
Confidentiality: key legislation factsheet

In the legal annex of our guidance Confidentiality: good practice in handling patient information, we set out some of the key elements of the law that are relevant to the use and disclosure of patient information. In this factsheet, we give further details about other laws that require or permit disclosure of confidential information.

This factsheet is not intended to be a substitute for independent, up-to-date legal advice. If you are unsure about the legal basis for a request for information, you should ask for clarification from the person making the request and, if necessary, seek independent legal advice.

Access to patient records and disclosures of reports

Access to Health Records Act 1990 (England, Scotland and Wales) and Access to Health Records (Northern Ireland) Order 1993

These pieces of legislation provide rights of access to a deceased patient’s personal representative and any person who may have a claim arising out of a patient’s death. Where an application is made by a person who may have a claim, access to patient records is limited to information of relevance to the claim.

Access should be limited or refused if there is evidence:

  • that the patient would have expected that the information would not be disclosed to the applicant
  • if disclosure is likely to cause serious harm to anyone else, or
  • if it would also disclose information about a third party (other than a healthcare professional involved in the deceased person’s care) who does not consent.

Access must be refused to records that contain a note, made at the patient’s request, expressing that they did not wish access to be given on an application under the Act.

These Acts only give access to records created on or after the date on which they came into force (1 November 1991 for England, Scotland and Wales; 30 May 1994 for Northern Ireland). Access must also be given to information recorded before these dates if this is necessary to make any later part of the records intelligible.

Access to Medical Reports Act 1988 (England, Scotland and Wales) and Access to Personal Files and Medical Reports (Northern Ireland) Order 1991

These pieces of legislation give patients the right to see medical reports written about them for employment or insurance purposes, by a doctor who is or has been responsible for the patient’s clinical care. Patients have the right to ask the doctor to amend any part of the report that the patient considers to be incorrect or misleading. They also have the right to record their disagreement with the contents of the report in a statement attached to the report, or withdraw their consent for the release of the information.

Adult safeguarding and support

Adult Support and Protection (Scotland) Act 2007

This Act requires health boards in Scotland to report to local authorities if they know or believe that an individual is an ‘adult at risk’ (whether or not they lack capacity to make the decision) and action needs to be taken to protect them. The Act also requires certain public bodies and office-holders to cooperate with local authorities making enquiries about adults at risk and includes powers to examine health records for related purposes.

You can read detailed guidance in the Adult Support and Protection Code of Practice.

Care Act 2014 (England)

This Act requires ‘relevant partners’ to cooperate with local authorities making enquiries about adults at risk unless to do so would be incompatible with their own duties, or would otherwise have an adverse effect on the exercise of their functions. Relevant partners include NHS trusts, foundation trusts and clinical commissioning groups in the local authority’s area. Certain persons or bodies must also give information to a safeguarding adults board, at its request, to enable or assist the board to perform its functions. The explanatory notes to the Act make clear that individual doctors can be asked for information under this provision.

You can read detailed guidance in the Care and Support Statutory Guidance.

Carers (Scotland) Act 2016

This Act places a duty on local authorities to seek and take account of the views of carers when determining a cared-for person’s needs. It also places a duty on health boards to share information with carers about a cared-for person who is being discharged from hospital and to seek and take account of the views of the carers about the discharge. The Act is expected to come into force on 1 April 2018.

Social Services and Well-being (Wales) Act 2014

This Act requires ‘relevant partners’ (which include local health boards and NHS trusts in Wales) to tell local authorities if they have reasonable cause to suspect that an individual is an ‘adult at risk’ (whether or not they lack capacity to make the decision). The Act also requires relevant partners to cooperate with local authorities making enquiries about adults and children at risk. The Act also requires certain persons or bodies to provide information to a safeguarding board (or a specified body) at the safeguarding board’s request, unless they consider that doing so would be incompatible with their own duties or would have an adverse effect on the exercise of their powers or duties.

