Why this matters more than it sounds like it should
A workplace first-aid incident is, in the moment, an emergency. Once the moment passes, it becomes a piece of health information — and health information about an identifiable person is among the most strongly protected categories of personal data in Australian law. The first aider, by being on the scene and making notes, becomes a temporary custodian of that information, and the legal and ethical obligations that go with it don't end when the casualty walks out the door.
The reasons it matters:
- Legal. The Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) govern the collection, use, storage, and disclosure of personal and health information by most organisations of meaningful size. State health-records legislation adds another layer in NSW, Victoria and the ACT. Most workplaces are covered by one or both.
- Professional. The trust the casualty placed in you when they let you help is also trust that what they told you, and what you saw, won't end up as workplace gossip. Breaking that trust is the surest way to make the next casualty refuse help.
- Practical. A casualty who learns their first-aid encounter has been shared around the lunchroom may complain, may refuse future care, may leave the employer, or may pursue legal action. None of these outcomes are good for the casualty, the first aider, or the workplace.
§ Instructor's note
The teaching point of this chapter is ethical as much as legal. Most first aiders in most workplaces will never be the subject of a formal Privacy Act investigation, but most will be tempted, at some point, to "share" the story of an incident — a dramatic resuscitation, an embarrassing presentation, a colleague's medical condition — with people who don't have a need to know. The drill is: the story isn't yours to share. It belonged to the casualty, and your role gave you temporary access to it, not ownership of it.
What counts as "personal" and "health" information
The Privacy Act draws a useful distinction:
- Personal information is any information or opinion about an identified or reasonably identifiable individual — name, address, phone number, email, photograph, employee number, anything that picks one specific person out of a crowd.
- Health information is a subset of personal information that includes anything about an individual's health, illness, injury, disability, medical history, genetic information, or the health services they have received. It is treated as sensitive information under the APPs and gets the strictest protection.
A first-aid incident generates both. The casualty's name and contact details are personal information; everything else — their condition, your assessment, what you did, what they told you about their medical history, the medications they were carrying, the fact that they had a seizure or a hypo or an anaphylactic reaction — is health information. All of it is protected.
The Australian Privacy Principles, in first-aid terms
The APPs are 13 principles published by the Office of the Australian Information Commissioner (OAIC). The full set is detailed and is the kind of thing your workplace's privacy officer reads in full; for a first aider, the core ideas reduce to a small number of practical rules:
- Collect only what you need. A first-aid incident record needs the casualty's name, the time, the location, what happened, what you did, and the outcome. It does not need their date of birth, their religion, their political views, or anything else unrelated to the incident.
- Tell the casualty what you're collecting and why. "I'm going to write this down in our incident register so we have a record of what happened" is the whole transaction.
- Use the information only for the purpose it was collected. The incident record is for clinical handover, workers' compensation, regulatory notification, and workplace safety review. It is not for general HR, performance management, or anyone else's curiosity.
- Disclose only to people with a legitimate need to know. Paramedics on handover (yes), the casualty's manager for incident review (yes), HR for workers' compensation processing (yes), the regulator for notifiable incidents (yes), the lunchroom (no).
- Store it securely. Locked filing cabinet, password-protected file, restricted-access folder. Not the staff noticeboard, not an open spreadsheet, not the WhatsApp group.
- Let the casualty access their own record if they ask for it. They have a right to see what you wrote about them.
- Don't keep it forever. Workplace records have retention periods (typically 7 years for incident records, longer for some categories) and should be destroyed when the period expires.
These are not optional courtesies — they are the legal duties of any organisation covered by the Privacy Act, and the first aider acts as the workplace's hand in performing them.
Confidentiality — the ethical layer
Confidentiality is the ethical principle that information shared in a relationship of trust should not be disclosed beyond that relationship without the speaker's consent. It overlaps heavily with privacy law but is broader: it covers things that are not formally documented (the casualty's tears, the embarrassing reason they collapsed, the conversation in the ambulance) as well as things that are.
