Confidentiality is an essential part of the bond of trust that exists between doctor and patient. Failure to maintain confidentiality may mean a patient is reluctant to reveal private or sensitive information that you may need to know in order to treat them appropriately.
You have a legal and ethical duty to keep all information relating to patients securely and not to disclose any information to third parties without a patient's consent. The only exceptions are when you are required to disclose information by law or under your ethical or contractual obligations. If you decide to disclose information without consent, you should be prepared to justify your decision.
Confidentiality is a patient's right and must be respected by the entire healthcare team.
You must get the patient's express consent before disclosing confidential information about them, or which might identify them, to third parties, unless the law allows or requires otherwise. The patient can give consent orally or in writing.
To give consent, the patient needs to understand:
- who the information will be disclosed to
- precisely what information will be disclosed
- why the information is to be disclosed
- the significant foreseeable consequences.
When a patient gives consent, you must only disclose information the patient has agreed you may disclose, and only to the third party that requested it. No other use can be made of the information without seeking further consent from the patient.
Competent patients can give consent. This includes children under 16 who are competent to make decisions – ie, they are Gillick competent).
To show competence, generally the patient must:
- have a general understanding of what decision they need to make and why they need to make it
- have a general understanding of the likely consequences of making or not making the decision
- be able to understand, retain, use and weigh up the information relevant to this decision
- communicate their decision – whether by talking, using sign language or any other means.
Every patient must be assumed to have capacity unless it is established that they lack it.
Patients who lack capacity (eg some patients with a mental disorder or young children) require special consideration. Any decisions to disclose information should be taken in the patient's best interests. You ought to consider what action will be likely to benefit the patient, as well as what you know about the patient's views, values and wishes. The views of relatives, carers and close friends should be taken into account. You should also consult anyone able to make relevant healthcare decisions about the patient.
Healthcare professionals who are responsible for patient information must make sure it is effectively protected from improper disclosure, intentional or unintentional, at all times – even after a patient has died.
Patient information should not be disclosed to third parties without consent except in certain circumstances. You may be called on to justify a decision to disclose information without consent.
Before disclosing information you will need to consider your legal duty, GMC and/or other relevant ethical guidance and the Department of Health's Confidentiality: NHS Code of Practice. For expert advice, please speak to an MDU medico-legal adviser.
Where disclosure (with or without consent) is appropriate, only the minimum relevant information should be disclosed. Disclosure should be made promptly.
Disclosure of confidential information without consent or ethical or lawful justification carries the risk of legal action by the patient and/or investigation by the relevant regulatory body, healthcare trust or the Information Commissioner.
What is confidential information?
All information about a patient is confidential. This includes any information that could identify an individual, for example:
- medical records
- current illness or condition and its ongoing treatment
- personal details – name, address, age, marital status, sexuality, race, etc
- record of appointments
- audio or audio/visual recordings
- the fact that a person is or was your patient.
The legal and ethical basis of confidentiality
The duty of patient confidentiality is enforced through four principal mechanisms:
- common law
- contract of employment
- regulatory bodies.
Patients alleging breach of confidentiality may seek redress from a court in a civil action. However, it is rare for this to be the sole cause of action in a civil court case.
Data protection law sets out the rights and responsibilities of data subjects and data users. It regulates the processing of information about individuals, including the obtaining, use or disclosure of information. It covers both paper and computer records. A breach of data protection law can result in civil or criminal proceedings. The Information Commissioner may also impose a significant fine.
Data subjects (individuals who are the subject of personal data) are entitled to:
- be told that data is held about them and the purposes for which their data will be processed
- have access to the data
- have the data corrected when inaccurate.
Although in most cases patients have the right to access information held about them, there may be rare occasions when you believe that giving a patient access to the information you hold about him or her may cause serious harm to the physical or mental health or condition of the individual or another person.
This may justify refusing disclosure, but you should talk to the healthcare professional most directly involved in the patient's care and seek advice from the MDU before doing so.
Confidential patient information which includes data about identifiable third parties (other than third parties who are themselves health professionals who have contributed to the record) should not be disclosed without the consent of the third party. Again, the MDU can advise you on any decision to disclose or not.
Data protection principles require that personal data shall be:
a) 'processed lawfully, fairly and in a transparent matter in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementing the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals, and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.'
Other statutes which affect confidentiality can include:
- notifiable diseases
- human fertility
- genito-urinary infections
- public security issues
- road traffic collisions
- cancer registries
- termination of pregnancy
- computer misuse
- human tissue
Contract of employment
Confidentiality of patient information is a requirement of employment under NHS and many independent sector contracts.
In the NHS, misuse of patient information is treated as a serious disciplinary matter. GPs are required under the terms of their contract with their primary care body to designate a person to be responsible for practices and procedures relating to the confidentiality of patient information and to comply with all the relevant guidance issued by their health body or the secretary of the state.
Arrangements for keeping patient information confidential may be scrutinised and monitored – for example, during a trust inquiry, an external review of clinical performance, under GMC performance review procedures, or by the Care Quality Commission.
Professional registration bodies may investigate alleged breaches of confidentiality and, where required, impose sanctions, which may include erasure from the register.
If you are in any doubt about the circumstances in which patient information may be disclosed, please call the MDU's 24-hour helpline for expert advice.
- Fully acquaint yourself and your colleagues with up-to-date legal requirements and GMC and NHS guidance on confidentiality.
- Nominate a person to be responsible for practices and procedures for handling confidential data.
- Train all staff to keep information confidential and reinforce the message regularly. Write a confidentiality clause into contracts of employment.
- Keep discussion about clinical management of patients private and out of earshot of the public.
- Ensure patients cannot read another patient's details on computer screens.
- Check the identity of telephone callers asking for information about a patient, if necessary by calling them back via directory enquiries.
- Take professional advice before connecting your computer to a network and keep a record of the advice.
- Ensure electronic means of communication such as fax and email are secure before sending information.
- Consider use of anonymised patient data when this might satisfy a request for information.
This guidance was correct at publication 21/05/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.