Access to Health Information


The Health Law Central sections on confidentiality and privacy discussed how the law protects health care information from being disclosed. This section focuses upon the laws and bodies relevant to providing access to health records or information.

As a general rule, the doctor who holds patient information owns and controls it and has legal rights (for example, copyright) over their own work. Patients, however, have a general right of access to information held about them. The right to access such information in Australia, and the rules that govern how that access may occur, are found in Commonwealth and State legislation.

The Australian Privacy Principles (APPs) found in the Privacy Act 1988 (Cth) provide for access to medical records held by private health services.

State and Territory health, privacy, and/or freedom of information legislation governs access to records held by public health services.

Commonwealth Legislation

The Australian Privacy Principles
(The Privacy Act 1988 (Cth))

Australia Map

The Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth), give people a right to access and correct medical records held by private health service providers. 1 APP 12 provides that if an entity (agency, organisation, small business operator) holds personal information about a person, it must give access to that information at the person’s request.

However the right to access such information is not absolute. APP 12 also sets out grounds upon which a request may be denied. These grounds include that:

  • the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of an individual, or to public health or public safety; or
  • access would unreasonably impact upon the privacy of others;
  • the request is frivolous or vexatious;
  • the information relates to legal proceeding between the entity and individual, and would not be accessible via the process of discovery (access to documents related to the proceedings);
  • giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations;
  • giving access would be unlawful;
  • denying access is required or authorised by or under an Australian law or a court/tribunal order;
  • the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
  • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

Health services are able to charge a fee for access to information, provided the fee is not excessive.

Note: If the information was acquired before the 21 December 2001 and has not been used or disclosed since then, a person may need to seek a court order to access such information. This is because such information is not subject to the Australian Privacy Principles and is the property of the health service that holds the records. 2 In such circumstances it would be prudent for a person to seek legal advice relevant to their personal situation.

Freedom of Information Act 1982 (Cth)
(re information held by Commonwealth government ministers and agencies)

The Freedom of Information Act 1982 (Cth) provides a legally enforceable right of access to Commonwealth government documents held by ministers and most agencies (although their obligations differ). If there was health related information held by such ministers or agencies access to, or correction of, such information would be determined by the provisions of FOI Act.

Note, that some information may be exempt under the FOI Act, or subject to secrecy provisions found in other relevant acts. 3

From 1 November 2014, the Commonwealth Ombudsman has handled complaints about the processing of freedom of information (FOI) requests.

For more information about Commonwealth freedom of information see the  Office of the Australian Information Commissioner, Freedom of Information.

NOTE: Access to documents held by state and territory public health services and agencies is governed by state and territory legislation. (See below)

State and Territory Legislation and Oversight

Some key pieces of legislation that are relevant to health care information and records are listed below, and links to oversight agencies provided.

Click on the links below to go directly to information on a specific state/territory, or scroll down to read them all.

  ACT           New South Wales            Victoria            NT            QLD            Tas            South Australia            Western Australia


Australian Capital Territory

The Health Records (Privacy and Access) Act 1997 (ACT) governs issues to do with personal health information and records in the ACT.

Health records are considered confidential documents and remain the property of ACT Government Health Directorate. Copies of health records are not released to consumers or third parties without a written request and signed authorisation from the consumer. Fees apply to any such request.

Requests to access health records are assessed under the ACT Act. Schedule 1 of the legislation contains a set of ‘privacy principles’ similar to the Commonwealth AAPs, which provide information about collection, use and disclosure of information, as well as rights of access and an ability to correct information. Privacy Principle 5 requires a provider to record keeper to provide information at the request of the person who the records are about:

(i)     the nature of the records or information; and

(ii)     the main purposes for which the records are, or the information is, used; and

(iii)     the steps that the person should take if the person wishes to obtain access to the records or the information.

A record keeper is not required to give a person information if, under a law of the Territory or a law of the Commonwealth, the record keeper is required or authorised to refuse to give that information to the person.

A fee may be charged, with a limit set by the legislation.

