You have a legal and ethical duty to keep all information relating to patients secure, and not to disclose any information to third parties without a patient's consent.

The only exceptions are when you're required to disclose information by law or under your ethical or contractual obligations. If you decide to disclose information without consent, you should be prepared to justify your decision.

Confidentiality is also vital for patients to trust with patients their doctors. If you fail to maintain confidentiality, a patient might be reluctant to reveal the private or sensitive information you need in order to treat them appropriately.

General principles

Confidentiality is a patient's right and must be respected by the entire healthcare team.

You must get the patient's express consent before disclosing confidential information about them or which might identify them, to third parties, unless the law allows or requires otherwise. The patient can give consent orally or in writing.

To give consent, the patient needs to understand:

who the information will be disclosed to
precisely what information will be disclosed
why the information is to be disclosed
the significant foreseeable consequences.

When a patient gives consent, you must only disclose information the patient has agreed you may disclose, and only to the third party that requested it. No other use can be made of the information without seeking further consent from the patient.

Competent patients can give consent. This includes children under 16 who are competent to make decisions - ie, they are Gillick competent - or children over 12 in Scotland.

Defining competence

To show competence, generally the patient must:

have a general understanding of what decision they need to make and why they need to make it
have a general understanding of the likely consequences of making or not making the decision
be able to understand, retain, use and weigh up the information relevant to this decision
communicate their decision - whether by talking, using sign language or any other means.

The Mental Capacity Act Code of Practice states that every patient must be assumed to have capacity unless it is established that they lack it. Similarly, the law in Scotland presumes that those over the age of 16 are capable of making their own decisions.

Patients who lack capacity (such as those with a severe mental health condition, or young children) require special consideration. Any decisions to disclose information should be taken in the patient's best interests. Consider what action will be likely to benefit the patient, as well as what you know about the patient's views, values and wishes.

The views of relatives, carers and close friends should be taken into account as well, and you should also consult anyone able to make relevant healthcare decisions about the patient.

Disclosing information

Healthcare professionals responsible for patient information must make sure it is effectively protected from improper disclosure, intentional or unintentional, at all times - even after a patient has died.

Patient information should not be disclosed to third parties without consent except in certain circumstances. You may be called on to justify a decision to disclose information without consent.

Before disclosing information you will need to consider your legal duty, GMC and/or other relevant ethical guidance, and the Department of Health's Confidentiality: NHS Code of Practice in England. For expert advice, members can speak to one of our medico-legal advisers.

Where disclosure (with or without consent) is appropriate, only the minimum relevant information should be disclosed. Disclosure should be made promptly.

Disclosing confidential information without consent or ethical or lawful justification carries the risk of legal action by the patient and/or investigation by the relevant regulatory body, healthcare provider or the Information Commissioner.

What is confidential information?

All information about a patient is confidential. This includes any information that could identify an individual - for example:

medical records
current illness or condition and its ongoing treatment
personal details - name, address, age, marital status, sexuality, race, etc
record of appointments
audio or audio/visual recordings
the fact that a person is or was your patient.

The legal and ethical basis of confidentiality

The duty of patient confidentiality is enforced through four principal mechanisms:

common law
statute
contract of employment
regulatory bodies.

Common law

Patients alleging breach of confidentiality may seek redress from a court in a civil action. However, it is rare for this to be the sole cause of action in a civil court case.

Statute law

Data protection law sets out the rights and responsibilities of data subjects and data users. It regulates the processing of information about individuals, including the obtaining, use or disclosure of information. It covers both paper and computer records.

A breach of data protection law can result in civil or criminal proceedings, and the Information Commissioner may also impose a significant fine.

Rights

Data subjects (individuals who are the subject of personal data) are entitled to:

be told that data is held about them
the purposes for which their data will be processed
have access to the data
have the data corrected when inaccurate.

Although in most cases patients have the right to access information held about them, there may be rare occasions when you believe giving a patient access to the information you hold about them may cause serious harm to their physical or mental health or condition, or that of someone else.

This may justify refusing disclosure, but you should talk to the healthcare professional most directly involved in the patient's care before doing so. MDU members can come to us for guidance as well.

Confidential patient information that includes data about identifiable third parties (other than third parties who are themselves health professionals who have contributed to the record) should not be disclosed without the consent of the third party. Again, the MDU can advise you on any decision to disclose or not.

Responsibilities

The UK GDPR's data protection principles state that, among other things, personal data must be:

a) processed lawfully, fairly and in a transparent matter in relation to individuals

b) collected and used for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

c) adequate, relevant and limited to what is necessary for the reasons it's being processed

d) accurate and, where necessary, kept up to date

e) kept in a form that allows data subjects to be identified for no longer than is necessary for why it's being processed

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Other statutes

Other statutes that affect confidentiality can include:

notifiable diseases
human fertility
genito-urinary infections
public security issues
road traffic collisions
cancer registries
termination of pregnancy
computer misuse
human tissue
tax.

Contract of employment

Confidentiality of patient information is a requirement of employment under NHS and many independent sector contracts.

In the NHS, misuse of patient information is treated as a serious disciplinary matter. Under the terms of their contract with their primary care body, GPs are required to designate a person to be responsible for practices and procedures relating to the confidentiality of patient information and to comply with all the relevant guidance issued by their health body or the secretary of the state.

Arrangements for keeping patient information confidential may be scrutinised and monitored - for example, during a trust inquiry, an external review of clinical performance, under GMC performance review procedures, or by the Care Quality Commission (CQC) in England.

Registration bodies

Professional registration bodies can investigate alleged breaches of confidentiality and impose sanctions where required, which may include being erased from the register.

If you're in any doubt about when patient information can be disclosed, please call our 24-hour helpline for expert advice.

Confidentiality checklist

Fully acquaint yourself and your colleagues with up-to-date legal requirements and GMC and NHS guidance on confidentiality.
Nominate a person to be responsible for practices and procedures for handling confidential data.
Train all staff to keep information confidential and reinforce the message regularly. Write a confidentiality clause into contracts of employment.
Keep discussion about patients' clinical management private and out of earshot of the public.
Ensure patients can't read another patient's details on computer screens.
Check the identity of telephone callers asking for information about a patient - if necessary, by calling them back via directory enquiries.
Take professional advice before connecting your computer to a network and keep a record of the advice.
Ensure all types of digital communication are secure before sending information.
Consider using anonymised patient data when it might satisfy a request for information.

An introduction to confidentiality

Related articles

Membership in your pocket