Confidentiality – General principles


confidential(Correct as of April 2008) Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure; disclosure is required by law or is necessary in the public interest. This factsheet sets out the basic principles of confidentiality.

General principles

Identifiable health information that has been acquired in a professional capacity should be held securely, in accordance with the Data Protection Act 1998 and GMC guidance on confidentiality. The information held should be accurate, relevant and up-to-date, and kept only as long as necessary for the purpose of providing healthcare.

You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose. You have a responsibility to keep patient information secure and protected against improper disclosure at all times.

Your duty of confidentiality relates not only to sensitive health information but to all information you hold about your patients. This includes demographic data and the dates and times of any appointments your patients may have made, or consultations they may have attended. The fact that an individual may be a patient of yours or registered with your practice is also confidential.

Consent to disclosure

Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express – for instance, most patients understand that information about their health needs to be shared within the healthcare team providing care. Implied consent is adequate in this circumstance and express consent does not need to be sought.

Implied consent is also acceptable for the purposes of clinical audit within the healthcare team, as long as patients have been made aware of the possibility by notices in the waiting room, for example, and the patient has not objected to having their information used in this way. If the patient does object, their objection should be respected and their data should not be used for audit purposes.

Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.

Valid consent

In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom.

Disclosure required by law

In some circumstances, you are obliged to disclose information to comply with a statutory requirement. An example is the requirement to notify certain communicable diseases. In such cases, you should disclose the information – even if you do not have the patient’s consent. You should also inform the patient of the disclosure and reason for it.

You may also be ordered by the court to provide information without a patient’s consent. If ordered by the judge or presiding officer, you should comply but explain that you do not have the patient’s consent, and limit the information disclosed to that relevant to the proceedings.

Disclosures in the public interest

In some cases, it is not possible to obtain the patient’s consent, such as when the patient is not contactable. Alternatively, the patient may have expressly refused their consent. If you believe that disclosure is necessary in the public interest, and that the benefits from disclosure outweigh the risks from doing so, it may be justified to disclose the information, even without the patient’s consent.

Such circumstances usually arise where there is a risk of death or serious harm to the patient or others, which may be reduced by disclosure of appropriate information. If possible, you should seek the patient’s consent and/or inform them of the disclosure before doing so. Examples of such a situation would include one in which disclosure of information may help in the prevention, detection or prosecution of a serious crime.

Disclosures involving patients who are not competent adults

Children and young people under 18 years

If a young person is able to understand the implications of the disclosure, they are able to give their consent, regardless of age. In practical terms, consideration should be given to whether any child aged 12 and over may be competent to give consent.

If a child is not competent to give consent, someone with parental responsibility may consent to disclosure on behalf of the child. Mothers have automatic parental responsibility, as will the father if they were married at the time of the child’s birth. For children whose births were registered from 15th April 2002 in Northern Ireland, from 1st December 2003 in England and Wales and from 4th May 2006 in Scotland, the father has parental responsibility if he is named on the child’s birth certificate. There are also other circumstances in which fathers may gain parental responsibility – for full details see the factsheet on Parental Responsibility.

Patients lacking capacity

Under the Mental Capacity Act 2005, adults are assumed to have capacity unless they have an impairment affecting their mind (eg, dementia), which means they are unable to make a specific decision at a particular time. There is also a requirement to ensure all practical steps have been taken to help the individual make a decision.

If a patient lacks capacity, you should act in their best interests when deciding whether to disclose the information. If the patient has made a lasting power of attorney which covers personal welfare, the attorney can take the decision about disclosure on behalf of the patient and should be consulted.

After a patient has died

Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wishes that specific information should remain confidential after their death, or if the patient has asked, you should respect that wish.

The “personal representative” of the patient (usually an executor of the will) can apply for access to the relevant part of a patient’s medical records, as can someone who has a claim arising out of the patient’s death (eg, for a life assurance claim).

©2009 Medical Protection Society. This information was reproduced with permission. For more information visit