Mental capacity and mental health legislation

Adults with Incapacity (Scotland) Act 2000 and Mental Capacity Act 2005 (England and Wales)

These pieces of legislation provide for information to be shared with anyone who is authorised to make decisions on behalf of, or who is appointed to support and represent, a patient who lacks capacity. This might be a welfare attorney, a court-appointed deputy or guardian or an independent mental capacity advocate.

You can read detailed guidance in the Adults with Incapacity (Scotland) Act 2000 codes of practice, and in the Mental Capacity Act Code of Practice. The main provisions of the Mental Capacity Act (Northern Ireland) 2016 have not yet come into force.

Mental Health Act 1983, Mental Health (Care and Treatment) (Scotland) Act 2003 and Mental Health (Northern Ireland) Order 1986

These pieces of legislation provide for a number of situations in which confidential information about patients can be disclosed, even if the patient does not consent.

You can find detailed guidance in:

  • the Mental Health Act 1983: Code of Practice
  • the Code of Practice under the Mental Health (Care and Treatment) (Scotland) Act 2003
  • the Guidelines on the use of the Mental Health (Northern Ireland) Order 1986
  • and on the website of the Mental Welfare Commission for Scotland.

Public health and other mandatory notification schemes

The Abortion Regulations 1991 (England and Wales) and The Abortion (Scotland) Regulations 1991

A doctor who has carried out a termination of pregnancy must notify the appropriate chief medical officer of that fact within seven days of the termination. There is no equivalent legislation in Northern Ireland.

The Controlled Drugs (Supervision of Management and Use) Regulations 2013 (England and Scotland); The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (as amended) and The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008

Under these regulations, responsible bodies are required to cooperate with each other in relation to the handling of, and acting on, shared information relating to the management and use of controlled drugs. Responsible bodies include local health boards, NHS trusts and regulatory bodies. As far as possible, information that identifies patients should be removed before disclosure, but it may be necessary for identifiable information to be disclosed in some circumstances, with consent if practicable.

Further guidance is provided by:

  • the UK Department of Health for the regulations in England and Scotland
  • the Department of Health Northern Ireland
  • Healthcare Inspectorate Wales.

The Health Protection (Notification) Regulations 2010 (England), The Public Health (Northern Ireland) Act 1967, part 2 of the Public Health etc. (Scotland) Act 2008 and The Health Protection (Notification) (Wales) Regulations 2010

Registered doctors in each of the UK countries have statutory duties to notify an appropriate person or body of suspected cases of certain infectious diseases. In England, Scotland and Wales, doctors must also notify the appropriate person of cases of any infection or contamination which they believe present, or could present, a significant risk to human health.

Detailed guidance has been published by:

  • Public Health England
  • the Scottish Government
  • the Department of Health in Northern Ireland
  • NHS Wales.

Prevention, detection and prosecution of crime

Crime and Disorder Act 1998 (UK)

Section 115 permits disclosure to organisations such as the police, local authorities and probation services but does not create a legal obligation to do so. Information should only be disclosed if the patient consents, or there is an overriding public interest, or in response to a court order.

Criminal Law Act (Northern Ireland) 1967

Section 5 places a duty on all citizens to report to the police information they may have about the commission of a relevant offence (one with a maximum sentence of five years or more). The duty does not arise where a person has a ‘reasonable excuse’ not to disclose the information.

Road Traffic Act 1988 (England, Scotland and Wales) and Road Traffic (Northern Ireland) Order 1981

In certain circumstances, all citizens (including doctors) must give the police, on request, any information which it is in their power to give that may identify a driver alleged to have committed a traffic offence.

Terrorism Act 2000 (UK)

Under section 38B of this Act, it is a criminal offence for a person to fail to disclose information to the police that they know or believe might be relevant in preventing an act of terrorism or securing the arrest, prosecution or conviction of a person for a terrorist act.