Medico-legal helpline

0800 716 646

Introduction

Confidentiality

Confidentiality is an essential part of the bond of trust that exists between doctor and patient. Failure to maintain confidentiality may mean a patient is reluctant to reveal private or sensitive information that you may need to know in order to treat them appropriately.

You have a legal and ethical duty to keep all information relating to patients securely and not to disclose any information to third parties without a patient's consent. The only exceptions are when you are required to disclose information by law or under your ethical or contractual obligations. If you decide to disclose information without consent, you should be prepared to justify your decision.

General principles

Confidentiality is a patient's right and must be respected by the entire healthcare team.

You must get the patient's express consent before disclosing confidential information about them, or which might identify them, to third parties, unless the law allows or requires otherwise. The patient can give consent orally or in writing.

To give consent, the patient needs to understand:

  • who the information will be disclosed to
  • precisely what information will be disclosed
  • why the information is to be disclosed
  • the significant foreseeable consequences.

When a patient gives consent, you must only disclose information the patient has agreed you may disclose, and only to the third party that requested it. No other use can be made of the information without seeking further consent from the patient.

Competent patients can give consent. This includes children under 16 who are competent to make decisions (Gillick competent).

Defining competence

To show competence, generally the patient must:

  • have a general understanding of what decision they need to make and why they need to make it
  • have a general understanding of the likely consequences of making or not making the decision
  • be able to understand, retain, use and weigh up the information relevant to this decision
  • communicate their decision – whether by talking, using sign language or any other means.

Every patient must be assumed to have capacity unless it is established that he or she lacks it.

Patients who lack capacity (eg some patients with a mental disorder or young children) require special consideration. Any decisions to disclose information should be taken in the patient's best interests. You ought to consider what action will be likely to benefit the patient, as well as what you know about the patient's views, values and wishes. The views of relatives, carers and close friends should be taken into account. You should also consult anyone able to make relevant healthcare decisions about the patient.

Disclosing information

Healthcare professionals who are responsible for patient information must make sure it is effectively protected from improper disclosure, intentional or unintentional, at all times – even after a patient has died.

Patient information should not be disclosed to third parties without consent except in certain circumstances (see MDU Medico-legal Guide: Confidentiality 3.3). You may be called on to justify a decision to disclose information without consent.

Before disclosing information you will need to consider your legal duty, GMC and/or other relevant ethical guidance and the Department of Health's Confidentiality: NHS Code of Practice. For expert advice, please speak to an MDU medico-legal adviser.

Where disclosure (with or without consent) is appropriate, only the minimum relevant information should be disclosed. Disclosure should be made promptly.

Disclosure of confidential information without consent or ethical or lawful justification carries the risk of legal action by the patient and/or investigation by the relevant regulatory body, healthcare trust or the Information Commissioner.

What is confidential information?

All information about a patient is confidential. This includes any information that could identify an individual, for example:

  • medical records
  • current illness or condition and its ongoing treatment
  • personal details – name, address, age, marital status, sexuality, race, etc
  • record of appointments
  • audio or audio/visual recordings
  • the fact that a person is or was your patient.

The legal and ethical basis of confidentiality

The duty of patient confidentiality is enforced through four principal mechanisms:

  • common law
  • statute
  • contract of employment
  • regulatory bodies.

Common law

Patients alleging breach of confidentiality may seek redress from a court in a civil action. However, it is rare for this to be the sole cause of action in a civil court case.

Statute law

The main statute governing patient confidentiality is the Data Protection Act 1998 (DPA). The DPA sets out the rights and responsibilities of data subjects and data users. It regulates the processing of information about individuals, including the obtaining, use or disclosure of information. It covers both paper and computer records. A breach of the DPA can result in civil or criminal proceedings. The Information Commissioner may also impose a Monetary Penalty Notice of up to £500,000 for reckless flouting of the data protection laws.

Rights

Data subjects (individuals who are the subject of personal data) are entitled to:

  • be told that data is held about them and the purposes for which their data will be processed
  • have access to the data
  • have the data corrected when inaccurate.

Although in most cases patients have the right to access information held about them, there may be rare occasions when you believe that giving a patient access to the information you hold about him or her may cause serious harm to the physical or mental health or condition of the individual or another person.

This may justify refusing disclosure, but you should talk to the healthcare professional most directly involved in the patient's care and seek advice from the MDU before doing so.

Confidential patient information which includes data about identifiable third parties (other than third parties who are themselves health professionals who have contributed to the record) should not be disclosed without the consent of the third party. Again, the MDU can advise you on any decision to disclose or not.

Responsibilities

The data protection principles require that personal data shall:

  • be obtained and processed fairly and lawfully
  • be held only for specific purposes
  • not be used or disclosed in any other way or for any other purpose
  • be adequate, relevant and not excessive in relation to the purpose for which it is held
  • be accurate and kept up to date
  • not be kept for longer than is necessary
  • be processed according to the rights of data subjects
  • be held secure.

The guidance document Use and Disclosure of Health Data, published by the Information Commissioner, is a useful source of further information.

