Health Records (Privacy and Access) Act 1997

The Act uses a series of defined terms that structure its operation. A “consumer” is an individual who uses or has used a health service, or in relation to whom a health record has been created. Critically, the definition extends to a person with parental responsibility for a child or young person, a guardian of a legally incompetent person, and,after death,a legal representative or, if none exists, an immediate family member. A “health record” is any record (documentary or electronic) held by a health service provider that contains personal information, or any record containing personal health information. This includes photographs, test results, imaging materials, clinical notes, and copies of any part of a record. “Personal health information” means any personal information relating to the health, illness, or disability of a consumer, or collected by a health service provider in that context. The definition excludes purely research material that does not disclose identity.

A “record keeper” is any entity with possession or control of a health record. This may be the health service provider who created the record or another entity that holds it. A “health service provider” is broadly defined as any entity that provides a health service, which in turn includes any activity intended or claimed to assess, record, improve, or maintain physical, mental, or emotional health, or to diagnose or treat illness or disability. It also covers disability, palliative care, and aged care services that involve making or keeping personal health information. The Minister may declare exempt services by regulation.

The “privacy principles” in Schedule 1 address twelve subject areas: manner and purpose of collection (principle 1), notification of purpose (principle 2), solicitation of information (principle 3), storage and security (principles 4.1 to 4.3), information about records kept (principle 5), access by persons other than the consumer (principle 6), alteration of records (principle 7), checking accuracy before use (principle 8), limits on use (principle 9), limits on disclosure (principle 10), relocation and closure of practice (principle 11), and transfer of records when a consumer or provider moves (principles 12.1 and 12.2). “Consent” includes implied consent and must be in writing and signed in certain circumstances (section 7(4); Schedule 1, principle 10, clause 7). The Act also defines “child” as a person under 12 years old, “young person” by reference to the Children and Young People Act 2008, and “legally incompetent person” as someone subject to an operative enduring power of attorney or a guardianship order (other than by reason of age alone).

The Act imposes obligations and confers rights on a wide range of persons and entities. The primary duty bearers are “record keepers” , any entity that has possession or control of a health record. This covers individual health practitioners (doctors, nurses, allied health professionals), hospitals, clinics, pathology laboratories, aged-care facilities, and any other organisation that holds health information. The privacy principles apply to all persons who collect, use, or disclose personal health information in the course of their profession, employment, or official duty. Section 30 imposes a specific duty on record keepers who lack the skill or training necessary to perform a function under the Act: they must obtain and act on expert advice.

Consumers,the individuals to whom health records relate,are the primary right-holders. However, the Act recognises that many consumers cannot exercise rights personally. For a child (under 12), the right of access is exercisable on behalf of the child by the person with parental responsibility (sections 10A(a), 25). For a young person (12 to 17), the right is exercisable by the young person personally if they have sufficient maturity and developmental capacity to understand the nature of the request and the record; otherwise it is exercisable by the person with parental responsibility (section 10A(b)). For a legally incompetent person, a guardian exercises rights on their behalf, but a purported consent by a guardian is void if given contrary to the person’s previously expressed and unwithdrawn wishes (section 26). After death, a legal representative of the deceased consumer exercises rights, again subject to the deceased’s expressed wishes (section 27). If no legal representative exists, an immediate family member is included in the definition of “consumer” for certain purposes.

The Human Rights Commission (the “commission”) receives complaints about acts or omissions that contravene the privacy principles or involve a refusal to give access (section 18). The health services commissioner is also referenced in relation to access requests (sections 10(5), 13(2)(a)). The Magistrates Court has jurisdiction to make declarations about a person’s status under the Act (e.g., whether someone is a legally incompetent person or a guardian), and to make any other appropriate order (section 31). Appeals from the Magistrates Court lie to the Supreme Court as of right, except for interim restraining orders (section 32). The director-general of the responsible administrative unit receives notices about practice relocation or closure (Schedule 1, principle 11, clause 4) and must inform the health services commissioner.

The central right conferred by the Act is a consumer’s right of access to a health record under section 10. This right applies to health records held by a health service provider, and to any other health record to the extent it contains personal health information relating to the consumer. For factual matters, the right extends to records made at any time; for matters of opinion, it applies only to records created on or after the Act’s commencement. The right may be exercised by inspecting the record (or a print-out if electronic), receiving a copy, or viewing the record with an explanation from a suitably qualified health service provider (section 10(3)). The right is subject to payment of any determined fee (section 10(7)) and to the exceptions in sections 14, 14A, 15, and 17.

