(1)  A person conducting a business or undertaking must ensure that health monitoring reports in relation to a worker carrying out work for the business or undertaking are kept as a confidential record –

(a) identified as a record in relation to the worker; and

(b) for at least 30 years after the record is made.

Penalty:  In the case of –

(a) an individual, a fine not exceeding $1 250; or

(b) a body corporate, a fine not exceeding $6 000.

(2)  The person must ensure that the health monitoring report and results of a worker are not disclosed to another person without the worker's written consent.

Penalty:  In the case of –

(a) an individual, a fine not exceeding $1 250; or

(b) a body corporate, a fine not exceeding $6 000.

(3)  Subregulation (2) does not apply if the record is disclosed under regulation 412 , 413 or 414 or to a person who must keep the record confidential under a duty of professional confidentiality.