Select country
Menu
Refine my search

An introduction to confidentiality

Confidentiality is central to the trust between healthcare professionals and patients; without it, patients may be reluctant to divulge personal information, and this could impact their care and treatment. It is often referred to as doctor-patient confidentiality.

Healthcare professionals and others working in a healthcare setting, such as reception and other administrative staff, have access to sensitive personal information about patients and have a legal, ethical and often a contractual duty to keep this information confidential.

Healthcare professionals must understand the general principles of patient confidentiality and their professional, ethical, and contractual obligations.

What is confidentiality?

Confidentiality in healthcare is the protection of a patient's personal information, including their health, family, lifestyle, and care needs. This is to protect the patient's privacy during their care and even after death. Confidentiality is an essential legal and ethical duty but - given the nature of safeguarding and the responsibilities of healthcare professionals - it is not absolute. 

NHS England refer to confidentiality as follows: "All staff have a legal duty of confidence to keep person-identifiable or confidential information private and not to divulge information accidentally."

The GMC's definition of confidentiality states: "Patients have the right to expect that their personal information will be held in confidence by their doctors."

 

The primary piece of legislation that governs the handling and processing of patient information is the Data Protection Act 1998. This legislation and the General Data Protection Regulations (GDPR) that accompany it are lengthy and complex, and there are other aspects of law that touch on confidentiality which vary across the UK jurisdictions.

It is also important to recognise the role of the Mental Capacity Act (MCA) 2005 in discussions of patient confidentiality - as there are circumstances under which information may be shared on a patient's behalf if they are not deemed to be wholly competent. 

As well as a general duty of confidentiality, some independent healthcare workers such as doctors and dentists - both working in a private capacity and in General Practice - may have additional responsibilities, including as a data controller. However, in many healthcare settings, those responsibilities rest with an employer.

This article provides an overview of the basic principles of confidentiality and provides links to additional supporting information.

Advice on a specific situation can be sought by contacting our advisory team on our dedicated advice line.


 

Key principles

Data relating to an identifiable individual should be held securely, in accordance with the Data Protection Act 1998 (DPA), the GDPR and professional guidance on confidentiality. The information held should be accurate, relevant and up-to-date, and kept only as long as necessary for the purpose of providing healthcare

A breach of confidentiality may lead to a patient or their representative making a complaint to the General Medical Council (GMC) or Nursing and Midwifery Council (NMC)

For doctors and healthcare professionals, the NHS Code of Practice for Confidentiality offers clear guidance around the proper implementation of medical confidentiality - in order to protect patients' private information. In essence, a duty of confidentiality relates to all personally identifiable information held about patients and includes:

  • Medical records
  • Personal details: name, address, age, marital status, sexuality, race
  • Record of appointments
  • Audio/visual recordings
  • The fact that the patient is your patient

Healthcare professionals and those working in a healthcare setting must take care to avoid unintentional disclosure of confidential patient information, for example, by ensuring that any consultations with patients cannot be overheard. Other potential areas and sources of breach of confidentiality include:

  • Waiting areas
  • Use of social networking sites
  • Telephone
  • Texts
  • Computer
  • Emails
  • Audio/visual recordings

The Information Commissioner can impose a Civil Monetary Penalty for contravention of the DPA in a deliberate or reckless way, or of a kind likely to cause substantial distress or damage to an individual. A breach of confidentiality may also lead to a patient or their representative making a complaint to the General Medical Council (GMC) or Nursing and Midwifery Council (NMC). A breach of confidentiality can also result in disciplinary action by an employer.

Any breach of confidentiality between doctor and patient may lead to repercussions under the UK's GDPR legislation, which states that all personal data is processed in a manner that ensures appropriate security.

More information about the GDPR and the DPA can be found here.

Read more on: Confidentiality

Articles and features 15/12/2025

Should I sign my patient's 'fitness to participate' form?

Should I sign my patient's 'fitness to participate' form?

Time to read article: 4 mins
Close Preview

GPs may be unsure about declaring patients fit to take part in physical events. Medical Protection provides advice on this common query.

Read more

Article contains

Tagged in...

Articles and features 03/12/2025

Surviving Medical School: Social media

Surviving Medical School: Social media

Time to read article: 4 mins
Close Preview

Essential advice about protecting yourself online. The article looks into cases and GMC guidance around online activity and social media, with key things you need to know as a medical student and junior doctor.

