An introduction to confidentiality


Confidentiality is central to the trust between healthcare professionals and patients; without it, patients may be reluctant to divulge personal information, and this could impact their care and treatment. Healthcare professionals and others working in a healthcare setting, such as reception and other administrative staff, have access to sensitive personal information about patients and have a legal, ethical and often a contractual duty to keep this information confidential. It is, therefore, important that those working in a healthcare setting understand the general principles of confidentiality and their professional, ethical, and contractual obligations.

What is confidentiality?

Confidentiality in healthcare is the protection of a patient's personal information, including their health, family, lifestyle, and care needs. This is to protect the patient's privacy during their care and even after death. Confidentiality is an important legal and ethical duty but - given the nature of safeguarding and the responsibilities of healthcare professionals - it is not absolute. 

"All staff have a legal duty of confidence to keep person-identifiable or confidential information private and not to divulge information accidentally." - NHS

"Patients have the right to expect that their personal information will be held in confidence by their doctors." - GMC

 

The primary piece of legislation that governs the handling and processing of patient information is the Data Protection Act 1998. This legislation and the General Data Protection Regulations (GDPR) that accompany it are lengthy and complex, and there are other aspects of law that touch on confidentiality which vary across the UK jurisdictions. As well as a general duty of confidentiality, some independent healthcare workers such as doctors and dentists - both working in a private capacity and in General Practice - may have additional responsibilities, including as a data controller. However, in many healthcare settings, those responsibilities rest with an employer.

This article provides an overview of the basic principles of confidentiality and provides links to additional supporting information.

Advice on a specific situation can be sought by contacting our advisory team on our dedicated advice line.


 

Key principles

The starting point with all adult patients is the presumption that the patient has the capacity to make decisions about their care and treatment. A patient’s capacity is assessed on their ability to understand, retain and weigh up the information relevant to a specific decision at a particular point in time; the patient must also be able to communicate their decision.

A duty of confidentiality relates to all information held about patients and includes:

  • Medical records
  • Personal details: name, address, age, marital status, sexuality, race
  • Record of appointments
  • Audio/visual recordings
  • The fact that the patient is your patient

 

Healthcare professionals and those working in a healthcare setting must take care to avoid unintentional disclosure of confidential patient information, for example, by ensuring that any consultations with patients cannot be overheard. Other potential areas and sources of breach of confidentiality include:

  • Waiting areas
  • Use of social networking sites
  • Telephone
  • Texts
  • Computer
  • Emails
  • Audio/visual recordings

The Information Commissioner can impose a Civil Monetary Penalty for contravention of the DPA in a deliberate or reckless way, or of a kind likely to cause substantial distress or damage to an individual. A breach of confidentiality may also lead to a patient or their representative making a complaint to the General Medical Council (GMC) or Nursing and Midwifery Council (NMC). A breach of confidentiality can also result in disciplinary action by an employer.

More information about the GDPR and the DPA can be found here.

Disclosure of information

Appropriate information sharing is an essential part of the provision of safe and effective patient care. There are also important uses of patient information for purposes other than direct care, for example, service planning and audit. Other uses are not directly related to the provision of healthcare but serve wider public interests, such as disclosures for the protection of the wider public. In addition, patients have a right of access to their medical records and other information held about them and may choose to share this information with third parties, such as solicitors, insurance companies, or employers.

Therefore, it is important to understand when information can be disclosed and when it should remain confidential.

Disclosure request under the Data Protection Act 1998 (DPA)

Patients have a right to request access to their records and any other information held about them - such as appointment details and complaint records - under the Data Protection Act (DPA). The patient may also consent to such a disclosure to a third party, such as a solicitor, who acts as the patient’s agent under the DPA. In these circumstances, disclosure in accordance with the DPA should normally take place. When disclosing information to a third party, the third party should provide evidence that the patient has consented to the disclosure. However, if it is considered that the patient may not appreciate the nature and extent of the disclosure, it is important to confirm their agreement before proceeding.

Before a patient’s medical records are disclosed, they must be checked for third-party information (excluding healthcare professionals) and for information that, if disclosed, could cause serious harm to the physical or mental health of the patient or any other person; such information should be redacted.


Disclosure with consent

Before disclosing any information about a patient to a third party, a patient must consent to the disclosure. Consent may be implied or express; for example, most patients understand that information about their health needs to be shared within the healthcare team providing direct care, so implied consent is often adequate in this circumstance.

However, only information necessary for the provision of care should be shared, and the patient should be informed of the need to share the information and their right to withhold it if they wish. If a patient refuses to allow the sharing of information, then the implications of this on the patient and their care should be explained, and a compromise reached, if possible.

Implied consent is acceptable for clinical audit purposes within the healthcare team as long as patients have been made aware of the possibility by notices within the waiting room, for example, and have not objected to having their information used in this way. If the patient does object, their objection should be respected, and their data should not be used for audit purposes.
 
