Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure; disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.
Data relating to an identifiable individual should be held securely, in accordance with the Data Protection Act 1998 and GMC guidance on confidentiality. The information held should be accurate, relevant and up-to-date, and kept only as long as necessary for the purpose of providing healthcare.
You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose. You have a responsibility to keep patient information secure and protected against improper disclosure at all times. The Information Commissioner can impose a Civil Monetary Penalty up to a maximum of £500,000 if data controllers seriously contravene the Data Protection Act in a deliberate or reckless way, or of a kind likely to cause substantial distress or damages to an individual.
Your duty of confidentiality relates to all information you hold about your patients, including demographic data, the dates and times of any appointments your patients may have made, and the fact that an individual may be a patient of yours or registered with your practice.
Consent to disclosure
Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express, eg, most patients understand that information about their health needs to be shared within the healthcare team providing care, and so implied consent is adequate in this circumstance.
Implied consent is also acceptable for the purposes of clinical audit within the healthcare team, as long as patients have been made aware of the possibility by notices in the waiting room, for example, and the patient has not objected to having their information used in this way. If the patient does object, their objection should be respected and their data should not be used for audit purposes.
Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.
In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom.
Disclosure required by law
In some circumstances, you are obliged to disclose information to comply with a statutory requirement. An example is the requirement to notify certain communicable diseases. In such cases, you should disclose the information – even if you do not have the patient’s consent. You should also inform the patient of the disclosure and reason for it.
You may also be ordered by the court to provide information without a patient’s consent. If ordered by the judge or presiding officer, you should comply. You should object to the judge or presiding officer if attempts are made to compel you to disclose what appear to you to be irrelevant matters, eg, matters relating to relatives or partners of the patient who are not party to the proceedings. You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s express consent, unless it is required by law or can be justified in the public interest.
Disclosures in the public interest
In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent. If you believe that disclosure is necessary in the public interest, and that the benefits from disclosure outweigh the risks from doing so, it may be justified to disclose the information, even without the patient’s consent.
Such circumstances usually arise where there is a risk of death or serious harm to the patient or others. If possible, you should seek the patient’s consent and/or inform them of the disclosure before doing so. Examples of such a situation would include one in which disclosure of information may help in the prevention, detection or prosecution of a serious crime. A competent adult’s wishes should generally be respected if they refuse to allow disclosure and no-one else will suffer.
The GMC has produced supplementary guidance on Disclosing information about serious communicable diseases. For more information see the MPS factsheet Confidentiality – Disclosures without consent.
Disclosures involving patients who are not competent adults
Children and young people under 18 years
If a young person is able to understand the implications of the disclosure, they are able to give their consent, regardless of age. In practical terms, consideration should be given to whether any child aged 12 and over may be competent to give consent.
If a child is not competent to give consent, someone with parental responsibility may consent to disclosure on behalf of the child. Mothers have automatic parental responsibility, as will the father if they were married at the time of the child’s birth.
For children whose births were registered from 4 May 2006 in Scotland, the father has parental responsibility if he is named on the child’s birth certificate. There are also other circumstances in which fathers may gain parental responsibility – for full details see the
factsheet on Parental Responsibility. Any disclosure must normally be in the child’s best interests even where authorised by parental consent.
Patients lacking capacity
Under the Adults with Incapacity (Scotland) Act 2000, adults, (those over 16) are assumed to have capacity unless they have an impairment affecting their mind (eg, dementia), which means they are unable to make a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision.
If a patient lacks capacity, you should act in their best interests when deciding whether to disclose the information.
The Adults with Incapacity Act sets out in law a range of options to help people aged 16 or over who lack the capacity to make some or all of the decisions for themselves. It allows other people to make decisions on their behalf.
If the patient has made a lasting power of attorney which covers personal welfare, the attorney can take the decision about disclosure on behalf of the patient and should be consulted.
After a patient has died
Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wished that specific information should remain confidential after their death, or if the patient has asked, you should usually respect that wish.
The “personal representative” of the patient (usually an executor of the will, or an administrator if there is no will) can apply for access to the relevant part of a patient’s medical records (excepting harmful or third party information), as can someone who has a claim arising out of the patient’s death (eg, for a life assurance claim), or a claim in negligence.
Some newer forms of communication – such as social media – are ubiquitous, and medicine’s high profile among the news media means that the confidentiality of patient information is facing newer risks.
In para 69 of Good Medical Practice, the GMC says: “When communicating publicly, including speaking to or writing in the media, you must maintain patient confidentiality. You should remember when using social media that communications intended for friends or family may become more widely available.”
In its explanatory guidance Doctors’ use of social media, the GMC says: “Many doctors use professional social media sites that are not accessible to the public. Such sites can be useful places to find advice about current practice in specific circumstances. However, you must still be careful not to share identifiable information about patients.
“Although individual pieces of information may not breach confidentiality on their own, the sum of published information online could be enough to identify a patient or someone close to them.
“You must not use publicly accessible social media to discuss individual patients or their care with those patients or anyone else.”