Confidentiality: Protecting and Providing Information

April 2004

Being registered with the GMC gives you rights and privileges. In return, you have a duty to meet the standard of competence, care and conduct set by the GMC.

Doctors hold information about patients which is private and sensitive.This information must not be given to others unless the patient consents or you can justify the disclosure.

When you are satisfied that information should be released, you should act promptly to disclose all relevant information. This is often essential to the best interests of the patient, or to safeguard the well-being of others.

Patients’ right to confidentiality

Principles

1. Patients have a right to expect that information about them will be held in confidence by their doctors. Confidentiality is central to trust between doctors and patients. Without assurances about confidentiality, patients may be reluctant to give doctors the information they need in order to provide good care. If you are asked to provide information about patients you must:

• inform patients about the disclosure, or check that they have already received information about it;
• anonymise data where unidentifiable data will serve the purpose;
• be satisfied that patients know about disclosures necessary to provide their care, or for local clinical audit of that care, that they can object to these disclosures but have not done so;
• seek patients’ express consent to disclosure of information, where identifiable data is needed for any purpose other than the provision of care or for clinical audit – save in the exceptional circumstances described in this booklet;
• keep disclosures to the minimum necessary; and
• keep up to date with and observe the requirements of statute and common law, including data protection legislation.

2. You must always be prepared to justify your decisions in accordance with this guidance.

3. This booklet develops the advice in Good Medical Practice (2001). It sets out the standards of practice expected of doctors when they hold or share information about patients. Additional advice on how the guidance in this booklet should be put into practice, and on the law relating to the use and disclosure of information about patients, is available in our Frequently Asked Questions.

Protecting information

4. When you are responsible for personal information about patients you must make sure that it is effectively protected against improper disclosure at all times.

5. Many improper disclosures are unintentional.You should not discuss patients where you can be overheard or leave patients’ records, either on paper or on screen, where they can be seen by other patients, unauthorised health care staff or the public. You should take all reasonable steps to ensure that your consultations with patients are private.

Sharing information with patients

6. Patients have a right to information about the health care services available to them, presented in a way that is easy to follow and use.

7. Patients also have a right to information about any condition or disease from which they are suffering. This should be presented in a manner easy to follow and use, and include information about diagnosis, prognosis, treatment options, outcomes of treatment, common and/or serious side-effects of treatment, likely time-scale of treatments and costs where relevant.You must always give patients basic information about treatment you propose to provide, but you should respect the wishes of any patient who asks you not to give them detailed information. This places a considerable onus upon health professionals. Yet, without such information, patients cannot make proper choices as partners in the health care process. Our booklet Seeking Patients’ Consent:The Ethical Considerations (1998) gives further advice on providing information to patients.

8. You should tell patients how information about them may be used to protect public health, to undertake research and audit, to teach or train clinical staff and students and to plan and organise health care services. See paragraphs 13–15 for further information.

Disclosing information about patients

9. You must respect patients’ confidentiality. Seeking patients’ consent to disclosure of information is part of good communication between doctors and patients. When asked to provide information you must follow the guidance in paragraph 1 of this booklet.

Circumstances where patients may give implied consent to disclosure

Sharing information in the health care team or with others providing care

10. Most people understand and accept that information must be shared within the health care team in order to provide their care. You should make sure that patients are aware that personal information about them will be shared within the health care team, unless they object, and of the reasons for this. It is particularly important to check that patients understand what will be disclosed if you need to share identifiable information with anyone employed by another organisation or agency who is contributing to their care. You must respect the wishes of any patient who objects to particular information being shared with others providing care, except where this would put others at risk of death or serious harm.

11. You must make sure that anyone to whom you disclose personal information understands that it is given to them in confidence, which they must respect. All staff members receiving personal information in order to provide or support care are bound by a legal duty of confidence, whether or not they have contractual or professional obligations to protect confidentiality.

12. Circumstances may arise where a patient cannot be informed about the sharing of information, for example because of a medical emergency. In these cases you must pass relevant information promptly to those providing the patient’s care.

