Skip to content
LegalVision

How Do I Handle Data Access Requests to an Individual’s Health Records if They Do Not Have Capacity?

Avatar photo

By Shauna Ng
Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Claude logo Claude Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

If you run a private medical service, you may receive data access requests from your patients. If so, you must provide them access to their health records in accordance with various privacy and health records laws. However, what happens if the person requesting access lacks capacity? For example they are a minor or their capacity is impaired. This article explains how to handle data access requests from an individual who does not have the requisite capacity. 

Background

Under the Privacy Act 1988 (Cth), there is an obligation on an APP entity to give an individual access to the information the APP entity holds about that individual upon that individual’s request. You must comply with an access request unless it: 

  • poses a serious threat to the life or health and safety of an individual or the public;
  • would have an unreasonable impact on the privacy of others;
  • is frivolous or vexatious;
  • relates to legal proceedings between the organisation and the individual;
  • would reveal the organisation’s intentions in negotiations with the individual; or
  • is prohibited under Australian law.

In certain States and Territories there are additional grounds where you can refuse access. For example, in Victoria and ACT, access to health records may not be given where information is given in confidence. A health record will be confidential if it contains material or information given in confidence to the record writer by a person other than the patient. This individual might be the patient’s guardian or a health service provider in the course of the provider’s treatment of the patient. 

In general, only the patient can request access or correct the personal information you hold about them. However, that patient may nominate a representative to access the information on their behalf.

Suppose the patient does not have capacity to authorise someone to access their records. Accordingly, the patient’s authorised representative may have authority to access the information and provide consent on their behalf.

Individuals Who May Not Have Capacity

Minors

The Privacy Act does not specify an age at which individuals can make their own privacy decisions. As a general principle, a patient under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed.

Patients With Impaired Capacity 

A patient has impaired capacity if:

  • they cannot understand the issues relating to the decision they are being asked to make; and 
  • are unable to form a reasoned judgement. 

This can occur on a permanent basis, for example, when a patient has advanced dementia. Alternatively, it may be a temporary, such as when a patient is unconscious. 

Some patients may intermittently lose their capacity to give consent. Similarly, their capacity may gradually deteriorate because of illness. In such cases, a determination will need to be made if the patient has sufficient capacity to indicate or withhold consent at the time of disclosure.

The State and Territory laws around health records also set out tests for capacity. Generally, a person is incapable of giving consent if they: 

  • cannot understand the general nature and effect of the matter they are being asked to decide on; or
  • cannot communicate their intentions about that matter.
Front page of publication
Guide to Protecting Your Brand

Your business’ brand represents your values, identity and reputation. Learn how to create a successful brand and protect it.

Download Now
Continue reading this article below the form
Loading form

Who Can Be An Authorised Representative? 

Minors

An authorised representative is someone with parental responsibility for a healthcare recipient under 14. When a child turns 14, the parent or guardian automatically loses authorised representative status. Accordingly, they can no longer access the child’s record. This is consistent with the legal rights of a competent minor to seek medical care without the knowledge and consent of a parent or guardian.

Patients With Impaired Capacity 

There are slightly different tests and requirements between States and Territories concerning authorised representatives. 

For example, in NSW, the following individuals can represent a patient who lacks capacity. They are:

  • someone who has an ‘enduring power of attorney’ for the individual;
  • a guardian, including someone with ‘enduring guardianship’ as defined in the Guardianship Act 1987 (NSW) (Guardianship Act);
  • a ’person responsible‘ under section 33A of the Guardianship Act;
  • a person having parental responsibility for a child under 18; or
  • any other person who is authorised by law to act for or represent the person.

It is worth noting that the term ‘next of kin’ is not used or relied on in NSW. It does not, therefore, give a ‘next of kin’ any authority to make decisions on behalf of the patient. Where a person is listed as a ‘next of kin’, it is recommended to check whether they are an authorised representative before relying on that person to decide on behalf of the patient.

This is similar in Victoria. However, one difference is that in Victoria, an authorised representative can be the individual’s medical treatment decision-maker.

Data Access Requests from Patients Without Capacity 

Where the patient does not have capacity, it is essential to ensure that an authorised representative can act on behalf of the patient. There should be an identification and verification process of the authorised representative before providing access. You should not give access if you are unsatisfied that the authorised representative has proper authority. 

There must be a clear identification and verification process where authorised representatives are concerned. Where a determination of capacity is required, you should record the rationale of the decision in the patient’s health record. 

Key Takeaways

As a private medical service provider, you will have obligations to respond to patient information access requests, even where the patient does not have capacity. In such a situation, further due diligence will need to be taken, most crucially in the identification and verification of the patient’s authorised representative. 

If you require advice or have further questions about how to handle health record requests, speak to one of our commercial health lawyers today. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

If someone requests access to their personal information, must I give them access? 

Yes, unless an exception applies. 

What are the exceptions to an access request? 

This includes if you reasonably believe providing access would pose a serious threat to someone’s life or health and safety or if the access would have an unreasonable impact on the privacy of others. 

Register for our free webinars

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now

Franchisor Compliance Update: Code Obligations from November 2025

Online
Stay compliant with the new franchising updates from November 2025. Register for our free webinar.
Register Now
See more webinars >
Shauna Ng

Shauna Ng

Lawyer | View profile

Shauna is a Lawyer in LegalVision’s Corporate and Commercial and Regulatory and Compliance teams. She assists a diverse range of clients in drafting and reviewing their agreements and also provides regulatory and compliance advice in various areas as required. Shauna has a particular interest in health-related services, including NDIS services.

Qualifications: Bachelor of Laws (Hons), Flinders University, Bachelor of Accountancy, Nanyang Technological University.

Read all articles by Shauna

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

5 Ways to Protect Your Health Business’ Brand

Can I Advertise a Therapeutic Good to Health Professionals?

Essential Contracts for Health Businesses

Can I Advertise a Therapeutic Good on My Social Media Platforms?

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards