Membership information 0800 225 677
Medicolegal advice 0800 014 780

Part 2: Disclosure and security


Confidentiality is usually thought of as an ethical issue. It is, but it is also a legal obligation:

  • Employed healthcare workers are usually bound by a confidentiality clause in their contracts. There is a common-law contractual duty to preserve professional confidence.
  • The Constitution guarantees citizens the right to privacy, including the right not to have the privacy of their communications infringed.2
  • The National Health Act makes it an offence to divulge information about health service users without the user’s consent. The only permissible exceptions are when the law or a court order requires disclosure, or if nondisclosure would represent a serious threat to public health. (However see the HPCSA's guidelines in booklet 10 paragraph 9.3 which allows for disclosures to be made that may assist in the prevention or detection of a crime that will put someone at risk of death or serious harm).3
  • In terms of the Protection of Personal Information Act all employers and all employees are legally obliged to treat all personal information concerning all patients, including their health information, as private and confidential.

The obligation of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that all records containing patient information are kept securely.

Confidential records should not be left where other people may have casual access to them and information about patients should be sent under private and confidential cover, with appropriate measures to ensure that it does not go astray.

Patients should be informed about the kind of information being held about them, how and why it might be shared, and with whom it might be shared. Patient information leaflets are a convenient way of notifying patients about this, but they are not sufficient in themselves. Bear in mind that few patients will bother to read the leaflets, and some may not be able to read them. It is especially important to understand that with the advent of the Protection of Personal Information Act patients are vested with the right that their personal information will always be treated as confidential. It is not recommended that users be required to agree to the general waiver of their rights to confidentiality. If you intend to use a patients' personal information for purposes other than their immediate care, or to share it with non-medical agents such as social workers, or to use it for research purposes, you must obtain the patient's consent to hold, process and use the personal information for that particular additional purpose.

Confidentiality is not an absolute obligation – there are circumstances in which disclosure is permissible or even mandatory. Disclosures not authorised by patients are the exception and should only be made after careful and due consideration.