Disclosing information for clinical audit

13. Clinical audit is essential to the provision of good care. All doctors in clinical practice have a duty to participate in clinical audit¹. Where an audit is to be undertaken by the team which provided care, or those working to support them, such as clinical audit staff, you may disclose identifiable information, provided you are satisfied that patients:

• have been informed that their data may be disclosed for clinical audit, and their right to object to the disclosure; and
• have not objected.

14. If a patient does object you should explain why information is needed and how this may benefit their care. If it is not possible to provide safe care without disclosing information for audit, you should explain this to the patient and the options open to them.

15. Where clinical audit is to be undertaken by another organisation, information should be anonymised wherever that is practicable. In any case where it is not practicable to anonymise data, or anonymised data will not fulfil the requirements of the audit, express consent must be obtained before identifiable data is disclosed.

Disclosures where express consent must be sought

16. Express consent is usually needed before the disclosure of identifiable information for purposes such as research, epidemiology, financial audit or administration. When seeking express consent to disclosure you must make sure that patients are given enough information on which to base their decision, the reasons for the disclosure and the likely consequences of the disclosure. You should also explain how much information will be disclosed and to whom it will be given. If the patient withholds consent, or consent cannot be obtained, disclosures may be made only where they are required by law or can be justified in the public interest. Where the purpose is covered by a regulation made under s60 of the Health and Social Care Act 2001, disclosures may also be made without patients’ consent. You should make a record of the patient’s decision, and whether and why you have disclosed information.

17. Where doctors have contractual obligations to third parties, such as companies or organisations, they must obtain patients’ consent before undertaking any examination or writing a report for that organisation. Before seeking consent they must explain the purpose of the examination or report and the scope of the disclosure. Doctors should offer to show patients the report, or give them copies, whether or not this is required by law.

Disclosure in connection with judicial or other statutory proceedings

Disclosures required by law

18. You must disclose information to satisfy a specific statutory requirement, such as notification of a known or suspected communicable disease. You should inform patients about such disclosures, wherever that is practicable, but their consent is not required.

Disclosures to courts or in connection with litigation

19. You must also disclose information if ordered to do so by a judge or presiding officer of a court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appear to you to be irrelevant matters, for example matters relating to relatives or partners of the patient, who are not parties to the proceedings.

20. You must not disclose personal information to a third party such as a solicitor², police officer or officer of a court without the patient’s express consent, except in the circumstances described in the paragraphs which follow.

Disclosures to statutory regulatory bodies

21. Patient records or other patient information may be needed by a statutory regulatory body for investigation into a health professional’s fitness to practise. If you are referring concerns about a health professional to a regulatory body, you must seek the patient’s consent before disclosing identifiable information, wherever that is practicable. Where patients withhold consent or it is not practicable to seek their consent, you should contact the GMC, or other appropriate regulatory body, which will advise you on whether the disclosure of identifiable information would be justified in the public interest or for the protection of other patients³. Wherever practicable you should discuss this with the patient. There may be exceptional cases where, even though the patient objects, disclosure is justified.

The public interest

Disclosures in the public interest

22. Personal information may be disclosed in the public interest, without the patient’s consent, and in exceptional cases where patients have withheld consent, where the benefits to an individual or to society of the disclosure outweigh the public and the patient’s interest in keeping the information confidential. In all cases where you consider disclosing information without consent from the patient, you must weigh the possible harm (both to the patient, and the overall trust between doctors and patients) against the benefits which are likely to arise from the release of information.

23. Before considering whether a disclosure of personal information ‘in the public interest’ would be justified, you must be satisfied that identifiable data are necessary for the purpose, or that it is not practicable to anonymise the data. In such cases you should still try to seek patients’ consent, unless it is not practicable to do so, for example because:

• the patients are not competent to give consent (see paragraphs 28 and 29); or
• the records are of such age and/or number that reasonable efforts to trace patients are unlikely to be successful; or
• the patient has been, or may be violent; or obtaining consent would undermine the purpose of the disclosure (eg disclosures in relation to crime); or
• action must be taken quickly (for example in the detection or control of outbreaks of some communicable diseases) and there is insufficient time to contact patients.

