The SMC’s Physician’s Pledge requires all doctors to pledge “to respect the secrets which are confided in me”. Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a duty to keep this information confidential, unless the patient consents to the disclosure, or disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.
The SMC, in its Ethical Code and Ethical Guidelines, states that “information obtained in confidence or in the course of attending to the patient” should not be disclosed without a patient’s consent.
You should ensure that data relating to an identifiable individual is held securely and is not accessible to unauthorised persons. This includes sending or storing medical information by electronic means, via a website or by email, in cloud storage, or to services involving telemedicine. Any information held should be clear, accurate and up-to-date, and kept only as long as necessary for the purpose of providing healthcare or enabling a response to a future claim. You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard, or that patients’ confidential information is not disseminated knowingly or unknowingly through carelessness or through participation in social media.
Consent to disclosure
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express. For example, most patients understand that information about their health needs to be shared within the healthcare team providing care, so implied consent is adequate in this circumstance.
A patient may request that certain information is withheld, and in such circumstances the SMC suggests explaining to the patient the benefits that sharing information brings to their care. If a patient still objects, you must comply – doing your best to ensure the overall management of care is not adversely affected by this lack of disclosure.
It is accepted that indirect disclosure is inevitable in large institutions involving a large number of medical, nursing and administrative staff who need to access patient information as part of their work. The SMC notes that doctors should readily share information about patients in patients’ best interests unless the patient has specifically objected to the disclosure.
Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. If the patient is a minor, consent should be taken from his parents or legal guardians; however, you must give due consideration to the opinions of minor patients who are able to understand and decide for themselves. As for patients with such diminished mental capacity that they cannot give consent, you must obtain consent from persons with the legal authority to make such medical decisions for them.
When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom, and for what purpose.