Express consent is required if patient-identifiable data is to be disclosed for any purpose, except if the disclosure is required by law, necessary in the public interest, or in the best interests of the patient - and can be justified despite their lack of consent.

For consent to disclosure to be valid, the patient must be competent to give consent and must be provided with full information about the extent of the disclosure. Adult patients are assumed to be competent unless there is a specific reason to doubt this.

When giving consent to disclosure of information, the patient must be made aware of what data will be disclosed, to whom, and for what purpose.

Disclosure without consent

Confidentiality is an important ethical and legal duty - but it is not absolute, and it is possible to disclose information without consent in the following situations:

Disclosure required by law

In some circumstances, a healthcare professional will be required to disclose information to comply with a legal requirement. An example is the requirement to notify certain communicable diseases. In such cases, information can be provided – even if the patient has not provided consent. The patient should be informed of the disclosure and reason for it.

A judge or presiding officer of a court may also order disclosure of patient information without consent, and in most cases this should be complied with. However, objections can be raised if attempts are made to compel disclosure of what appear to be irrelevant matters, such as matters relating to relatives or partners of the patient who are not party to the proceedings.

Personal information about a patient must not be disclosed to a solicitor, police officer or officer of a court without the patient’s express consent, unless it is required by law or there is a court order.

 

Disclosures in the public interest

Sometimes a situation arises where disclosure is necessary in the public interest and the benefits of disclosure outweigh the risks of not disclosing. In this situation, it may be justifiable to disclose information without the patient’s consent, or even when the patient has withheld consent.

Such circumstances usually arise where there is a risk of death or serious harm to the patient or others. If possible, attempts should still be made to obtain the patient’s consent and/or inform them of the disclosure before it is made. Examples include situations in which disclosure of information may help in the prevention, detection or prosecution of a serious crime. Serious crimes are usually considered to be crimes against the person, such as violent assault, murder and abuse. The minimum amount of information needed to serve the purpose should be disclosed, and it is advisable to document carefully the reasons for the disclosure and whether consent was sought and obtained.

Disclosure to benefit a patient lacking capacity

Adult patients are assumed to have capacity unless they have an impairment that means they are unable to make or communicate a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision.

If a patient lacks capacity, a healthcare professional may act in their best interests when deciding whether to disclose the information. The views of anyone the patient has asked to be consulted, or who has legal authority to make a decision on their behalf, or has been appointed to represent them must also be considered.

The requirements of capacity assessments differ from country to country, so be sure to familiarise yourself with the guidance in your area.

If it is believed that a patient is a victim of neglect or abuse and they lack capacity to consent to disclosure, there is a legal requirement to disclose information promptly to an appropriate person or authority.

More information on adult safeguarding can be found here: Adult safeguarding and confidentiality – disclosing information to the Office of the Public Guardian (medicalprotection.org)



Disclosure after death

A duty of confidentiality continues after death. In some situations, such as a complaint arising after a patient’s death, relevant information may be discussed with the family. If it is reasonably believed or known that the patient wished that specific information should remain confidential after their death then this request should usually be respected.

Under the Access to Health Records Act 1990 and the Access to Health Records (Northern Ireland) Order 1993, the personal representative of the deceased and anyone who may have a claim arising from the patient’s death are permitted to access the medical records. The records should not be disclosed if they may cause physical or mental harm to anyone, if they identify a third party (excluding a healthcare professional), or if the deceased gave the information on the understanding that it would remain private.

Relevant information may also be disclosed if it is required by law or to assist a coroner, procurator fiscal, or other similar officer with an inquest or fatal accident inquiry.

Information should also be shared when disclosure is necessary to meet a professional duty of candour and when it is necessary to support the reporting or investigation of adverse incidents or complaints, for local clinical audit or for clinical outcome review programmes.

Children and young people

A competent child has the right to make their own application for disclosure under the DPA and, accordingly, any application by a parent (or any other party) at this point can only be with the child’s consent.

Prior to the child becoming competent, someone with parental responsibility can exercise the right on the child’s behalf, as long as it is in the child’s best interests. For more information, please see Parental responsibility (medicalprotection.org)

If a young person is able to understand the implications of the disclosure, they can give their consent, regardless of age. Once children have the capacity to make decisions about their own treatment, they are also entitled to decide whether personal information may be passed on, and each request must be judged on its own merits.

Disclosure may be withheld if:

  • It is likely to cause serious harm to the patient or another person
  • The records refer to another person (excluding healthcare professionals) who has not given consent to disclosure

As with adults, the duty of confidentiality to young patients is not absolute, and disclosure of information may be justified when required by law or where the risks to the child or the public in general outweigh the risks of keeping the information confidential.

For more information about disclosure without consent please read Confidentiality - Disclosures relating to patients unable to consent (medicalprotection.org) and Factsheet: Confidentiality - Disclosures without consent - England (medicalprotection.org)
