Confidentiality: good practice in handling patient information

Disclosures for the protection of patients and others

Disclosing information to protect patients

50

All patients have the right to a confidential medical service. Challenging situations can however arise when confidentiality rights must be balanced against duties to protect and promote the health and welfare of patients who may be unable to protect themselves.

Disclosing information about children who may be at risk of harm

51

For specific guidance on confidentiality in the context of child protection, see our guidance Protecting children and young people: the responsibilities of all doctors.16  For general advice on confidentiality when using, accessing or disclosing information about children and young people, see our guidance 0–18 years: guidance for all doctors.17 

16

Protecting children and young people: the responsibilities of all doctors (General Medical Council, 2012). You can find all GMC guidance on professional standards available on our website.

17

0–18 years: guidance for all doctors (General Medical Council, 2007). You can find all GMC guidance on professional standards and ethics available on our website.

Disclosing information about adults who may be at risk of harm

52

As a rule, you should make decisions about how best to support and protect adult patients in partnership with them, and should focus on empowering patients to make decisions in their own interests. You must support and encourage patients to be involved, as far as they want and are able, in decisions about disclosing their personal information.

Legal requirements to disclose information about adults at risk

53

There are various legal requirements to disclose information about adults who are known or considered to be at risk of, or to have suffered, abuse or neglect.18  You must disclose information if it is required by law.

You should:

  1. satisfy yourself that the disclosure is required by law
  2. only disclose information that is relevant to the request, and only in the way required by the law
  3. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so.
18

The requirements of the relevant Acts – the Adult Support and Protection (Scotland) Act 2007, the Social Services and Well-being (Wales) Act 2014 and the Care Act 2014 – are summarised in the Confidentiality: key legislation factsheet.

54

You can find advice about disclosures that are permitted but not required by law in paragraphs 17 - 19.

17

You must disclose information if it is required by statute, or if you are ordered to do so by a judge or presiding officer of a court (see paragraphs 87 - 94).

18

You should satisfy yourself that the disclosure is required by law and you should only disclose information that is relevant to the request. Wherever practicable, you should tell patients about such disclosures, unless that would undermine the purpose, for example by prejudicing the prevention, detection or prosecution of serious crime.

19

Laws and regulations sometimes permit, but do not require, the disclosure of personal information.8  If a disclosure is permitted but not required by law, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

Disclosing information to protect adults who lack capacity

55

You must disclose personal information about an adult who may be at risk of serious harm if it is required by law (see paragraph 53). Even if there is no legal requirement to do so, you must give information promptly to an appropriate responsible person or authority if you believe a patient who lacks capacity to consent is experiencing, or at risk of, neglect or physical, sexual or emotional abuse, or any other kind of serious harm, unless it is not of overall benefit to the patient to do so.

56

If you believe it is not of overall benefit to the patient to disclose their personal information (and it is not required by law), you should discuss the issues with an experienced colleague. If you decide not to disclose information, you must document in the patient’s records your discussions and the reasons for deciding not to disclose. You must be able to justify your decision.

The rights of adults with capacity to make their own decisions

57

As a principle, adults who have capacity are entitled to make decisions in their own interests, even if others consider those decisions to be irrational or unwise. You should usually ask for consent before disclosing personal information about a patient if disclosure is not required by law, and it is practicable to do so. You can find examples of when it might not be practicable to ask for consent in paragraph 14.

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3.  the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).
58

If an adult patient who has capacity to make the decision refuses to consent to information being disclosed that you consider necessary for their protection, you should explore their reasons for this. It may be appropriate to encourage the patient to consent to the disclosure and to warn them of the risks of refusing to consent.

59

You should, however, usually abide by the patient’s refusal to consent to disclosure, even if their decision leaves them (but no one else) at risk of death or serious harm.19, 20  You should do your best to give the patient the information and support they need to make decisions in their own interests – for example, by arranging contact with agencies to support people who experience domestic violence.21  Adults who initially refuse offers of assistance may change their decision over time.

