Confidentiality: good practice in handling patient information
Caldicott or data guardians are senior people in the NHS, local authority social care services, and partner organisations, who are responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. Data protection officers have a statutory function under the General Data Protection Regulation to monitor a data controller’s compliance with the GDPR.
In this guidance, ‘personal information’ means information from which individuals can be identified either in itself or in combination with other available information. ‘Disclosure’ means the provision or passing of information about a patient to anyone other than the patient, regardless of the purpose. Sharing information within healthcare teams is a form of disclosure, as is providing access to patients’ records.
These principles are aligned with the Caldicott principles for information governance within health and social care.
We use the term ‘overall benefit’ to describe the ethical basis on which decisions are made about treatment and care for adult patients who lack capacity to decide. Our guidance on overall benefit is consistent with the legal requirement to consider whether treatment ‘benefits’ a patient (as the term is used in the Adults with Incapacity (Scotland) Act 2000), or is in the patient’s ‘best interests’ (as the term is used in the Mental Capacity Act 2005 in England and Wales, and in the common law in Northern Ireland). The use of the term is also consistent with the legal requirement to apply the other principles set out in the Mental Capacity Act 2005 and Adults with Incapacity (Scotland) Act 2000.
Doctors working in a managed environment will do this largely by understanding and following this guidance and corporate information governance and confidentiality policies. Doctors who are themselves data controllers are personally responsible for understanding and meeting their responsibilities under the data protection law. See the legal annex to this guidance for more information.
Implied consent is not likely to be sufficient to share personal data under Article 6 of the GDPR and is not sufficient to share ‘special category data’ such as health data under Article 9 of the GDPR. However, other conditions for processing health data are likely to apply. See the legal annex for more detail.
See paragraph 115 of this guidance and our explanatory guidance Delegation and referral (2012). You can find all GMC guidance on professional standards and ethics available on our website.
An example is the Crime and Disorder Act 1998. Section 115 permits disclosure to organisations such as the police, local authorities, or probation services but does not create a legal obligation to do so.
In 2013, the Caldicott principles were updated to include a new principle: ‘the duty to share information can be as important as the duty to protect patient confidentiality.’
In this guidance, ‘direct care’ refers to activities that directly contribute to the diagnosis, care and treatment of an individual. The direct care team is made up of those health and social care professionals who provide direct care to the patient, and others, such as administrative staff, who directly support that care.
In England the Health and Social Care (Safety and Quality) Act 2015 created a duty to share information for direct care except in certain circumstances. See the legal annex to this guidance for more information.
For example, if staff providing treatment may be at risk of serious harm which cannot be managed through the use of universal precautions. See our explanatory guidance Disclosing information about serious communicable diseases. You can find all GMC guidance on professional standards and ethics at www.gmc-uk.org/guidance.
Patients are also entitled to access their health records under the data protection law. See endnote 54.
The main provisions of the Mental Capacity Act (Northern Ireland) 2016 have not yet come into force. The common law duty to act in the best interests of a patient who lacks capacity to consent therefore continues until the Act is commenced.
Independent mental health advocates should also be given the information listed in section 130B of the Mental Health Act 1983. Guidance on the roles of independent mental health advocates is given in the Mental Health Act 1983 Code of Practice 2015.
Protecting children and young people: the responsibilities of all doctors (General Medical Council, 2012). You can find all GMC guidance on professional standards available on our website.
0–18 years: guidance for all doctors (General Medical Council, 2007). You can find all GMC guidance on professional standards and ethics available on our website.
In very exceptional circumstances, disclosure without consent may be justified in the public interest to prevent a serious crime such as murder, manslaughter or serious assault even where no one other than the patient is at risk. This is only likely to be justifiable where there is clear evidence of an imminent risk of serious harm to the individual, and where there are no alternative (and less intrusive) methods of preventing that harm. This is an uncertain area of law and, if practicable, you should seek independent legal advice before making such a disclosure without consent.
The Department of Health in England has published Information sharing and suicide prevention: consensus statement (2014), which is consistent with the principles in this guidance.
Safelives has published guidance on disclosing information to multi-agency risk assessment conferences (MARACs), which are local meetings established to discuss how to help individuals who are at high risk of murder or serious harm. The guidance is available on the Safelives website. Personal information may be disclosed to a MARAC with consent, or if the disclosure can be justified in the public interest (see paragraphs 63–70 in this guidance).
See ‘The duties of a doctor registered with the General Medical Council’ at the front of this guidance.