Section 11 makes it an implied term of any health service contract (oral or written, made in the ACT or performed there) that the provider will allow access in accordance with the Act. Section 11(3) imposes a freestanding duty on record keepers to allow access if the record is kept or located in the ACT, regardless of contract terms. Section 11(4) imposes a similar duty on health service providers who provide a service. Any contract purporting to exclude or be inconsistent with these duties is void (section 11(7)).

Record keepers must respond to a written or oral request for access within two weeks (section 13). If they rely on a ground for nonproduction (section 14: not in possession, does not relate to consumer, or would contravene a law or court order) they must give written notice stating the ground. If prohibited from giving access under sections 14A, 15, or 17, they must state the relevant section. Otherwise they must either give access or notify the consumer of a fee. Access must be given within 30 days of the request (or one week after fee payment if later) for adults (section 13B(2)), and the same timeframe applies for children and young people (section 13BA(2)). Before giving access, the record keeper must take reasonable steps to verify the identity of the person seeking access and, where applicable, the authority of a guardian or legal representative (sections 13B(3), 13BA(3)). If the required evidence is not provided or is unsatisfactory, the record keeper need not give access (sections 13B(4), 13BA(6)). For young people, the record keeper may require the young person to attend a meeting to explain the nature of the record or to consent to parental attendance (section 13BA(4)-(5)).

Where a record keeper refuses access on the ground that it would constitute a significant risk to the life or health of the consumer (section 15(a)), the consumer may nominate an alternative health service provider to review the record (sections 16A-16D). The nominated provider must form an opinion on the validity of the refusal and, if satisfied that inspection would not pose a significant risk, must allow the consumer to inspect the record (section 16C(d)). Record keepers who object to a nominated provider must not do so if the nominated provider is registered with the same board as the original provider, or is a medical practitioner (other than a student), or provides the same kind of service and can understand the record (section 16D(4)).

Under Schedule 1, the privacy principles impose detailed duties on record keepers. Principle 4.1 requires reasonable security safeguards against loss, unauthorised access, modification, disclosure, or misuse. Records must not be destroyed except in limited circumstances: when required or allowed by a Territory law, after a specified retention period (7 years after last service for adults, or until the consumer turns 25 for children), if an electronic copy is retained, or for certain surveillance footage (principle 4.1, clause 3). Principle 4.2 requires a register of destroyed or transferred records. Principle 7 governs alteration of records: deletion is prohibited except as part of archival destruction, and inaccurate information must be corrected or supplemented with a consumer’s written statement if the record keeper is unwilling to amend. Principle 8 requires record keepers to check accuracy before using information. Principle 9 limits use of information to the purpose for which it was collected, unless the consumer consents, the use is necessary to prevent serious risk, required by law, directly related, or for management/funding/quality purposes. Principle 10 limits disclosure to third parties, subject to exceptions for treating team sharing, usual practice disclosure with consumer awareness, consent, serious and imminent risk, legal compulsion, management/funding/quality, research (with safeguards), and disclosure to carers or immediate family members in certain circumstances. Principles 11 and 12 impose specific timeframes and notice requirements when a practice relocates or closes, or when a consumer or provider moves to a different practice.

Part 5 of the Act creates several criminal offences, each carrying a maximum penalty of 50 penalty units, imprisonment for 6 months, or both. At the republication date, a penalty unit is valued at $160 for an individual and $810 for a corporation, meaning the maximum fine for an individual is $8,000 and for a corporation $40,500, in addition to possible imprisonment. The offences are:

• Section 20: threatening or intimidating a person to cause them to give a consent under the Act or to do something without required consent; making a false representation recklessly with that intention; or falsely representing that a consumer is legally required to consent to a health status report. The false representation offence does not apply if the representation is not false in a material particular (section 20(3)).

• Section 21: destroying, defacing, or damaging a health record or related material with intent to evade or frustrate the Act; or removing a health record from the ACT with that intent.

• Section 22: threatening or intimidating a person to obtain access to a health record when not entitled; or making a false representation recklessly with that intention when not entitled. Again, the false representation offence excludes immaterial falsity (section 22(3)).

