Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure, disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.
Data relating to an identifiable individual should be held securely, in accordance with the Data Protection Act 1998 and GMC guidance on confidentiality. The information held should be accurate, relevant and up-to-date, and kept only as long as necessary for the purpose of providing healthcare.
You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose. You have a responsibility to keep patient information secure and protected against improper disclosure at all times. The Information Commissioner can impose a Civil Monetary Penalty up to a maximum of £500,000 if data controllers seriously contravene the Data Protection Act in a deliberate or reckless way, or of a kind likely to cause substantial distress or damages to an individual.
Your duty of confidentiality relates to all information you hold about your patients, including demographic data, the dates and times of any appointments your patients may have made, and the fact that an individual may be a patient of yours or registered with your practice.
Consent to disclosure
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express, eg, most patients understand that information about their health needs to be shared within the healthcare team providing care, and so implied consent is adequate in this circumstance.
Implied consent is also acceptable for the purposes of clinical audit within the healthcare team, as long as patients have been made aware of the possibility by notices in the waiting room, for example, and the patient has not objected to having their information used in this way. If the patient does object, their objection should be respected and their data should not be used for audit purposes.
Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom.
Disclosure required by law
In some circumstances, you are obliged to disclose information to comply with a statutory requirement. An example is the requirement to notify certain communicable diseases. In such cases, you should disclose the information – even if you do not have the patient’s consent. You should also inform the patient of the disclosure and reason for it. You may also be ordered by the court to provide information without a patient’s consent. If ordered by the judge or presiding officer, you should comply.
You should object to the judge or presiding officer if attempts are made to compel you to disclose what appear to you to be irrelevant matters, eg, matters relating to relatives or partners of the patient who are not party to the proceedings. You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s express consent, unless it is required by law or can be justified in the public interest. Where confidential patient records are being disclosed to a third party who is acting as the patient’s agent under the DPA, full disclosure in accordance with the act should normally take place. However, if you believe the patient may not appreciate the nature and extent of the disclosure it would be prudent to confirm their agreement before proceeding. Where information from the records is being disclosed in other circumstances, you should make sure the disclosure is in accordance with the patient’s consent.
DPA disclosures must be vetted for third party information and harmful information, and this information should be redacted.
Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless —
(a) the other individual has consented to the disclosure of the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.Where the patient refuses to authorise a full disclosure of information to a third party, that party must be made aware that information has been withheld at the patient’s request.
Disclosures in the public interest
In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent. If you believe that disclosure is necessary in the public interest, and that the benefits from disclosure outweigh the risks from doing so, it may be justified to disclose the information, even without the patient’s consent.
Such circumstances usually arise where there is a risk of death or serious harm to the patient or others. If possible, you should seek the patient’s consent and/or inform them of the disclosure before doing so. Examples of such a situation would include one in which disclosure of information may help in the prevention, detection or prosecution of a serious crime. A competent adult’s wishes should generally be respected if they refuse to allow disclosure and no-one else will suffer.
The GMC has produced supplementary guidance on Disclosing information about serious communicable diseases. For more information see the MPS factsheet Confidentiality – Disclosures without consent.
Disclosures involving patients who are not competent adults
Children and young people under 18 years
The Information Commissioner’s Office (ICO) is responsible for governing data protection compliance. ICO advice states that a competent child has the right to make their own application for disclosure under the DPA, and accordingly any application by a parent (or any other party) at this point, can only be with the child’s consent.
Prior to the child becoming competent, someone with parental responsibility can exercise the right on the child’s behalf, as long as it is in the child’s best interests.
You should allow access by competent patients unless:
- It is likely to cause serious harm to the patient or another person
- The records refer to another person (excluding healthcare professionals) who has not given consent to disclosure.
If a young person is able to understand the implications of the disclosure, they are able to give their consent, regardless of age. Once children have the capacity to make decisions about their own treatment, they are also entitled to decide whether personal information may be passed on.
Patients lacking capacity
Under the Mental Capacity Act 2005, adults are assumed to have capacity unless they have an impairment affecting their mind (eg, dementia), which means they are unable to make a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision.
If a patient lacks capacity, you should act in their best interests when deciding whether to disclose the information. You must consider the views of anyone the patient asks you to consult, or who has legal authority to make a decision on their behalf, or has been appointed to represent them.
After a patient has died
Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wished that specific information should remain confidential after their death, or if the patient has asked, you should usually respect that wish.
The “personal representative” of the patient (usually an executor of the will, or an administrator if there is no will) can apply for access to the relevant part of a patient’s medical records (excepting harmful or third party information), as can someone who has a claim arising out of the patient’s death (eg, for a life assurance claim), or a claim in negligence.
In respect of disclosure potentially associated with assisted suicide (eg, to Dignitas), specific advise should be sought from MPS prior to disclosure.
Some newer forms of communication – such as social media – are ubiquitous, and medicine’s high profile among the news media means that the confidentiality of patient information is facing newer risks.
In para 69 of Good Medical Practice, the GMC says: “When communicating publicly, including speaking to or writing in the media, you must maintain patient confidentiality. You should remember when using social media that communications intended for friends or family may become more widely available.”
In its explanatory guidance Doctors’ use of social media, the GMC says: “Many doctors use professional social media sites that are not accessible to the public. Such sites can be useful places to find advice about current practice in specific circumstances. However, you must still be careful not to share identifiable information about patients.
“Although individual pieces of information may not breach confidentiality on their own, the sum of published information online could be enough to identify a patient or someone close to them.
“You must not use publicly accessible social media to discuss individual patients or their care with those patients or anyone else.