Read more

Article contains

Tagged in...

Disclosure of information

Appropriate information sharing is an essential part of the provision of safe and effective patient care. There are also important uses of patient information for purposes other than direct care, for example, service planning and audit.

Other uses are not directly related to the provision of healthcare but serve wider public interests, such as disclosures for the protection of the wider public. Specific scenarios where patient consent may be overridden include:

  • notifiable diseases, that must be reported to public health authorities,
  • public security issues, where it may prevent serious harm or threats to public safety,
  • court orders, which may compel the disclosure of confidential information.

In addition, patients have a right of access to their medical records and other information held about them and may choose to share this information with third parties, such as solicitors, insurance companies, or employers. 

Therefore, it is important to understand when information can be disclosed and when it should remain confidential.

Disclosure request under the Data Protection Act 1998 (DPA)

Patients have a right to request access to their records and any other information held about them - such as appointment details and complaint records - under the Data Protection Act (DPA). The patient may also consent to such a disclosure to a third party, such as a solicitor, who acts as the patient’s agent under the DPA. In these circumstances, disclosure in accordance with the DPA should normally take place. When disclosing information to a third party, the third party should provide evidence that the patient has consented to the disclosure. However, if it is considered that the patient may not appreciate the nature and extent of the disclosure, it is important to confirm their agreement before proceeding.


The Data Protection Act 1998 permits patients to request access to their medical records.


Disclosure of a patient’s medical records must be checked for third-party information (excluding healthcare professionals) and information that, if disclosed, could cause serious harm to the physical or mental health of the patient or any other person, and this information should be redacted.


Disclosure with consent

Before disclosing any information about a patient to a third party, a patient must consent to the disclosure. Consent may be implied or express; for example, most patients understand that information about their health needs to be shared within the healthcare team providing direct care, so implied consent is often adequate in this circumstance.

However, only information necessary for the provision of care should be shared, and the patient should be informed of the need to share the information and their right to withhold it if they wish. If a patient refuses to allow the sharing of information, then the implications of this on the patient and their care should be explained, and a compromise reached, if possible.

Implied consent is acceptable for clinical audit purposes within the healthcare team as long as patients have been made aware of the possibility by notices within the waiting room, for example, and have not objected to having their information used in this way. If the patient does object, their objection should be respected, and their data should not be used for audit purposes.
 
Express consent is required if patient-identifiable data is to be disclosed for any purpose, except if the disclosure is required by law, necessary in the public interest, or in the best interests of the patient - and can be justified despite their lack of consent.

When giving consent to disclosure of information, the patient must be made aware of what data will be disclosed, to whom, and for what purpose.

For consent to disclosure to be valid, the patient must be competent to give consent and must be provided with full information about the extent of the disclosure. Adult patients are assumed to be competent unless there is a specific reason to doubt this.

Patient competence, and considerations around patient capacity, are discussed in more detail in our Guide to consent in healthcare:


Read more on Consent

Disclosure without consent

Confidentiality is an important ethical and legal duty - but it is not absolute, and it is possible to disclose information without consent in the following situations:

Disclosure required by law

In some circumstances, a healthcare professional will be required to disclose information to comply with a legal requirement. An example is the requirement to notify certain communicable diseases. In such cases, information can be provided – even if the patient has not provided consent. The patient should be informed of the disclosure and reason for it.

A judge or presiding officer of a court may also order disclosure of patient information without consent and in most cases, this should be complied with, however objections can be raised if attempts are made to compel disclosure of what appears to be irrelevant matters, such as matters relating to relatives or partners of the patient who are not party to the proceedings.

Personal information about a patient must not be disclosed to a solicitor, police officer or officer of a court without the patient’s express consent, unless it is required by law or there is a court order.

 

Disclosures in the public interest

Sometimes a situation arises where disclosure is necessary in the public interest, and the benefits from disclosure outweigh the risks from not doing so and in this situation, it may be justifiable to disclose information, without the patient’s consent, or when the patient has withheld consent.

Such circumstances usually arise where there is a risk of death or serious harm to the patient or others. If possible, attempts should still be made to obtain the patient’s consent and/or inform them of the disclosure before doing so. Examples of such a situation would include one in which disclosure of information may help in the prevention, detection or prosecution of a serious crime. Serious crimes are usually considered to be crimes against the person such as violent assault, murder and abuse. The minimum amount of information to serve the purpose should be disclosed and it is advisable to carefully document the reasons for disclosure, if consent was sought and obtained or not.