The ACT Human Rights Commission administers the legislation, and handles privacy complaints regarding health information and records.

ACT Health also provides useful information about accessing medical records here.

New South Wales

New South Wales

Access to health information

In NSW, the Health Records and Information Privacy Act 2002 (NSW) seeks to ‘promote fair and responsible handling of health information’, which includes (amongst other things) enabling individuals to gain access to such information.

The NSW Information and Privacy Commission oversees the protection of personal and health information.

The NSW IPC advises that people wanting to access their own health information or records, have a right to request such information by contacting the health service provider with whom the information is being held (for example, a GP, specialist or a hospital where the person was/is a patient). It is recommended that requests be put in writing.

Note, exemptions from having to release information apply under the Act when such release:

  • might cause serious harm to life/health;
  • might impact on the privacy of others;
  • relates to legal proceedings;
  • is unlawful; or
  • is a repeat request that has previously been reasonably denied.

A fee may be applicable, but it should not be excessive. Information must be provided within 45 days from the request.

If the health service provider otherwise refuses to release the information a person has six months from becoming aware of the situation to make a complaint or seek a review of the conduct. If it is a private health service or organisation, the NSW IPC directs that complaints should be directed to their office. If it is a public health service, the person must lodge an internal review directly to the relevant Local Health District.

Access to information held by government organisations
Note – There is a separate process to access information held by government organisations. Relevant legislation regarding access from Government organisations includes:

The NSW IPC provides detailed information regarding the GIPA Act, GIPA Regulations, and the GIIC Act here.



Public Sector Health Information

If personal health information about a person is held by a Victorian Government department or public sector organisation (such as a public hospital), then they may seek access to that information by making a Freedom of Information (FOI) request under the Freedom of Information Act 1982 (Vic).

Each Department and public sector organisation has an FOI Officer and you should contact that person for further information about making an FOI request.

Information about freedom of information, how to apply, costs and the Freedom of Information Commissioner, can be found here.

Private Sector Information

Access to health information in Victoria held in the private sector is covered by the Health Records Act 2001 (Vic). From 1 July 2002, Section 25 and Health Privacy Principle 6 of the Health Records Act 2001 gave people a right of access to personal health information held about them by any organisation in the private sector in Victoria.

(In addition, there is the right of access pursuant to the Commonwealth Privacy Act 1988 discussed above).

If the information the person is seeking access to was collected by the organisation after 1 July 2002, then the organisation must give access in one of the following ways:

  • inspecting the information; and/or
  • getting a copy; and/or
  • viewing the information, accompanied by an explanation by a health service provider.

A fee may be charged, but as with other states/territories, it is limited by what is permitted in the legislation.

The Health Complaints Commissioner provides further information for the public that relates to health records and information held by public and private entities. The HCC also provides information for providers of health services, which may be found here.

Northern Territory

Northern Territory

The Information Act (NT) relates to information privacy generally, and there is no distinct health information act (such as those found in the ACT, NSW and Victoria). There is therefore one set of rules for applying to access or amend information held by public sector organisations.

Freedom of information requests can be made to public sector organisations directly to the organisation. Exemptions from releasing information may occur when releasing the information is against the public interest, or the public interest generally, or if in the particular case the public interest considerations against disclosure outweigh the considerations favouring disclosure.

There may be a fee for example, related to copying documents, but the fee should not be excessive. There is an application fee if the information is not just personal information.

Complaints can be made to the Office of the Information Commissioner for the Northern Territory, which is the independent statutory body responsible for overseeing the Information Act (NT).

The NT OIC provides further information on:



Queensland has general privacy laws that protect the privacy of information and provide for when it can be used, disclosed and accessed or amended. People have the right to access and amend information held by public sector agencies in Queensland, unless there is a good reason for it not to be provided.

People have a right to access personal information held by government under the Information Privacy Act 2009.  There is also a right to access personal and non-personal information held by government under the Right to Information Act 2009.

Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld).