19

In very exceptional circumstances, disclosure without consent may be justified in the public interest to prevent a serious crime such as murder, manslaughter or serious assault even where no one other than the patient is at risk. This is only likely to be justifiable where there is clear evidence of an imminent risk of serious harm to the individual, and where there are no alternative (and less intrusive) methods of preventing that harm. This is an uncertain area of law and, if practicable, you should seek independent legal advice before making such a disclosure without consent.

20

The Department of Health in England has published Information sharing and suicide prevention: consensus statement (2014), which is consistent with the principles in this guidance.

21

Safelives has published guidance on disclosing information to multi-agency risk assessment conferences (MARACs), which are local meetings established to discuss how to help individuals who are at high risk of murder or serious harm. The guidance is available on the Safelives website. Personal information may be disclosed to a MARAC with consent, or if the disclosure can be justified in the public interest (see paragraphs 63–70 in this guidance).

Disclosing information to protect others

60

Doctors owe a duty of confidentiality to their patients, but they also have a wider duty to protect and promote the health of patients and the public.22 

22

See ‘The duties of a doctor registered with the General Medical Council’ at the front of this guidance.

Legal requirements to disclose information for public protection purposes

61

Some laws require disclosure of patient information for purposes such as the notification of infectious diseases and the prevention of terrorism. You must disclose information if it is required by law, including by the courts (see paragraphs 87 - 94).

87

There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.

88

You must disclose information if it is required by law. You should:

  1. satisfy yourself that personal information is needed, and the disclosure is required by law
  2. only disclose information relevant to the request, and only in the way required by the law
  3. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
  4. abide by patient objections where there is provision to do so.32 
89

You can find advice about disclosures that are permitted but not required by law in paragraph 19.

90

The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.

91

You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.

92

If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.

93

You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.

94

In Scotland, the system of precognition means there can be limited disclosure of information in advance of a criminal trial, to both the Crown and defence, without the patient’s explicit consent. You should cooperate with precognition, but the disclosure must be confined solely to the nature of injuries, the patient’s mental state, or pre-existing conditions or health, documented by the examining doctor, and their likely causes. If they want further information, either side may apply to the court to take a precognition on oath. If that happens, you will be given advance warning and you should seek legal advice about what you may disclose.33 

Disclosing information with consent

62

You should ask for a patient’s consent to disclose information for the protection of others unless the information is required by law or it is not safe, appropriate or practicable to do so (see paragraph 14), or the information is required by law. You should consider any reasons given for refusal.

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3.  the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).

Disclosing information in the public interest

63

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23 

23

There is no agreed definition of ‘serious crime’. The Confidentiality: NHS Code of Practice Supplementary Guidance: Public Interest Disclosures (Department of Health, 2003) gives some examples of serious crime. These include crimes that cause serious physical or psychological harm to individuals (such as murder, manslaughter, rape and child abuse); and crimes that cause serious harm to the security of the state and public order; and ‘crimes that involve substantial financial gain or loss’ are also mentioned in the same category. It also gives examples of crimes that are not usually serious enough to warrant disclosure without consent (including theft, fraud, and damage to property where loss or damage is less substantial). NHS Protect has published Not part of the job (NHS Protect, 2012), which gives guidance to NHS staff on reporting assaults and violent incidents at work.

64

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.

65

Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.

66

Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25  or poses a serious risk to others through being unfit for work.26 

24

We give specific advice on reporting concerns about patients’ fitness to drive in our explanatory guidance Confidentiality: Patients’ fitness to drive and reporting concerns to the DVLA or DVA. That guidance deals specifically with drivers on the roads, but the same principles apply to drivers and pilots of other kinds of  regulated transport, including by rail, water and air. You can find all GMC guidance on professional standards and ethics on our website.

