Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure; disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.
Identifiable health information that has been acquired in a professional capacity should be held securely, in accordance with the Data Protection Act 1998 and GMC guidance on confidentiality. The information held should be accurate, relevant and up-to-date, and kept only as long as necessary for the purpose of providing healthcare.
You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose.
You have a responsibility to keep patient information secure and protected against improper disclosure at all times. The Information Commissioner can impose a Civil Monetary Penalty up to a maximum of £500,000 if data controllers seriously contravene the Data Protection Act in a deliberate or reckless way, or of a kind likely to cause substantial distress or damages to an individual.
Your duty of confidentiality relates to all information you hold about your patients, including demographic data, the dates and times of any appointments your patients may have made, and the fact that an individual may be a patient of yours or registered with your practice.
Your duty of confidentiality relates not only to sensitive health information but to all information you hold about your patients. This includes demographic data and the dates and times of any appointments your patients may have made, or consultations they may have attended. The fact that an individual may be a patient of yours or registered with your practice is also confidential.
Consent to disclosure
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express – for instance, most patients understand that information about their health needs to be shared within the healthcare team providing care. Implied consent is adequate in this circumstance and express consent does not need to be sought.
Implied consent is also acceptable for the purposes of clinical audit within the healthcare team, as long as patients have been made aware of the possibility by notices in the waiting room, for example, and the patient has not objected to having their information used in this way. If the patient does object, their objection should be respected and their data should not be used for audit purposes.
Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom.
Disclosure required by law
In some circumstances, you are obliged to disclose information to comply with a statutory requirement. An example is the requirement to notify certain communicable diseases. In such cases, you should disclose the information – even if you do not have the patient’s consent.
You should also inform the patient of the disclosure and reason for it. You may also be ordered by the court to provide information without a patient’s consent. If ordered by the judge or presiding officer, you should comply but explain that you do not have the patient’s consent.
You should object to the judge or presiding officer if attempts are made to compel you to disclose what appear to you to be irrelevant matters, eg, matters relating to relatives or partners of the patient who are not party to the proceedings. Should you consider that the requested disclosure may, for any reason, be detrimental to the patient’s physical or mental health, you must bring it to the court’s attention.
Disclosures in the public interest
In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent. If you believe that disclosure is necessary in the public interest, and that the benefits from disclosure outweigh the risks from doing so, it may be justified to disclose the information, even without the patient’s consent.
Such circumstances usually arise where there is a risk of death or serious harm to the patient or others, which may be reduced by disclosure of appropriate information. If possible, you should seek the patient’s consent and/or inform them of the disclosure before doing so. Examples of such a situation would include one in which disclosure of information may help in the prevention, detection or prosecution of a serious crime.
Disclosures involving patients who are not competent adults
Children and young people under 18 years
If a young person is able to understand the implications of the disclosure, they are able to give their consent, regardless of age. In practical terms, consideration should be given to whether any child aged 12 and over may be competent to give consent. If a child is not competent to give consent, someone with parental responsibility may consent to disclosure on behalf of the child.
Mothers have automatic parental responsibility, as will the father if they were married at the time of the child’s birth. For children whose births were registered after 15 April 2002 in Northern Ireland, the father has parental responsibility if he is named on the child’s birth certificate. There are also other circumstances in which fathers may gain parental responsibility – for full details see the MPS factsheet on Parental Responsibility.
Patients lacking capacity
Adults are assumed to have capacity unless they have an impairment affecting their mind (eg, dementia), which means they are unable to make a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision. If a patient lacks capacity, you should act in their best interests when deciding whether to disclose the information.
After a patient has died
Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wishes that specific information should remain confidential after their death, or if the patient has asked, you should respect that wish.
Under the Access to Health Records (Northern Ireland) Order 1993, if a patient has died, the “personal representative” of the patient (usually an executor of the will) can apply for access to the relevant part of a patient’s medical records, as can someone who may have a claim arising out of the patient’s death (eg, for a life assurance claim). Access under this legislation, should, however, be refused if the record includes a note, made at the patient’s request, that he or she did not wish access to be given on such an application.
Some newer forms of communication – such as social media – are ubiquitous, and medicine’s high profile among the news media means that the confidentiality of patient information is facing newer risks.
In para 69 of Good Medical Practice, the GMC says: “When communicating publicly, including speaking to or writing in the media, you must maintain patient confidentiality. You should remember when using social media that communications intended for friends or family may become more widely available.”
In its explanatory guidance Doctors’ use of social media, the GMC says: “Many doctors use professional social media sites that are not accessible to the public. Such sites can be useful places to find advice about current practice in specific circumstances. However, you must still be careful not to share identifiable information about patients.
“Although individual pieces of information may not breach confidentiality on their own, the sum of published information online could be enough to identify a patient or someone close to them.
“You must not use publicly accessible social media to discuss individual patients or their care with those patients or anyone else.”
- MPS factsheet, Confidentiality – Disclosures Without Consent
- MPS factsheet, Confidentiality – Patients Unable to Consent
- GMC, Confidentiality (2009)
- DHSSPS, Confidentiality Code of Practice
- BMA, Confidentiality and Disclosure of Health Information (1999)
- DHSSPS, Confidentiality and Disclosure of Information: General Medical Services (Northern Ireland) (2006)
- Access to Health Records (Northern Ireland) Order (1993)
- GMC, Confidentiality: good practice in handling patient information
- GMC, Making and Using Visual and Audio Recordings of Patients – Guidance for
- GMC, Good Medical Practice (2013)
- GMC, Doctors' use of Social Media (2013)
- The Health and Social Care Information Centre, Code of practice on confidential information(2014).