Accessing health information of deceased persons
Not all Australian jurisdictions expressly recognise the right of access to health information after death. We snapshot how the NSW, ACT and Victorian jurisdictions handle access to the health information of the deceased.
Maddocks regularly advises governments, health service providers, and others who hold health information about their privacy obligations, including rights of access to health information. Did you know these obligations vary according to which Australian jurisdiction you are in? Interestingly, not all jurisdictions expressly recognise the right of access to health information continues after death. Here is a quick snapshot of the Commonwealth, NSW, Victorian and ACT jurisdictions and how they handle access to health information.
The Privacy Act 1988 (Cth) (Cth Privacy Act) regulates the right of access to health information, specifically Australian Privacy Principle (APP) 12. APP sets out how an organisation should respond to an access request and when access may be refused.
Neither the Cth Privacy Act nor APP 12 expressly refers to deceased persons. The Cth Privacy Act does, however, define ‘individual’ to mean a ‘natural person’. This is often taken as reference to a ‘living person’. The Office of the Australian Information Commissioner has issued guidance about deceased persons, confirming information about deceased persons is not considered to be ‘personal information’.
That said, the guidance also notes information about a deceased person may include information about a living individual and can be ‘personal information’ for the purposes of the Cth Privacy Act. The example given is where a deceased person had an inheritable medical condition, which could indicate the deceased person’s descendants have an increased risk of that condition. Therefore, privacy interests of family members are recommended to be considered when handling information about deceased persons.
The only situation where the Cth Privacy Act contemplates deceased persons is when dealing with personal information in emergencies and disasters (see Part VIA). In this limited context, an individual is taken to also include a reference to an individual ‘who is not living’.
The Health Records and Information Privacy Act 2002 (NSW) (NSW Health Privacy Act) also regulates the right of access to health information. Under this Act, ‘personal information’ is defined to exclude ‘information about an individual who has been dead for more than 30 years. Conversely, it follows that the information of deceased persons can be covered by this Act, provided they have been dead for 30 years or less.
However, it appears the right of access to health information can only be exercised by ‘living persons’, not extending to a deceased person or their authorised representatives. This was discussed in the NSW Civil and Administrative Tribunal case of DSC v United Protestant Association  NSWCATAD 315. Whilst not formally deciding on the matter, the Tribunal’s reasoning suggests the access provisions do not apply to health information of a deceased person.
That said, health service providers commonly receive requests for access to the health information of a deceased person. Where the right of access may not apply regarding the deceased person’s health information, disclosure under Health Privacy Principle (HPP) 11 maybe contemplated. For example, disclosure may be made to an immediate family member on compassionate grounds. This disclosure is discretionary and must be limited to the extent necessary for those compassionate reasons. Similarly, disclosure could be made where the information is genetic information and disclosure is to a genetic relative of the person and is believed on reasonable grounds to be necessary to lessen or prevent a serious threat to the life, health or safety of that relative, providing disclosure is in accordance with any guidelines issued by the NSW Privacy Commissioner.
In Victoria, the privacy laws are enshrined in the Privacy and Data Protection Act 2014 (Vic) (Vic Privacy Act) and the Health Records Act 2001 (Vic) (Vic Health Privacy Act). The Vic Privacy Act regulates the handling of personal information, and the Vic Health Privacy Act specifically regulates the handling of health information.
While the Vic Privacy Act does not expressly deal with deceased persons, the Vic Health Privacy Act includes the following:
(1) This Act applies in relation to a deceased individual who has been dead for 30 years or less, so far as it is reasonably capable of doing so, in the same way as it applies in relation to an individual who is not deceased.
(2) Subject to subsection (3), if an individual has died, a right or power conferred on individuals by a provision of this Act is exercisable in relation to the deceased individual, so far as the circumstances reasonably permit, by a legal representative of the deceased individual.
(3) A purported consent by a legal representative of a deceased individual is void if, when giving it, the legal representative knows or believes that the consent does not accord with the wishes expressed, and not changed or withdrawn, by the individual in his or her lifetime.
Like the NSW Privacy Act, the Vic Health Privacy Act applies to deceased individuals who have been dead for 30 years or less. However, the Vic Health Privacy Act goes on to expressly acknowledge that, if an individual has died, their rights may be exercised by another – namely, a ‘legal representative of the deceased individual’.
This means a deceased individual’s legal representative may request access to their health information, provided it is not inconsistent with the wishes expressed by the individual during their lifetime.
In the ACT, the Office of the Australian Information Commissioner is responsible for administrating the Cth Privacy Act on behalf of the ACT Government. Like the Cth Privacy Act, the Information Privacy Act 2014 (ACT Privacy Act) is silent regarding deceased persons, but the guidance issued by the Commissioner regarding the information of deceased persons is likely to apply to the ACT Privacy Act.
However, health information in the ACT is governed by the Health Records (Privacy and Access) Act 1997 (ACT) (ACT Health Records Act). Similarly to the Vic Health Privacy Act, the ACT Health Records Act expressly deals with deceased persons, as follows:
(1) The privacy principles apply in relation to a deceased consumer, so far as they are reasonably capable of doing so, in the same way as they apply in relation to a consumer who is not deceased.
(2) Subject to subsection (3), where a consumer has died, a right or power conferred on consumers by a provision of this Act is exercisable in relation to the deceased consumer, so far as the circumstances reasonably permit, by a legal representative of the deceased consumer.
(3) A purported consent by a legal representative of a deceased consumer is void if, when giving it, the legal representative knows or believes it to be at variance with the wishes expressed, and not changed or withdrawn, by the consumer in his or her lifetime.
Consequently, the ACT’s position on health information is the same as the Victorian position, where a deceased’s legal representative may request access to their health information, provided this is not inconsistent with their wishes, although this is not subject to the 30 year time limit which applies in Victoria.
For more information on your privacy obligations please contact our Privacy team.
See s 6(1) of the Cth Privacy Act.
 See at https://www.oaic.gov.au/privacy/guidance-and-advice/what-is-personal-information.
 See at https://www.oaic.gov.au/privac....
 See s 5(1) of the NSW Health Privacy Act.
 For a discussion of this case, refer to an Article by Aaron Kloczko and Katherine McNaughton of Maddocks at https://www.maddocks.com.au/insights/hripa-and-deceased-persons-dsc-v-united-protestant-association.
 See NSW Health Privacy Act at s 4.
 See NSW Health Privacy Act at HPP 11(g)
 See NSW Health Privacy Act at s 6(d).
 See NSW Health Privacy Act at HPP 11(c1) and the NSW Genetic Health Guidelines: use and disclosure of genetic information to a patient’s genetic relatives: Guidelines for organisations in NSW October 2014 published at https://www.ipc.nsw.gov.au/nsw....
 This is defined to exclude information of a kind to which the Vic Health Privacy Act applies – see s 3 definition of ‘personal information’.
 See Part 5 of the Vic Health Privacy Act. Note s
New point of law: What can be considered as a protected document?
A look at Environment Protection Authority v Sydney Water Corporation  NSWLEC 119.
Society of University Lawyers Conference 2023
Maddocks is a proud platinum sponsor of the Society of University Lawyers Conference 2023.
Implementation of Universities Accord Interim Recommendations passed
On 19 October 2023 the Senate passed a slightly amended version of the Higher Education Support Amendment
Preparing for mandatory data breach notification under NSW privacy laws: Five key actions
By Ooma Khurana & Radhika Bhatia
This is the second instalment in our For Your Information campaign