Confidentiality - general principles
Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential. This factsheet sets out the basic principles of confidentiality.
General principles
Data protection principles indicate that identifiable health information that has been acquired in a professional capacity should be held securely. The information held should be accurate, relevant and up-to-date, and kept only as long as necessary for the purpose of providing healthcare.
You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose.
Your duty of confidentiality relates not only to sensitive health information but to all information you hold about your patients. This includes demographic data and the dates and times of any appointments your patients may have made, or consultations they may have attended. The fact that an individual may be a patient of yours or registered with your practice is also confidential.
Consent to disclosure
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express – for instance, most patients understand that information about their health needs to be shared within the healthcare team providing care. Implied consent is adequate in this circumstance and express consent does not need to be sought.
Implied consent is also acceptable for the purposes of clinical audit within the healthcare team, as long as patients have been made aware of the possibility by notices in the waiting room, for example, and the patient has not objected to having their information used in this way. If the patient does object, their objection should be respected and their data should not be used for audit purposes.
Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
Valid consent
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what exact data will be disclosed, and to whom.
Disclosures without consent
Under special circumstances, the Medical Council advises that doctors may be allowed to disclose confidential patient information without the patient’s consent, but usually only if:
- they are ordered to do so by a judge, or by a tribunal established by an Act of the Oireachtas
- it is necessary to protect the interests of the patient
- doing so will protect the welfare of society, or another individual.
In some circumstances, you are obliged to disclose information to comply with a statutory requirement. An example is the requirement to notify certain communicable diseases. In such cases, you should disclose the information – even if you do not have the patient’s consent. You should also inform the patient of the disclosure and reason for it.
Disclosures in the public interest
In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent. If you believe that disclosure is necessary in the public interest, and that the benefits from disclosure outweigh the risks from doing so, it may be justified to disclose the information, even without the patient’s consent.
Such circumstances usually arise where there is a risk of death or serious harm to the patient or others, which may be reduced by disclosure of appropriate information. If possible, you should seek the patient’s consent and/or inform them of the disclosure before doing so.
Children and young people under 18 years
If a young person is able to understand the implications of the disclosure, they are able to give their consent, regardless of age. In practical terms, consideration should be given to whether any child aged 12 and over may be competent to give consent. If a child is not competent to give consent, someone with parental responsibility may consent to disclosure on behalf of the child.
Patients lacking capacity
Adults are assumed to have capacity unless they have an impairment affecting their mind (eg, dementia), which means they are unable to make a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision. If a patient lacks capacity, you should act in their best interests when deciding whether to disclose the information. If the patient has made a lasting power of attorney which covers personal welfare, the attorney can take the decision about disclosure on behalf of the patient and should be consulted.
After a patient has died
Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wishes that specific information should remain confidential after their death, or if the patient has asked, you should respect that wish. Requests for medical information concerning a deceased person are often made by family members. Care must be taken never to disclose anything the deceased would have wished to keep private. You should avoid making disclosures which would compromise the confidentiality of a third party.
The “personal representative” of the patient (usually an executor of the will or next of kin) can apply for access to the relevant part of a patient’s medical records, as can someone who has a claim arising out of the patient’s death.