
Confidentiality - General principles

26 May 2021



Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure, disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.

General principles

Data relating to an identifiable individual should be held securely. The Privacy Commissioner for Personal Data is responsible for the enforcement of the Personal Data (Privacy) Ordinance (Cap 486). One of the data protection principles in the Ordinance relates to data security, and states that data users are required to “take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use”.

S.1.1.3 of the Medical Council of Hong Kong’s Code of Professional Conduct (January 2016) – or the Code – says: “All doctors have the responsibility to maintain systematic, true, adequate, clear and contemporaneous medical records.” Further, s.1.1.4 of the Code says: “All Medical records should be kept for such duration as required by the circumstances of the case and other relevant requirements.” Medical records may serve a medicolegal purpose and therefore it is legitimate to continue to keep records of a patient even if they will not be used for the purpose of medical consultation.


When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if appropriate – and includes only the minimum information necessary for the purpose.


Consent to disclose

Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express, e.g. most patients understand that information about their health needs to be shared within the healthcare team providing care, and so implied consent is adequate in this circumstance. Express consent is needed if patient identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.

Valid consent

In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom.

Disclosure without consent

In some circumstances, you may be justified in disclosing information to third parties without the patient’s consent, such as if required by law or if such a disclosure is necessary to prevent serious harm to the patient or others. S.1.4.3 of the Code warns that before doing so, you must carefully consider the arguments for and against the disclosure and be able to justify your decision.

For more information on disclosures without consent, see the MPS factsheet Confidentiality: Disclosures without Consent.

Patients lacking capacity

When it comes to making a decision regarding disclosing confidential information about a patient who lacks capacity, you must act in the patient’s best interests. You should also consider the views of anyone the patient has asked you to consult, or who has legal authority to make a decision on the patient’s behalf.

After a patient has died

Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you may discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wished that specific information should remain confidential after death, or if the patient has asked that certain information be kept confidential, you should usually respect that wish.

Under common law, the personal representative of the deceased (i.e. either the executor of the will or the administrator of the estate) is entitled to access to relevant parts of the deceased’s medical records. Records of a deceased patient should also be disclosed where they are required by the Coroner.

Further information

• Medical Council of Hong Kong, Code of Professional Conduct 

• The Privacy Commissioner for Personal Data, Personal Data (Privacy) Ordinance (Cap 486)

• Mental Health Ordinance (Cap 136)