• Section 23: threatening or intimidating a person to cause them not to make, pursue, or to withdraw a request for access under Part 3; or making a false representation recklessly with that intention. A defence exists if the defendant proves they had another reasonable ground for the conduct (section 23(3)).

Section 24 extends criminal responsibility to acts or omissions of representatives (employees or agents) of a person. To prove a person’s state of mind, it is enough to show that a representative within the scope of actual or apparent authority had that state of mind. The act or omission of the representative is taken to be that of the person, unless the person establishes that reasonable precautions and appropriate diligence were taken to avoid it. However, a person convicted solely by virtue of this section cannot be punished by imprisonment (section 24(6)). Section 4B confirms that the Criminal Code, chapter 2 applies to all offences under the Act, including its principles of criminal responsibility, burdens of proof, and definitions of fault elements.

Enforcement also occurs through the complaints mechanism. Section 18 allows any person to complain to the Human Rights Commission about an act or omission that contravenes the privacy principles, constitutes a refusal to give access in accordance with the Act, or involves a record keeper’s refusal to give access. A complaint may relate to a deceased consumer whether the act or omission occurred during life or after death. The Act does not prescribe the commission’s powers upon receiving a complaint, but the commission operates under the Human Rights Commission Act 2005. Additionally, section 31 gives the Magistrates Court jurisdiction to make declarations about a person’s status under the Act (e.g., whether someone is a legally incompetent person or a guardian), to declare whether anything done under the Act was validly done, and to make any other order considered appropriate. Applications may be made by the health services commissioner or any person with a sufficient interest. Appeals lie to the Supreme Court as of right, except for interim restraining orders (section 32).

The Act contains several provisions addressing its relationship with other legal frameworks. Section 37 provides a general saving: the Act is not to be read as affecting the operation of any Territory law relating to access, privacy, or confidentiality of documents, except to the extent that it does so expressly or by necessary implication. This preserves the operation of other ACT legislation such as the Human Rights Commission Act 2005, the Information Privacy Act 2014, and the Children and Young People Act 2008, unless the Health Records Act explicitly overrides them.

Section 6(2) defines “lawful authority” to contravene a privacy principle. A person is taken not to have lawful authority unless they prove that compliance would have contravened a Territory law (other than this Act or the common law), a Commonwealth law, or a court order. The dictionary expressly excludes this Act and the common law from the definition of “law of the Territory”, so a privacy principle cannot be overridden by another provision of this Act itself (except through the specific exceptions in the principles or Part 3). This creates a hierarchy: Commonwealth law and court orders prevail.

Section 33 provides that the Act does not prevent a court of competent jurisdiction from making an order under another Territory law that would otherwise constitute a contravention of this Act. However, the court must have regard to the relevant provisions of this Act when deciding whether to make or continue such an order.

Specific provisions carve out interactions with particular legislation. Section 14A prohibits access to a health record that relates to certain reports under the Children and Young People Act 2008 (child concern reports, mandatory and voluntary reports, prenatal reports, and care and protection report information) if the record identifies the person who made the report or allows that identity to be worked out. This mirrors confidentiality protections in child protection legislation. Section 14 provides that nonproduction is justified if giving access would contravene a Territory or Commonwealth law or a court order. Section 17 protects material given in confidence by a person other than the consumer, guardian, parent, or treating health service provider , this interacts with the common law of confidentiality and with other statutory secrecy provisions.

The Act also interacts with the Health Practitioner Regulation National Law (ACT). Section 16D(4) prevents a record keeper from objecting to a consumer-nominated health service provider if that provider is registered by the same national board as the original provider, or is a registered medical practitioner (other than a student), or provides the same kind of service and can understand the record. The dictionary formerly defined “registration board” but that definition was omitted in 2014; the current reference is to a national board established under the National Law, section 31.

Section 4B notes that the Criminal Code, chapter 2 applies to all offences, importing standard fault elements and defences. Section 24 on representative liability aligns with corporate criminal responsibility provisions. The regulation-making power in section 36 allows regulations to apply, adopt, or incorporate an instrument as in force from time to time for the purpose of principle 10, clause 3 (disclosure for research or statistics). This permits dynamic referencing to external guidelines without amending the Act.