Disclosure to benefit a patient lacking capacity

Adult patients are assumed to have capacity unless they have an impairment, which means they are unable to make or communicate a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision.

If a patient lacks capacity, a healthcare professional may act in their best interests when deciding whether to disclose the information. The views of anyone the patient has asked to be consulted, or who has legal authority to make a decision on their behalf, or has been appointed to represent them must also be considered.

The requirements of capacity assessments differ from country to country, so be sure to familiarise yourself with the guidance in your area.

If it is believed that a patient is a victim of neglect or abuse and they lack capacity to consent to disclosure there is a legal requirement information to disclose information promptly to an appropriate person or authority.

More information can be found here on adult safeguarding can be found here: Adult safeguarding and confidentiality – disclosing information to the Office of the Public Guardian (medicalprotection.org)


Read more on: Mental capacity
Articles and features 19/11/2024

Consent - An essential guide

Consent - An essential guide

Time to read article: 7 mins
Close Preview

This guide helps equip medical practitioners build understanding of issues and manage risks around patient consent, and when to contact us for help.

Read more

Article contains

Tagged in...

Articles and features 29/06/2023

The five principles of the Mental Capacity Act

The five principles of the Mental Capacity Act

Time to read article: 5 mins
Close Preview

Both legislation and the GMC’s guidance emphasise that doctors should presume that adults have the capacity to consent to or refuse a proposed treatment unless it can be established that they lack that capacity.

Read more

Article contains

Tagged in...

Articles and features 20/09/2021

COVID-19 vaccination: lacking capacity to consent

COVID-19 vaccination: lacking capacity to consent

Time to read article: 3 mins
Close Preview

As the vaccination programme against COVID-19 continues in the UK, the usual laws around patient consent still apply. But what if your patient lacks capacity to consent? Dr Jayne Molodynski, Medicolegal Consultant at Medical Protection, offers advice and guidance

Read more

Article contains

Tagged in...

Disclosure after death

A duty of confidentiality continues after death. In some situations, such as a complaint arising after a patient’s death, relevant information may be discussed with the family. If it is reasonably believed or known that the patient wished that specific information should remain confidential after their death then this request should usually be respected.

Under the Access to Health Records Act 1990 and the Access to Health Records (Northern Ireland) Order 1993, the personal representative of the deceased and anyone who may have a claim arising from the patient’s death are permitted to access the medical records. The records should not be disclosed if they may cause physical or mental harm to anyone, if they identify a third party (excluding a healthcare professional), or if the deceased gave the information on the understanding that it would remain private.

A duty of confidentiality continues after death

Relevant information may also be disclosed if it is required by law or to assist a coroner, procurator fiscal, or other similar officer with an inquest or fatal accident inquiry.

Information should also be shared when disclosure is necessary to meet a professional duty of candour and when it is necessary to support the reporting or investigation of adverse incidents or complaints, for local clinical audit or for clinical outcome review programmes.

Children and young people

A competent child has the right to make their own application for disclosure under the DPA and, accordingly, any application by a parent (or any other party) at this point can only be with the child’s consent.

Prior to the child becoming competent, someone with parental responsibility can exercise the right on the child’s behalf, as long as it is in the child’s best interests. For more information, please see Parental responsibility (medicalprotection.org)

If a young person is able to understand the implications of the disclosure, they can give their consent, regardless of age. Once children have the capacity to make decisions about their own treatment, they are also entitled to decide whether personal information may be passed on, and each request must be judged on its own merits.

Disclosure may be withheld if the disclosure:

  • Is likely to cause serious harm to the patient or another person
  • The records refer to another person (excluding healthcare professionals) who has not given consent to disclosure

As with adults, the duty of confidentiality to young patients is not absolute, and disclosure of information may be justified when required by law or where the risks to the child or the public in general outweigh the risks of keeping the information confidential.

For more information about disclosure without consent please read Confidentiality - Disclosures relating to patients unable to consent (medicalprotection.org) and Factsheet: Confidentiality - Disclosures without consent - England (medicalprotection.org)

Social media

It is essential to maintain patient confidentiality in all professional communications and this includes the use of social media and other digital communication formats.

For more on Social Media and Professionalism please read Pitfalls of social media (medicalprotection.org)

 

Explore this page