If you run a private medical service, you may receive data access requests from your patients. If so, you must provide them access to their health records in accordance with various privacy and health records laws. However, what happens if the person requesting access lacks capacity? For example, they may be a minor or their capacity may be impaired. This article explains how to handle data access requests from an individual who does not have the requisite capacity.
Background
Under the Privacy Act 1988 (Cth), there is an obligation on an APP entity to give an individual access to the information the APP entity holds about that individual upon that individual’s request. You must comply with an access request unless it:
- poses a serious threat to the life or health and safety of an individual or the public;
- would have an unreasonable impact on the privacy of others;
- is frivolous or vexatious;
- relates to legal proceedings between the organisation and the individual;
- would reveal the organisation’s intentions in negotiations with the individual; or
- is prohibited under Australian law.
In certain States and Territories there are additional grounds on which you can refuse access. For example, in Victoria and the ACT, access to health records may not be given where information is given in confidence. A health record will be confidential if it contains material or information given in confidence to the record writer by a person other than the patient. This individual might be the patient’s guardian or a health service provider in the course of the provider’s treatment of the patient.
In general, only the patient can request access or correct the personal information you hold about them. However, that patient may nominate a representative to access the information on their behalf.
Where the patient does not have capacity to authorise someone to access their records, the patient’s authorised representative may have authority to access the information and provide consent on their behalf.
Individuals Who May Not Have Capacity
Minors
The Privacy Act does not specify an age at which individuals can make their own privacy decisions. As a general principle, a patient under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed.
Patients With Impaired Capacity
A patient has impaired capacity if:
- they cannot understand the issues relating to the decision they are being asked to make; and
- are unable to form a reasoned judgement.
This can occur on a permanent basis, for example, when a patient has advanced dementia. Alternatively, it may be temporary, such as when a patient is unconscious.
Some patients may intermittently lose their capacity to give consent. Similarly, their capacity may gradually deteriorate because of illness. In such cases, a determination will need to be made as to whether the patient has sufficient capacity to indicate or withhold consent at the time of disclosure.
The State and Territory laws around health records also set out tests for capacity. Generally, a person is incapable of giving consent if they:
- cannot understand the general nature and effect of the matter they are being asked to decide on; or
- cannot communicate their intentions about that matter.

Who Can Be An Authorised Representative?
Minors
An authorised representative is someone with parental responsibility for a healthcare recipient under 14. When a child turns 14, the parent or guardian automatically loses authorised representative status. Accordingly, they can no longer access the child’s record. This is consistent with the legal rights of a competent minor to seek medical care without the knowledge and consent of a parent or guardian.
Patients With Impaired Capacity
There are slightly different tests and requirements between States and Territories concerning authorised representatives.
For example, in NSW, the following individuals can represent a patient who lacks capacity. They are:
- someone who has an ‘enduring power of attorney’ for the individual;
- a guardian, including someone with ‘enduring guardianship’ as defined in the Guardianship Act 1987 (NSW) (Guardianship Act);
- a ‘person responsible’ under section 33A of the Guardianship Act;
- a person having parental responsibility for a child under 18; or
- any other person who is authorised by law to act for or represent the person.
This is similar in Victoria. However, one difference is that in Victoria, an authorised representative can be the individual’s medical treatment decision-maker.
Data Access Requests from Patients Without Capacity
Where the patient does not have capacity, it is essential to ensure that an authorised representative can act on behalf of the patient. There should be an identification and verification process of the authorised representative before providing access. You should not give access if you are unsatisfied that the authorised representative has proper authority.
There must be a clear identification and verification process where authorised representatives are concerned. Where a determination of capacity is required, you should record the rationale of the decision in the patient’s health record.
Key Takeaways
As a private medical service provider, you will have obligations to respond to patient information access requests, even where the patient does not have capacity. In such a situation, further due diligence will need to be taken, most crucially in the identification and verification of the patient’s authorised representative.
Frequently Asked Questions
Yes, unless an exception applies.
This includes if you reasonably believe providing access would pose a serious threat to someone’s life or health and safety or if the access would have an unreasonable impact on the privacy of others.