parliament before the end of 2024.

This report examines the need for new provisions within either or both privacy or workplace relations laws that set out the rights of workers to protect their sensitive information. It argues that regulation should be geared towards, not only protecting workers’ rights to privacy, but to providing a disincentive to organisations hoarding and misuse of the personal and sensitive information of workers.

The worker-centric approach called for in this report includes:

• the development of one system of regulation to protect the privacy concerns of all workers regardless of employment status or work context
• defining the collection of workers’ personal and sensitive information as high risk requiring both specific and detailed justification for the collection of this information and the genuine informed and affirmative consent of workers
• the establishment of a tripartite mechanism to assist the regulator to develop and manage processes for dealing with the privacy and related human rights concerns of workers
• the use of codes and frameworks, developed via a tripartite mechanism, to set out when and how workers’ information can be collected and used
• the development of an easy to access, and timely, worker centered mechanism to address concerns about the collection and use of workers’ information.