Confidentiality: good practice in handling patient information

About our Confidentiality guidance

Our core guidance for doctors, Good medical practice, makes clear that patients have a right to expect that their personal information will be held in confidence by their doctors. This guidance sets out the principles of confidentiality and respect for patients’ privacy that you are expected to understand and follow.

This guidance outlines the framework for considering when to disclose patients’ personal information and then applies that framework to:

  1. disclosures to support the direct care of an individual patient
  2. disclosures for the protection of patients and others
  3. disclosures for all other purposes.

This guidance also sets out the responsibilities of all doctors for managing and protecting patient information.

In this guidance, we use the terms ‘you must’ and ‘you should’ in the following ways.

  1. ‘You must’ is used for an overriding duty or principle.
  2. ‘You should’ is used when we are providing an explanation of how you will meet the overriding duty.
  3. ‘You should’ is also used where the duty or principle will not apply in all situations or circumstances, or where there are factors outside your control that affect whether or how you can follow the guidance.

You must use your judgement to apply the principles in this guidance to the situations you face as a doctor, whether or not you hold a licence to practise and whether or not you routinely see patients. If in doubt, you should seek the advice of an experienced colleague, a Caldicott or data guardian¹ or equivalent, a data protection officer, your defence body or professional association, or seek independent legal advice.

You must be prepared to explain and justify your decisions and actions. Only serious or persistent failure to follow our guidance that poses a risk to patient safety or public trust in doctors will put your registration at risk.

¹ Caldicott or data guardians are senior people in the NHS, local authority social care services, and partner organisations, who are responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. Data protection officers have a statutory function under the General Data Protection Regulation to monitor a data controller’s compliance with the GDPR.

Other materials available

Further explanatory guidance is available on our website explaining how these principles apply in situations doctors often encounter or find hard to deal with. At the time of publishing this core guidance, we are also publishing explanatory guidance on:

  1. patients’ fitness to drive and reporting concerns to the DVLA or DVA
  2. disclosing information about serious communicable diseases
  3. disclosing information for employment, insurance and similar purposes
  4. disclosing information for education and training purposes
  5. reporting gunshot and knife wounds
  6. responding to criticism in the media.