Other statutes

Other statutes which affect confidentiality are listed on our website and cover a range of areas including:

  • notifiable diseases (see also Medico-legal Guide 3.7)
  • human fertility
  • genito-urinary infections
  • public security issues
  • road traffic collisions
  • cancer registries
  • termination of pregnancy
  • computer misuse
  • human tissue
  • tax.

Contract of employment

Confidentiality of patient information is a requirement of employment under NHS and many independent sector contracts.

In the NHS, misuse of patient information is treated as a serious disciplinary matter. GPs are required under the terms of their contract with their primary care body to designate a person to be responsible for practices and procedures relating to the confidentiality of patient information and to comply with all the relevant guidance issued by their health body or the Secretary of State.

Arrangements for keeping patient information confidential may be scrutinised and monitored – for example, during a trust inquiry, an external review of clinical performance, under GMC performance review procedures, or by the Care Quality Commission.

Registration bodies

Professional registration bodies may investigate alleged breaches of confidentiality and, where required, impose sanctions, which may include erasure from the register.

If you are in any doubt about the circumstances in which patient information may be disclosed, please call the MDU's 24-hour helpline for expert advice.

Confidentiality checklist

  1. Fully acquaint yourself and your colleagues with up-to-date legal requirements and GMC and NHS guidance on confidentiality.
  2. Nominate a person to be responsible for practices and procedures for handling confidential data.
  3. Train all staff to keep information confidential and reinforce the message regularly. Write a confidentiality clause into contracts of employment.
  4. Keep discussion about clinical management of patients private and out of earshot of the public.
  5. Ensure patients cannot read another patient's details on computer screens.
  6. Check the identity of telephone callers asking for information about a patient, if necessary by calling them back via directory enquiries.
  7. Take professional advice before connecting your computer to a network and keep a record of the advice.
  8. Ensure electronic means of communication such as fax and email are secure before sending information.
  9. Consider use of anonymised patient data when this might satisfy a request for information.

Questions and answers

I gave a patient a statement of fitness to work confirming he would be unable to work for four weeks because of backache. Today, his human resources director rang and asked me to confirm that the patient would be unfit to work for 14 weeks. He faxed me a copy of the statement I had provided to the patient and it's clear that someone has added a one in front of the four. What information can I provide?

It is not a breach of confidentiality to tell a person who has been properly given a document by a patient that it is a document you signed. In this case, you can confirm that you did not sign the certificate as faxed through to you. The principle is that you should supply only the minimum information to answer the questions. You may also wish to contact your patient to discuss the matter with him.

A newborn baby was found abandoned outside our local church. A social worker has asked me for contact details of any pregnant patients with expected delivery dates of around this time. I suspect I know the mother concerned. Should I pass on this information?

Your duty of confidentiality prevents you from releasing a blanket list of the names of all your pregnant patients. Even the fact that these are your patients is confidential. You may think you know the mother, and it may be appropriate to arrange to see her and to offer counselling and treatment.

To justify breaching the presumed mother's confidentiality, you would have to argue that failing to do so would put her or someone else at risk of serious harm or death.

A hospital porter slipped on a wet floor and was treated for a fracture in the hospital's A&E department where I work. He is now pursuing a claim against the hospital (his employer) alleging that the floor cleaner was negligent by failing to put up a sign warning of the wet floor. The hospital management have asked for his records to deal with the claim. The patient has not given his consent to the release of the records. Should I, as the A&E consultant, agree to release them?

Had this patient been treated in another hospital's A&E department, his consent would have been needed for the disclosure of his records from that hospital to his employer and the same principle applies in your hospital. Hospital managers have a right to look at documents in the custody of their hospital only for the ordinary administration of healthcare and this includes records of a patient who is pursuing a claim against the hospital alleging that the treatment provided by a member of their healthcare team was negligent. But your hospital's managers cannot use their power to ask for his records just because he was treated in your hospital's A&E department. You need to seek the patient's consent to disclosure in the same way that you would if the request came from any other employer.

This guidance was correct at publication on . It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Comments

  • MDU staff
  • 17 August 2017 2:14PM

Dear Dr Beugelaar, Thanks for posting your query. If you would like to discuss with an adviser, please do call the advisory line on 0800 716 646. If you would prefer to receive an email response, please forward your query to advisory@themdu.com and one of our team will be in touch shortly.

  • DR Beugelaar
  • 16 August 2017 4:07PM

Hello, I am no longer a licensed medical doctor and plan to practise complementary medicine (talking therapies including NLP and Hypnotherapy). I am however still on the GMC register. Can you provide any advice or reading material regarding what I can and cannot advertise as being able to treat/help and the terminology I may use now that I am no longer licensed? I will have insurance with a complementary medicine provider. Many thanks

  • MDU staff
  • 16 May 2017 11:12AM

Dear Dr Huda, Thanks for posting your query. If you would like to discuss with an adviser, please do call the advisory line on 0800 716 646. If you would prefer to receive an email response, please let us know and one of our team will be in touch shortly.

  • DR Huda
  • 15 May 2017 8:49PM

My question is about patients with conditions like diabetic ketoacidosis or chest infection who could fulfil the criteria of the 4 questions for assessing capacity. If these patients decide to leave the accident and emergency department, should we consider that they have the capacity and can make their own decision?