A health agency is required to

  • make people aware of what kind of personal information it holds and why (NPP 5);
  • tell people how they can get access to it (NPP 6) (NPP 6 provides that, where a health agency has control of a document containing personal information, it must the give the subject of the information access to the document if they ask); and
  • tell people how they can seek to have personal information amended if they believe it is not accurate.

The Office of the Information Commissioner Qld provides information and guidelines to:

1) community members, which includes:

2) health agencies, which includes:

The Queensland Government also maintains a website called the ‘Right to Information and Information Privacy‘ which comprehensively explains the Queensland system.



Section 7 of the  Right to Information Act 2009 (Tas) (the RTI Act)  gives people a legally enforceable right to be provided with information in the possession of a public authority or a Minister, provided that it is not exempt information. A fee may be charged in some circumstances, but must not be excessive.

The Personal Information and Protection Act 2004 (Tas) is also relevant to access and amendment of personal information (including information that relates to health). Section 3B, provides that if –

(a) a request is made to a personal information custodian for access to information of a medical or psychiatric nature concerning the person making the request; and

(b) it appears to the personal information custodian that the provision to that person of access to the information might be prejudicial to the physical or mental health or wellbeing of that person –

the personal information custodian may direct that access to the information must not be provided to the person who made the request but must instead be provided to a medical practitioner nominated by that person.

Sections 17A-17I provide for the amendment of personal information.

The Tasmanian Ombudsman also oversees the

The Tasmanian Ombudsman is the review authority under the RTI Act and the Personal Information Protection Act 2004 (Tas), and may receive and investigate complaints in relation to those acts.

The ombudsman issues guidelines and a manual providing specific information on decisions and practices related to information release.

South Australia

South Australia

The Freedom of Information Act 1991 (SA) gives people a legal right to:

  • request access to documents held by State Government agencies, Government Ministers, Local Councils or State Universities; (this includes information held by Public hospitals and health units)
  • request the amendment of documents about themselves which are incomplete, incorrect, out-of-date or misleading;
  • seek a review of a decision made by a State Government  agency, Government Minister, Local Council or University.

(NB. Freedom of information does not apply to private businesses, private doctors or health specialists, which are covered by the Commonwealth Privacy Act 1988, and APPs.)

Request are made directly to the agency or body, which then has 30 days to reply.

There are again certain exemptions that are set out in Schedule 1 of the FOI Act, which provide that information does not have do be released if it would (amongst other things) affect public safety or law enforcement; lead to unreasonable disclosure of another person’s affairs; breach parliamentary or legal privilege.

Under freedom of information people may also make an application to have documents concerning their personal affairs amended if they are incomplete, incorrect, misleading or out-of-date.

Applications for internal review of decisions can be made to any government agency from which information is requested; or external review to the South Australian Ombudsman.

Western Australia

Western Australia

The Freedom of Information Act 1992 (WA) provides for access to, and correction of, documents held by State and local government agencies.

People may apply directly to such agencies for information, in writing usually to a designated FOI officer. A fee will apply.

People can also apply to correct that information if it is incorrect, inaccurate, out of date, or misleading.

The Western Australian FOI Act is overseen by the Office of the Information Commissioner (WA), whose main function of the Commissioner is to deal with complaints about decisions made by agencies in respect of access applications and requests to amend personal information.

More information about the FOI process in Western Australia can be found here.

Find out more


  1. Note the information must have been acquired after 21 December 2001 or if acquired before that date, been used or disclosed by the health service since 21 December 2001.
  2. Breen v Williams [1996] HCA 57; (1996) 186 CLR 71.
  3. For example, see the Commonwealth Aged Care Act 1997 , subsection 86‑2(1) and sections 86‑5, 86‑6 and 86‑7; Australian Institute of Health Act 1987, subsections 29(1) and (3); Gene Technology Act 2000, subsections 187(1) and (2); Health Insurance Act 1973, subsections 130(1), (4) and (9); National Health Act 1953 subsections 135A(1), (4) and (9); Private Health Insurance Act 2007, sections 323‑1 and 323‑40.