Section 31(1)(a)(iv) allows the Magistrates Court to declare whether a young person has sufficient maturity and developmental capacity to understand the nature of their access request , a determination that interacts with the Children and Young People Act 2008’s definition of “young person” and with the Family Law Act 1975 (Cth) principles concerning a child’s best interests, though the Act does not explicitly reference Commonwealth family law.

The Health Records (Privacy and Access) Act 1997 was notified on 24 December 1997 and commenced on 1 February 1998. Since then it has been amended by over 30 separate amending laws, as recorded in the endnotes. Significant amendments include:

• Legislation (Consequential Amendments) Act 2001 (A2001-44): made minor textual adjustments to Part 1, including omitting the original commencement section.

• Legislation Amendment Act 2002 (A2002-11): inserted a note in Part 6 concerning the application of privilege against self-incrimination and client legal privilege, and omitted the former section 28 on legal professional privilege (which was no longer needed after the note).

• Health Records (Privacy and Access) Amendment Act 2005 (A2005-4): introduced section 14A (no access to health record relating to child protection reports) and amended sections 13 and 15.

• Health Records (Privacy and Access) Amendment Act 2005 (No 2) (A2005-63): a major restructuring that relocated the privacy principles from section 5 into Schedule 1, repealed the former offences and replaced them with the current set, inserted sections 13A to 13D and 16A to 16D (relating to disclosure with consent, access timeframes, deemed refusal, and the nomination process), and made numerous consequential amendments. This Act also introduced the register of destroyed or transferred records (principle 4.2) and updated the dictionary.

• Human Rights Commission Legislation Amendment Act 2005 (A2005-41) and associated amendments in 2006: replaced the complaints mechanism, substituting the former section 18 and omitting section 19 (which had applied the Community and Health Services Complaints Act 1993). The Human Rights Commission became the complaints body.

• Children and Young People (Consequential Amendments) Act 2008 (A2008-20): updated references to child protection reports following the enactment of the Children and Young People Act 2008.

• Health Legislation Amendment Act 2010 (No 2) (A2010-11): inserted provisions relating to practice relocation and closure (principle 11) and consumer move (principle 12).

• Health Legislation Amendment Act 2016 (A2016-11): inserted section 10A and section 13BA specifically addressing the right of access for children and young people, and amended related provisions throughout the Act, including the definitions of “child”, “guardian”, and “young person”.

• Children and Young People Amendment Act 2023 (A2023-49) and 2024 (A2024-3): updated section 14A to refer to the amended provisions of the Children and Young People Act 2008.

• Health Legislation Amendment Act 2024 (A2024-42): amended the schedule of privacy principles, likely relating to security and destruction provisions.

• Statute Law Amendment Act 2025 (A2025-29): made minor amendments to sections 13C, 34, 36, and the schedule, effective 16 November 2025.

The Act has been republished 32 times, with the latest republication incorporating amendments up to A2025-29.

The Act itself does not refer to any specific cases, nor does the republication include a case note or litigation summary. Accordingly, any discussion of litigation must be confined to the statutory framework that enables court proceedings, without naming or analysing decided cases.

The Act confers jurisdiction on the Magistrates Court to make declarations and orders under section 31. Applications may be brought by the health services commissioner or any person with a sufficient interest. The court can declare a person’s status under the Act (e.g., legally incompetent person, guardian, young person with sufficient capacity, person with parental responsibility, or legal representative), declare whether anything done or purportedly done under the Act was valid, and make any other appropriate order. This jurisdiction likely generates applications where a record keeper disputes a consumer’s claimed status or where a consumer challenges a refusal of access on grounds that depend on capacity or authority.

Section 32 provides for appeals to the Supreme Court as of right from any decision of the Magistrates Court under section 31, except for interim restraining orders (which are not appealable). The appeal is governed by the Magistrates Court Act 1930, Part 4.5 (civil appeals), other than section 274. This means that the Supreme Court can review both the making and refusal of declarations and orders.

The Act’s complaints mechanism (section 18) directs complaints to the Human Rights Commission, which operates under its own Act. The commission may investigate and attempt conciliation, and its decisions may be subject to judicial review under the ACT’s administrative law framework. However, the Health Records Act does not set out the commission’s powers or provide for appeal from its determinations.

