General confidentiality principles as advised by medical defence organisations

All doctors know that maintaining confidentiality is an important part of building up trust with patients. Here, Dr Stephanie Bown examines the medicolegal aspects of confidentiality

Confidentiality is a core subject on which medical defence organisations routinely advise health professionals, and is also central to patients and doctors maintaining trust in each other. While doctors are able to access sensitive personal information about patients, it is also their legal and ethical duty to safeguard the confidentiality of this information against ever-increasing risks - including social media. However, disclosure may be necessary in some cases in the public interest or a legal requirement, or consent to disclose may have been given by the patient.   

The Data Protection Act 1998 requires that data relating to an identifiable individual is securely held, while medical defence organisations also advise their members to consult GMC guidance on confidentiality. Not only should the information only be held for as long as is required for the provision of healthcare, but it should also be relevant, accurate and up-to-date. Care should also be taken to avoid unintentional disclosure by health professionals, with hazards including consultations with patients being overheard by others. 

Doctors are also obliged to follow the guidance of the GMC and will also have to comply with the common law duty of confidentiality. In all of the situations in which information can be disclosed, medical defence organisations advise that the disclosure is proportional and, if possible, anonymised, also only including the information that is required for the purpose. At all times, the responsible health professional will look to ensure the security of patient information and its protection against improper disclosure. Data controllers in deliberate or reckless contravention of the Data Protection Act, or who do so in a manner likely to cause substantial distress or damages to an individual, can be subject to a Civil Monetary Penalty from the Information Commissioner of up to £500,000.

Social media and other newer forms of communication can also pose risks to the confidentiality of patient information

All data that a health professional holds about a patient is covered by this duty of confidentiality, including demographic information, the dates and times of any appointments made by the patient and the fact of an individual being a patient of theirs or registered with their practice. No information should be disclosed about a patient to a third party without the patient's consent to the disclosure being sought. However, express or implied consent may be valid, with the latter being adequate for the sharing of information within the healthcare team providing care.

Medical defence organisations can advise in more detail on consent to disclosure, what constitutes valid consent and when and how disclosure may be made when required by law. Health professionals may also wish to be better informed on the cases when disclosure should be made in the public interest, as well as disclosures involving patients who are not competent adults, including those who have died. Social media and other newer forms of communication can also pose risks to the confidentiality of patient information, with medical defence organisations able to advise accordingly on the most appropriate use of social networks.