Membership information 0800 225 677
Medicolegal advice 0800 014 780

Confidentiality – General principles

8 Jan 2021

Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure, the disclosure is required by law or is necessary for the public interest. This factsheet sets out the basic principles of confidentiality.


Any profession that deals with people’s sensitive personal information is bound by the same expectations of confidentiality and healthcare is no different. However, your duty of confidentiality relates not only to sensitive health information but to all information you hold about your patients.

The National Health Act 61 (2003) declares that this information must not be given to others unless the patient consents or if you can justify the disclosure. This includes demographic data and the dates and times of any appointments your patients may have made, or consultations they may have attended. The fact that an individual may be a patient of yours or registered with your practice is also confidential.

You are only permitted to reveal confidential information about a patient in certain circumstances – the most obvious of which is with the permission of the patient in question, assuming that they have sufficient capacity to consent to this. According to the HPCSA, the other appropriate scenarios are:

  • In terms of a Statutory provision
  • At the instruction of a court
  • When it is in the public interest
  • With the written consent of a parent or guardian of a minor under the age of 12 years
  • In the case of a deceased patient with the written consent of the next of kin or the executor of the deceased’s estate.

You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. When disclosing information, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose.

The implementation of the Protection of Personal Information Act 4 (2013) (POPI Act) from July 2020 places additional responsibilities on healthcare professionals to safeguard patient information. If patient information has been obtained from a source other than the patients themselves such as additional information held by the medical aid or by another healthcare professional, then the treating medical practitioner must take reasonable steps to inform the patient thereof and the purpose of having that information. Failure to comply with the provisions of the POPI Act, specifically with regards to maintaining patient confidentiality, can potentially lead to civil claims for damages.

See also our POPI Factsheet.


Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. There are a variety of reasons for which personal medical information may be requested: education, research, monitoring and epidemiology, public health surveillance, clinical audit, administration and planning, insurance and employment.

The patient’s consent to release this information may be implied or express. Implied consent can be deemed sufficient in instances such as you dictating a referral letter to your medical secretary. However, in the case where you will be sharing a patient’s personal information among your healthcare team, it is wise to check that the patient is aware of this. This is not necessary if the patient has already expressly consented to the particular treatment.

Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary for the public interest.


For consent to the disclosure to be valid the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent unless you have a specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom. For more on how and when to take consent, see our Consent Factsheet.


In some circumstances, you are obliged to disclose information to comply with a statutory requirement. An example is the requirement to notify certain communicable diseases. In such cases, you should disclose the information – even if you do not have the patient’s consent. You should also inform the patient of the disclosure and the reason for it.


In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent. If you believe that disclosure is necessary for the public interest and that the benefits from disclosure outweigh the risks from doing so, it may be justified to disclose the information, even without the patient’s consent.

Such circumstances usually arise where there is a risk of death or serious harm to the patient or others, which may be reduced by disclosure of appropriate information. If possible, you should seek the patient’s consent and/or inform them of the disclosure before doing so. Examples of such a situation would include one in which disclosure of information may help in the prevention, detection or prosecution of a serious crime. 


You may consider a patient to be immature, too ill or lacking in mental capacity to give valid consent, yet they could request that information not be disclosed to a third party. Under the terms of the National Health Act, if no person has been legally appointed to give consent on a patient’s behalf, then the following order of preference for obtaining consent should be followed: a spouse or partner, parent, grandparent, adult child or adult brother or sister.

Where none of the above persons exist, then you may approach the High Court for relief. In emergencies in state hospitals, the Medical Superintendent may give advice.


If a young person can understand the implications of the disclosure, they can give their consent, regardless of age. However, the rules previously mentioned regarding immaturity apply. If you believe the child to be a victim of physical, sexual or emotional abuse, yet they are incapable of giving consent, you must pass their information on to an appropriate responsible person or statutory agency. This is where the disclosure can be given without consent, in the patient’s best interests.

See also Consent – Children and Young People.


Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wishes that specific information should remain confidential after their death, or if the patient has asked, you should respect that wish.

The “personal representative” of the patient (usually an executor of the will) can apply for access to the relevant part of a patient’s medical records, as can someone who has a claim arising out of the patient’s death, e.g. For a life assurance claim. Always seek advice when considering such a request.