Given the Act’s long history (since 1998), there is likely a body of decisions from the ACT Magistrates Court and Supreme Court interpreting its provisions, particularly the scope of the risk exception in section 15, the confidentiality provisions in section 17, and the capacity requirements for children and young people. However, the source text does not record this case law, and no assumptions should be made about the content of those decisions.

Several provisions in the Act are easily overlooked or may operate in ways that are not immediately obvious.

The “law of the Territory” exclusion. Section 6(2) defines lawful authority to contravene a privacy principle as requiring proof that compliance would have contravened a Territory law (other than this Act or the common law), a Commonwealth law, or a court order. The dictionary expressly states that “law of the Territory” does not include this Act or the common law. This means that a record keeper cannot rely on a conflict between two provisions of this Act as lawful authority to ignore a privacy principle. For example, a record keeper cannot argue that complying with the access provisions in Part 3 justifies a disclosure that would otherwise breach principle 10 , the conflict must arise from an external law, not from the Act itself.

Deceased consumer rights and the definition of consumer. The definition of “consumer” includes, after death, a legal representative of the deceased consumer, and if there is no legal representative, an immediate family member. However, section 27(2) states that a right or power conferred by the Act is exercisable “by a legal representative of the deceased consumer.” This creates a potential gap: if there is no legal representative, the immediate family member is a “consumer” for the purposes of the definition but section 27(2) does not expressly confer the right to exercise access or other powers on them. The Act may rely on the definition of consumer to allow immediate family members to exercise rights, but the interaction is ambiguous. Similarly, a purported consent by a legal representative is void if given contrary to the deceased’s previously expressed wishes (section 27(3)), but the same rule is not explicitly stated for immediate family members acting as consumers.

The “significant risk” standard in section 15. The prohibition on giving access where the record keeper believes on reasonable grounds that provision would constitute a significant risk to life or health (physical, mental, or emotional) of the consumer or another person is a high threshold. The word “significant” is not defined, and the burden rests on the record keeper to form a reasonable belief. If the ground is the risk to the consumer, the record keeper may make an offer under section 16 to discuss the record, and the consumer can then nominate an alternative provider under section 16A. The nominated provider can override the record keeper’s decision if satisfied that inspection would not be a significant risk (section 16C(d)). This means the record keeper’s initial refusal is not final.

Record deletion prohibition with exceptions. Principle 4.1, clause 2 states that a record keeper “must keep, and must not destroy, a health record about a consumer, even if it is later found or claimed to be inaccurate.” Clause 3 lists exceptions: destruction required or allowed by a Territory law, destruction after specified retention periods (7 years from last service for adults; when the consumer turns 25 for children), destruction after generating an electronic copy under the Electronic Transactions Act 2001, or destruction of surveillance footage. Practitioners may be unaware that merely scanning a paper record and then destroying the paper may not satisfy the exception unless the scanning method meets the requirements of the Electronic Transactions Act, section 11(2)(b), and it is reasonable to expect the electronic copy will remain accessible for subsequent reference.

The “deemed refusal” consequences. Sections 13A, 13B, 13C, and 13D create a detailed compliance timeline. If a record keeper fails to respond within two weeks (section 13), fails to give access within 30 days (or one week after fee payment), fails to make the record available for inspection at a reasonable time, or fails to arrange an explanation, access is taken to have been refused (section 13D). This deemed refusal then grounds a complaint under section 18(1)(c). The record keeper cannot argue that they did not formally refuse , the legislation treats non-compliance as a refusal.

Children and young people access , parent vs young person. Under section 10A, a young person (12 to 17) may exercise the right of access personally if they have sufficient maturity and developmental capacity. If they do not, the person with parental responsibility exercises it. Section 13BA gives the record keeper discretion to require a young person seeking access to attend a meeting for explanation, or to consent to a parent attending. Conversely, before giving access to a parent of a young person, the record keeper may require the young person’s consent or discuss the access with the young person. This creates a potential stand-off: a parent may be denied access if the young person objects, even if the parent normally has parental responsibility. Record keepers must navigate this without a clear statutory hierarchy.