The first aider's confidentiality rule is short:
What you saw and heard while caring for a casualty stays within the people who need to know it for the casualty's care and the workplace's lawful response — and nowhere else.
That means:
- Yes: telling the paramedics on handover what you found and what you did.
- Yes: telling the workplace manager that an incident occurred and the basic facts needed for the incident response.
- Yes: writing the incident register entry.
- Yes: discussing the incident with another first aider on the team for a clinical debrief, focused on what happened and how to handle the next one.
- Yes: discussing the impact of the incident on you personally with an EAP counsellor, your GP, or your supervisor — focused on your wellbeing, not on the casualty's identity or details.
- No: telling colleagues over lunch what was wrong with the casualty.
- No: telling your spouse or family members the casualty's name and condition.
- No: posting about the incident on social media, even with the casualty's name removed.
- No: gossiping about the casualty's medical history with anyone who asks.
- No: continuing to discuss the incident with people who aren't part of the response, no matter how interesting the story is.
The single hardest line, in practice, is the social one: a dramatic incident is a story, and stories are what humans share. The first aider's professionalism is the discipline of not sharing the story, however much you want to. A debrief with a colleague who shared the response is one thing; a recap in the lunchroom is a different one.
The single most common privacy breach in modern workplace first aid is the social-media post. "Crazy day at work — saved someone's life today!" with a photo of the workplace, even with no names, is enough information for the casualty's friends, family or colleagues to identify them. Posts like this have led to formal complaints, terminations, and Privacy Act investigations. The rule is absolute: do not post about workplace first-aid incidents on any social media platform, ever, under any circumstances. The story is not yours to tell.
Who you can and can't talk to — the practical map
A useful way to think about disclosure is to ask, for each potential audience, "do they need this for the casualty's care or the workplace's lawful response?"
| Audience | Disclosure okay? | Why |
|---|---|---|
| Paramedics taking over | Yes | Direct continuity of care |
| Receiving hospital staff | Yes | Continuity of care |
| Another first aider on the response | Yes | Co-responder, needs to know |
| Workplace manager / HSR | Yes | Lawful incident management |
| HR for workers' comp | Yes (limited) | Lawful claim processing |
| WHS regulator (notifiable incidents) | Yes | Legal duty |
| Casualty's named emergency contact | Yes (limited) | Welfare, on the casualty's behalf |
| Police investigating an incident | Yes (with care) | Lawful investigation; check with manager |
| Casualty's other co-workers | No | No need to know |
| Casualty's family beyond named contacts | No | No need to know |
| The lunchroom | Absolutely not | No need to know |
| Social media | Absolutely not | No need to know, and identifiable |
| Your own family | No | No need to know |
| Curious bystanders | No | No need to know |
The grey area is the casualty's friends and co-workers. They are likely to ask "what happened?", and they may have a kindly motivation. The right answer is the minimum compatible with politeness: "There was an incident, the ambulance took them to hospital, I'm sure they'd appreciate hearing from you" — and not, ever, the clinical detail.
Documentation and the casualty's right to access
The workplace incident register is the formal documentary record of the response. It should be:
- Factual, not opinionated. Record what you saw, what you did, what the casualty said. Do not record speculation about cause, fault, or character.
- Contemporaneous. Written on the day, while details are fresh. Not days or weeks later from memory.
- Stored securely. In a locked cabinet, a password-protected file, or a restricted-access folder. Not on an open desk, not on a shared drive accessible to everyone.
- Accessible to the casualty on request. They have a right to see what was written about them. The Privacy Act gives this right explicitly, and a workplace that refuses to honour it is in breach.
- Retained for the legally required period, then destroyed. Most jurisdictions require workplace incident records to be kept for at least seven years; some workers' comp claims require longer.
The workplace procedures chapter covers the operational detail of the incident register.
Photographs and recordings
A first aider should generally not photograph or record a casualty without their consent. The exception is the narrow case where photographs are needed for clinical care (e.g. a photograph of a wound for paramedics, or of a snake for identification) and the casualty either consents or is unconscious and the photograph is clearly in their interest. Even then:
- The image is health information and is governed by the same rules as any other.