67

Before deciding whether disclosure would be justified in the public interest you should consider whether it is practicable or appropriate to seek consent (see paragraph 14). You should not ask for consent if you have already decided to disclose information in the public interest but you should tell the patient about your intention to disclose personal information, unless it is not safe or practicable to do so. If the patient objects to the disclosure you should consider any reasons they give for objecting.

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3.  the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).
68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

69

You must document in the patient’s record your reasons for disclosing information with or without consent.  You must also document  any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.

70

Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.

Responding to requests for information

71

You must consider seriously all requests for relevant information about patients who may pose a risk of serious harm to others. For example, you must participate in procedures set up to protect the public from violent and sex offenders, such as multi-agency public protection arrangements (MAPPA) in England, Wales and Scotland and public protection arrangements in Northern Ireland (PPANI).27  You must also consider seriously all requests for information needed for formal reviews (such as inquests and inquiries, serious or significant case reviews, case management reviews, and domestic homicide reviews) that are established to learn lessons and to improve systems and services.

27

You should consider the assessment of risk posed by patients made by other professionals and by groups established for that purpose, but you must make your own assessment and decision as to whether disclosure is justified. Your assessment of risk is a matter of professional judgement in which an offender’s past behaviour will be a factor. The Royal College of Psychiatrists publishes guidance for psychiatrists about sharing information in the context of public protection, including participation in multi-agency public protection arrangements (MAPPA) and panels. You can find this in Good Psychiatric Practice: Confidentiality and Information Sharing (Royal College of Psychiatrists, second edition, 2010).

72

If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

9

Confidentiality is an important ethical and legal duty but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies.

  1. The patient consents, whether implicitly or explicitly for the sake of their own care or for local clinical audit, or explicitly for other purposes (see paragraphs 13 - 15).
  2. The patient has given their explicit consent to disclosure for other purposes (see paragraphs 13 - 15 ).
  3. The disclosure is of overall benefit4 to a patient who lacks the capacity to consent (see paragraphs 41 - 49).
  4. The disclosure is required by law (see paragraphs 17 - 19), or the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality (see paragraphs 20 - 21).
  5. The disclosure can be justified in the public interest (see paragraphs 22 - 23).
10

When disclosing information about a patient you must:

  1. use anonymised information if it is practicable to do so and if it will serve the purpose
  2. be satisfied the patient:
    1. has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
    2. has not objected
  3. get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  4. keep disclosures to the minimum necessary for the purpose
  5. follow all relevant legal requirements, including the common law and data protection law.5 

Disclosing genetic and other shared information

73

Genetic and some other information about your patient might also be information about others with whom the patient shares genetic or other links. The diagnosis of a patient’s illness might, for example, point to the certainty or likelihood of the same illness in a blood relative.

74

Most patients will readily share information about their own health with their children and other relatives, particularly if they are told it might help those relatives to:

  1. get prophylaxis or other preventative treatments or interventions
  2. make use of increased surveillance or other investigations
  3. prepare for potential health problems.28 
28

For more information, see Consent and confidentiality in clinical genetic practice: Guidance on genetic testing and sharing genetic information – A report of the Joint Committee on Medical Genetics (Royal College of Physicians, second edition, 2011).

75

If a patient refuses to consent to information being disclosed that would benefit others, disclosure might still be justified in the public interest if failure to disclose the information leaves others at risk of death or serious harm (see paragraphs 63 - 70). If a patient refuses consent to disclosure, you will need to balance your duty to make the care of your patient your first concern against your duty to help protect the other person from serious harm.

63

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23 

64

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.

65

Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.

66

Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25  or poses a serious risk to others through being unfit for work.26 

68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

68

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority. You should inform the patient before disclosing the information, if it is practicable and safe to do so, even if you intend to disclose without their consent.

70

Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.

69

You must document in the patient’s record your reasons for disclosing information with or without consent.  You must also document  any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.

76

If practicable, you should not disclose the patient’s identity in contacting and advising others about the risks they face.