There is no agreed definition of ‘serious crime’. The Confidentiality: NHS Code of Practice Supplementary Guidance: Public Interest Disclosures (Department of Health, 2003) gives some examples of serious crime. These include crimes that cause serious physical or psychological harm to individuals (such as murder, manslaughter, rape and child abuse), crimes that cause serious harm to the security of the state and public order, and crimes that involve substantial financial gain or loss. It also gives examples of crimes that are not usually serious enough to warrant disclosure without consent, including theft, fraud, and damage to property where the loss or damage is less substantial. NHS Protect has published Not part of the job (NHS Protect, 2012), which gives guidance to NHS staff on reporting assaults and violent incidents at work.
We give specific advice on reporting concerns about patients’ fitness to drive in our explanatory guidance Confidentiality: Patients’ fitness to drive and reporting concerns to the DVLA or DVA. That guidance deals specifically with drivers on the roads, but the same principles apply to drivers and pilots of other kinds of regulated transport, including by rail, water and air. You can find all GMC guidance on professional standards and ethics on our website.
See our explanatory guidance Confidentiality: disclosing information about serious communicable diseases.
See our explanatory guidance Confidentiality: disclosing information for employment, insurance and similar purposes.
You should consider the assessment of risk posed by patients made by other professionals and by groups established for that purpose, but you must make your own assessment and decision as to whether disclosure is justified. Your assessment of risk is a matter of professional judgement in which an offender’s past behaviour will be a factor. The Royal College of Psychiatrists publishes guidance for psychiatrists about sharing information in the context of public protection, including participation in multi-agency public protection arrangements (MAPPA) and panels. You can find this in Good Psychiatric Practice: Confidentiality and Information Sharing (Royal College of Psychiatrists, second edition, 2010).
For more information, see Consent and confidentiality in clinical genetic practice: Guidance on genetic testing and sharing genetic information – A report of the Joint Committee on Medical Genetics (Royal College of Physicians, second edition, 2011).
You can find the Information Commissioner’s Office (ICO) Anonymisation: managing data protection risk code of practice (2012) on the ICO website.
Other potential identifiers include the patient’s initials, postcode, NHS or CHI number, local identifiers (such as hospital numbers), national insurance number, and key dates (such as date of birth, date of diagnosis or date of death).
See endnote 29 for the reference to ICO guidance.
The NHS Constitution for England and NHS Scotland’s The Charter of Patient Rights and Responsibilities both set out the rights of a patient to object to how their information is used. Under data protection law, a data subject has a right to object to processing if it causes unwarranted and substantial damage or distress. For more information, see the Guide to Data Protection on the ICO website.
The Law Society of Scotland gives some guidance for solicitors on precognition in criminal cases, which you can find in the rules and guidance section of its website.
See endnote 10 for the definition of ‘direct care’ in this guidance. Guidance on sharing information for direct care purposes is given in paragraphs 26–33.
In this guidance ‘clinical audit’ means the evaluation of clinical performance against standards or through comparative analysis, to inform the management of services.
See Good medical practice (2013), paragraph 22. Formerly known as national confidential inquiries, clinical outcome review programmes are systematic reviews that are carried out with the aim of supporting changes that can help improve the quality and safety of healthcare delivery. You can find more information on the website of the Healthcare Quality Improvement Partnership. You can find all GMC guidance on professional standards and ethics on our website.
Commissioners have limited rights to request personal information held by general practices for defined purposes, although they should usually respect patients’ objections. See the directions on confidentiality and disclosure of information and the code of practice for the relevant country for more information. Confidentiality and Disclosure of Information (General Medical Services, Personal Medical Services, Alternative Provider Medical Services) Directions 2013 and Code of Practice (Department of Health, 2013); Confidentiality and Disclosure of Information: General Medical Services and Alternative Provider Medical Services Directions (Northern Ireland) 2006 and Code of Practice (Department of Health, Social Services and Public Safety, 2006); Confidentiality and Disclosure of Information: General Medical Services (GMS), Section 17c Agreements, and Health Board Primary Medical Services (HBPMS) Code of Practice and Directions; Confidentiality and Disclosure of Information: General Medical Services and Alternative Provider Medical Services Directions 2006 and Code of Practice (Welsh Assembly Government, 2005).
We give guidance on professional and organisational duties of candour in Openness and honesty when things go wrong: the professional duty of candour (General Medical Council and Nursing and Midwifery Council, 2015). You can find all GMC guidance on professional standards and ethics on our website.
The obligations associated with the statutory duty of candour in England are contained in regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. In Scotland they are contained in section 22 of the Health (Tobacco, Nicotine etc. and Care) (Scotland) Act 2016.
Disclosures permitted under regulations 2 and 3 of the Health Service (Control of Patient Information) Regulations 2002 may, in some circumstances, be required rather than permitted. The Confidentiality Advisory Group of the Health Research Authority will not usually authorise disclosures under regulation 5 to which the patient has objected. See the legal annex to this guidance for more detail on the regulations.