Confidentiality by consumer direction after incapacity or death. Section 17(3) allows a consumer to notify a record keeper that they want the record to remain confidential, and the record keeper marks it accordingly. If the consumer then becomes legally incompetent or dies, the record becomes “subject to confidentiality” and access must be refused. This overrides the rights that a guardian or legal representative would otherwise have. The consumer must have made the notification before losing capacity, and the record keeper must have marked the record. The Act does not require that the notification be in writing, but the record keeper must have acted on it.

Record keepers and health service providers should adopt a systematic approach to compliance, focusing on the privacy principles, the access regime, and the specific procedural requirements.

Implement the privacy principles. The twelve principles in Schedule 1 must be integrated into everyday practice. For each principle, record keepers should develop policies and procedures. Under principle 1, collect personal health information only for a lawful purpose directly related to a function or activity, and only by lawful and fair means. Under principle 2, inform consumers of the purpose of collection, whether collection is required by law, the identity of treating team members, and any usual disclosures. Under principle 3, take reasonable steps to ensure information is relevant, up to date, and accurate, and does not intrude unreasonably on personal affairs. Under principle 4.1, implement reasonable security safeguards against loss, unauthorised access, modification, disclosure, and misuse. Maintain a register of destroyed or transferred records under principle 4.2 for at least 7 years (except surveillance footage). Under principle 7, never delete information; correct inaccurate information by appropriate additions and, if unwilling to amend, attach the consumer’s written statement to the record. Under principle 8, check accuracy before using information. Under principle 9, use information only for the purpose it was collected, unless one of the specified exceptions applies. Under principle 10, disclose information only as permitted (e.g., with consent, for treating team, for serious risk, under legal compulsion, for management/funding/quality, or for research with safeguards). Obtain written consent for disclosure under principle 10, clause 2(c) where required.

Manage access requests. Designate a responsible person to handle requests under section 12. For each request, verify the identity of the requester and, if someone else is authorised, verify their identity and authority (sections 13B(3), 13BA(3)). If the requester is a young person, consider whether they have sufficient maturity and developmental capacity; if unsure, seek guidance or a court declaration under section 31. Respond within two weeks of receiving the request (section 13(2)). If refusing access, give written notice stating the ground (section 14) or the section prohibiting access (sections 14A, 15, 17). If relying on section 15 (risk to life or health of the consumer), consider making an offer under section 16 to discuss the record, and be prepared to accept a nomination from the consumer under section 16A. If the consumer nominates an alternative provider, give the record or a copy to that provider within two weeks (section 16B(2)), unless the nomination lapses or the record keeper objects under section 16D (but note the limitations on objection). If access is granted, provide it within 30 days (or one week after fee payment if later), and give access in the requested manner (inspection, copy, or viewing with explanation) at a time and place stated in a notice (section 13C).

Manage practice relocation or closure. If a health service practice is relocated or permanently closed, the provider must give public notice and take other steps to inform consumers at least 30 days beforehand (Schedule 1, principle 11, clause 2). The notice must state that consumers may request a copy or summary of their health record within 14 days of publication, that a fee may apply, and that if no request is made, records will be transferred to a stated provider or record keeper. Give a copy of the notice to the director-general (clause 4). Process transfer requests within 30 days (or 7 days if urgent health services are needed) (clauses 5 and 6). If the provider dies or becomes legally incompetent, the legal representative or guardian must comply as soon as practicable (clause 10). If a consumer moves to a different provider, or a provider moves to a different practice, handle transfer requests under principles 12.1 and 12.2 within 30 days (or 7 days for urgent health services), subject to any determined fee.

Train staff and maintain records. Section 24 imposes vicarious liability for acts or omissions of representatives (employees and agents) unless the record keeper proves that reasonable precautions and appropriate diligence were taken. This requires documented training, supervision, and auditing of compliance with the privacy principles and access procedures. Section 30 requires record keepers lacking necessary skill or training to obtain and act on expert advice , this may apply to small practices or allied health professionals without administrative support. Keep records of all access requests, responses, and consents for evidentiary purposes. Note that the Act does not prescribe a specific retention period for these administrative records, but they may be relevant to defend against complaints or offences.

Handle complaints and court applications. If a complaint is made to the Human Rights Commission under section 18, cooperate with the commission’s process. The commission may attempt conciliation. If a dispute arises about a person’s status (e.g., whether a young person has sufficient capacity, or whether a person is a guardian), either party may apply to the Magistrates Court for a declaration under section 31. Comply promptly with any court declaration or order.