24. In cases where there is a serious risk to the patient or others, disclosures may be justified even where patients have been asked to agree to a disclosure, but have withheld consent (for further advice see paragraph 27).

25. You should inform patients that a disclosure will be made, wherever it is practicable to do so. You must document in the patient’s record any steps you have taken to seek or obtain consent and your reasons for disclosing information without consent.

26. Ultimately, the ‘public interest’ can be determined only by the courts; but the GMC may also require you to justify your actions if a complaint is made about the disclosure of identifiable information without a patient’s consent. The potential benefits and harms of disclosures made without consent are also considered by the Patient Information Advisory Group in considering applications for Regulations under the Health and Social Care Act 2001. Disclosures of data covered by a Regulation⁴ are not in breach of the common law duty of confidentiality.

Disclosures to protect the patient or others

27. Disclosure of personal information without consent may be justified in the public interest where failure to do so may expose the patient or others to risk of death or serious harm. Where the patient or others are exposed to a risk so serious that it outweighs the patient’s privacy interest, you should seek consent to disclosure where practicable. If it is not practicable to seek consent, you should disclose information promptly to an appropriate person or authority. You should generally inform the patient before disclosing the information. If you seek consent and the patient withholds it you should consider the reasons for this, if any are provided by the patient. If you remain of the view that disclosure is necessary to protect a third party from death or serious harm, you should disclose information promptly to an appropriate person or authority. Such situations arise, for example, where a disclosure may assist in the prevention, detection or prosecution of a serious crime, especially crimes against the person, such as abuse of children.

Children and other patients who may lack competence to give consent

Disclosures in relation to the treatment sought by children or others who lack capacity to give consent

28. Problems may arise if you consider that a patient lacks capacity to give consent to treatment or disclosure⁵. If such patients ask you not to disclose information about their condition or treatment to a third party, you should try to persuade them to allow an appropriate person to be involved in the consultation⁶. If they refuse and you are convinced that it is essential, in their medical interests, you may disclose relevant information to an appropriate person or authority. In such cases you should tell the patient before disclosing any information, and where appropriate, seek and carefully consider the views of an advocate or carer. You should document in the patient’s record your discussions with the patient and the reasons for deciding to disclose information.

Disclosures where a patient may be a victim of neglect or abuse

29. If you believe a patient to be a victim of neglect or physical, sexual or emotional abuse and that the patient cannot give or withhold consent to disclosure, you must give information promptly to an appropriate responsible person or statutory agency, where you believe that the disclosure is in the patient’s best interests. If, for any reason, you believe that disclosure of information is not in the best interests of an abused or neglected patient, you should discuss the issues with an experienced colleague. If you decide not to disclose information, you must be prepared to justify your decision.

Disclosure after a patient’s death

30. You still have an obligation to keep personal information confidential after a patient dies. The extent to which confidential information may be disclosed after a patient’s death will depend on the circumstances. If the patient had asked for information to remain confidential, his or her views should be respected. Where you are unaware of any directions from the patient, you should consider requests for information taking into account:

• whether the disclosure of information may cause distress to, or be of benefit to, the patient’s partner or family;
• whether disclosure of information about the patient will in effect disclose information about the patient’s family or other people;
• whether the information is already public knowledge or can be anonymised;
• the purpose of the disclosure.

If you decide to disclose confidential information you must be prepared to explain and justify your decision.

Glossary

This defines the terms used within this document. These definitions have no wider or legal significance.

Footnotes

1 See Good Medical Practice (2001), paragraph 12.

2 You may disclose information to your own legal adviser if this is necessary to prepare a defence against a complaint or potential legal action against you.

3 s35 of the Medical Act 1983 (as amended) gives the GMC power to require doctors to supply any document or information which appears relevant to the discharge of the GMC’s professional conduct, professional performance or fitness to practise functions, provided that the disclosure is not prohibited by other legislation.

4 The Regulations apply in England and Wales only.

5 Guidance on assessing patients’ capacity to make decisions is provided in Seeking Patients’ Consent:The Ethical Considerations.

6 In some cases disclosure will be required for example under some sections of the Mental Health Act 1983, or under the Adults with Incapacity (Scotland) Act 2000.