In Scotland, the Public Benefit and Privacy Panel for Health and Social Care scrutinises requests for access to some (but not all) NHS Scotland originated data. You may disclose personal information if the disclosure has been approved by the Public Benefit and Privacy Panel for Health and Social Care.
The Confidentiality Advisory Group (CAG) of the Health Research Authority publishes a range of guidance for CAG applicants, which you may find helpful. It is available at www.hra.nhs.uk.
Disclosure of the whole record may breach the principles of data protection law, as the full record may contain information that is excessive and not relevant for the purpose.
If any of the exceptions set out in paragraph 115(d) of this guidance apply, you should still disclose as much of the report as you can. The Department for Work and Pensions publishes advice about reports for benefits purposes.
In some circumstances, patients are entitled to see a report that has been written about them under the provisions of the Access to Medical Reports Act 1988. For more details see the Confidentiality: key legislation factsheet, which you can find on the confidentiality guidance page of our website.
See also our guidance Doctors’ use of social media (General Medical Council, 2013). You can find all GMC guidance on professional standards and ethics on our website.
Raising and acting on concerns about patient safety (General Medical Council, 2012). You can find all GMC guidance on professional standards and ethics on our website.
The GDPR defines a ‘data controller’ as: ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Key definitions of terms in the General Data Protection Regulation are available on the website of the Information Commissioner’s Office.
The Guide to data protection is available on the website of the Information Commissioner’s Office.
This is contained in the Guide to data protection; see endnote 49.
The Information Commissioner’s Office publishes technical guidance. NHS Digital (formerly the Health and Social Care Information Centre) in England publishes good practice guidelines on technology-specific areas of information security and information governance. It also publishes the Information Governance Toolkit for NHS organisations, an online system that allows NHS organisations and their partners to assess themselves against Department of Health information governance policies and standards. In Scotland, guidance and information governance standards are collected on the Knowledge Network. In Wales, organisations are expected to use the online Caldicott-Principles Into Practice (C-PIP) assessment to measure their compliance with components of information security. GPs can check their compliance using the Welsh GMP Toolkit.
You can find guidance on the retention and destruction of these kinds of records in Information Management Policy – Retention and Destruction (Department of Health, July 2015).
Schedules of minimum retention periods for different types of records are given in The Records Management Code of Practice for Health and Social Care (Information Governance Alliance, 2016); Records Management: NHS Code of Practice (Scotland) (Scottish Government, 2008); Welsh Health Circular (2000) 71: For The Record (The National Assembly for Wales, 2000); and Good Management, Good Records (Department of Health, Social Services and Public Safety, 2005). You should also consider any legal requirement or specialty-specific guidance that affects the period for which you should keep records. You should not keep records for longer than necessary.
Article 15 of the General Data Protection Regulation gives patients the right to access their personal information, although exemptions apply in certain circumstances. Most exemptions are contained in the Data Protection Act 2018. For example, an exemption applies if providing subject access to information about an individual’s physical or mental health or condition would be likely to cause serious harm to them or to another person’s physical or mental health or condition. You also do not have to supply a patient with information about another person or that identifies another person as the source of the information, unless that other person consents or it is reasonable in the circumstances to supply the information without their consent. See the Information Commissioner’s Office technical guidance, Dealing with subject access requests involving other people’s information (Information Commissioner’s Office, 2014).
The Scottish Government and NHS Scotland have published Using email in NHS Scotland: A Good Practice Guide (2014). The Professional Record Standards Body and the Health and Social Care Information Centre have published Faster, better, safer communications: Using email in health and social care (in England) (2015).
There is an obvious ethical obligation. There may also be a legal obligation: see Lewis v. Secretary of State for Health  EWHC 2196. Section 38 of the Freedom of Information (Scotland) Act 2002 includes a deceased person’s medical records within the definition of personal information, which is exempt from the general entitlement to information.
See paragraph 73 of Good medical practice (General Medical Council, 2013) and paragraph 22 of our explanatory guidance Acting as a witness in legal proceedings (General Medical Council, 2013). You can find all our guidance on professional standards and ethics on our website.
See endnote 39 for references to statutory duties of candour.
The permission of a surviving relative or next of kin is not required for, and does not authorise, disclosure of confidential information, although the views of those who were close to the patient may help you decide if disclosure is appropriate.
See endnote 36 for a description of clinical outcome review programmes.
You should contact your organisation’s approved place of deposit or The National Archives, the Public Record Office of Northern Ireland or the National Archives of Scotland for further advice about storage of, and access to, archives of records of ongoing research or historical value. Health records of deceased patients are exempt from the Freedom of Information (Scotland) Act 2002.