- It should be stored on a device that meets the workplace's information security policy, not on a personal phone if avoidable.
- It should be deleted from the personal device once it has been transferred to the workplace's secure record.
- It should never be shared with anyone outside the response chain.
After a notifiable incident, photographs of the scene (not the casualty) for the workplace investigation are useful and routine — that is a different question and is covered in the workplace procedures chapter.
Special cases
Children: a child's health information is doubly protected — by the Privacy Act and by the duty owed to vulnerable casualties. The same rules apply, with extra care about who is told. The parent or guardian normally has the right to access the child's health information.
Workers in small workplaces: in a workplace of ten people, "anonymised" information often isn't really anonymous — everyone knows who was off sick on Tuesday. The discipline of not discussing incidents at all is more important in small workplaces than in large ones, not less.
Casualties known to you personally: if you respond to a friend, neighbour, or family member, the duty of confidentiality is the same as for a stranger. The fact that you knew them before does not authorise you to share what you learned during the response.
Mental health presentations: confidentiality is especially important when the presentation involves mental health, self-harm, intoxication, or anything else with social stigma. The casualty is doubly vulnerable to being talked about, and the first aider is doubly responsible for not adding to the harm.
You are allowed — and encouraged — to debrief the emotional impact of an incident with your supervisor, your EAP counsellor, your GP, or another trained colleague. The way to do this without breaching confidentiality is to focus on your reaction rather than the casualty's identity: "I responded to a serious incident yesterday and I'm finding it hard to sleep" rather than "Bob from accounts had a seizure and here's what I saw." The first version protects everyone; the second version is the breach. See the rescuer stress and support chapter.
A first aider has a duty to maintain the confidentiality of any information obtained while providing care to a casualty. Information should be disclosed only to those with a legitimate need to know — such as treating clinicians, the casualty's authorised representatives, and (where required by law) regulatory authorities. Records of first-aid incidents should be stored securely and retained for the period required by relevant privacy and workplace legislation.
What to do if a privacy breach has happened
If you become aware that information from a first-aid incident has been disclosed to someone who shouldn't have it — by you, a colleague, or anyone else — the right action is:
- Don't try to "unbreak" it informally. Trying to retrieve a leaked piece of information usually makes it travel further.
- Notify your workplace's privacy officer or manager as soon as possible. Most medium-to-large Australian workplaces have a designated privacy contact.
- Document what was disclosed, to whom, and when, as far as you know.
- Cooperate with the workplace's response — which may include notifying the casualty, notifying the OAIC if the breach is serious enough to meet the Notifiable Data Breaches threshold, and reviewing the workplace's procedures.
- Take it as a learning event, not a witch-hunt. The point of the response is to prevent the next breach, not to punish the first one.
What not to do
- Do not share a casualty's identity, condition, or story with anyone who doesn't have a clear need to know.
- Do not post about workplace first-aid incidents on social media, even "anonymised". The casualty's friends will recognise them.
- Do not photograph or record a casualty without consent (or the narrow clinical exception).
- Do not leave the incident register, photographs, or notes in places where unauthorised people can see them.
- Do not keep records beyond the legally required period.
- Do not use information gathered during a first-aid incident for any purpose other than the casualty's care and the workplace's lawful response.
- Do not assume confidentiality only applies to written records — it applies to everything you saw, heard, and remember.
You will work through a small set of scenarios that test the privacy boundary — a colleague asking what was wrong with the casualty, a journalist phoning the workplace, a manager wanting more clinical detail than they need, a social-media post you're tempted to write. The aim is not memorising the Privacy Act; it is internalising the rule that the story belongs to the casualty, and your access to it is conditional on you treating it with care.
Privacy and confidentiality are the long tail of the first-aid encounter. The casualty walks away, the ambulance leaves, the kit gets restocked — but the information stays, and how the first aider handles it after the moment is what makes the response professional rather than just dramatic. Discretion is the quietest part of competent first aid, and one of the most important.
— ANZCOR Guideline 10.5 (legal and ethical issues)