There is no overarching law that governs the disclosure of confidential information. The common law and other laws that require or permit the disclosure of patient information interact in complex ways and it is not possible to decide whether a use or disclosure of patient information would be lawful by considering any aspect of the law in isolation.
This section sets out some of the key elements of the law that are relevant to the use and disclosure of patient information, but it is not comprehensive. It is also not intended to be a substitute for independent, up-to-date legal advice. If you are unsure about the legal basis for a request for information, you should ask for clarification from the person making the request and, if necessary, seek independent legal advice.
We have also published a more detailed factsheet, Confidentiality: key legislation, which you can find on our confidentiality guidance on our website.
Sources of law on confidentiality, data protection and privacy
The common law
Information acquired by doctors in their professional capacity will generally be confidential under the common law. This duty is derived from a series of court judgments, which have established the principle that information given or obtained in confidence should not be used or disclosed further except in certain circumstances. This means a doctor must not disclose confidential information, unless there is a legal basis for doing so.
It is generally accepted that the common law allows disclosure of confidential information if:
a. the patient consents
b. it is required by law, or in response to a court order
c. it is justified in the public interest.
But the common law cannot be considered in isolation. Even if a disclosure of confidential information is permitted under the common law, the disclosure must still satisfy the requirements of data protection law.
Data protection law (UK)
The General Data Protection Regulation (GDPR), supplemented by the Data Protection Act 2018, regulates the processing of personal data about living individuals in the UK. It sets out the responsibilities of data controllers when processing personal data as well as a number of rights for individuals, including rights of access to their information. The Information Commissioner’s Office (ICO) is the authority responsible for upholding information rights in the UK. Detailed guidance on complying with the data protection law is available on the ICO website: www.ico.org.uk.
The GDPR defines personal data as:
‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’
The GDPR defines a data controller as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Individual doctors can be data controllers in their own right (for example, if they are partners in general practice, or hold data in relation to patients whom they treat privately) but in many cases the data controller will be the doctor’s employer.
The GDPR is based around six data protection principles, and provides a range of rights for individuals. The principles state that personal data must:
- be processed lawfully, fairly and in a transparent manner
- be processed for specified, explicit and legitimate purposes and not in any manner incompatible with those purposes
- be adequate, relevant and limited to what is necessary in relation to the purposes
- be accurate and up to date
- not be kept for longer than is necessary
- be secure
The first principle of the GDPR states that data must be processed lawfully and fairly. This means:
- patients’ information must not be processed in a way that breaches either statute or common law. For example, if disclosing information would be a breach of the common law duty of confidentiality, it would also be unlawful under the data protection law
- patients’ personal information must be handled in ways that are transparent and in ways they would reasonably expect.
One or more of the conditions for processing in Article 6 (for all personal data) and Article 9 (for special category data’, which includes health data) to the GDPR must also be met for the processing to be fair and lawful.
In all cases where personal data is processed, at least one of the conditions set out in Schedule 2 must be met. The conditions most likely to be relevant in medical practice are that:
- the data subject has given consent (Article 6(1)(a))
- the processing is necessary for the performance of a contract (Article 6(1)(b))
- the processing is necessary because of a legal obligation that applies to the data controller (except an obligation imposed by a contract) (Article 6(1)(c))
- the processing is necessary to protect the vital interests of the data subject (Article 6(1)(d))
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (Article 6 (1)(e))
- the processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party (Article 6 (1)(f)).
Where special category data are being used, at least one of the conditions in Article 9 must also be met. Information on a patient’s health record is likely to be special category data for the purposes of the GDPR. The conditions most likely to be relevant in medical practice are that:
- the data subject has given explicit consent (Article 9(2)(a))
- the processing is necessary to protect the vital interests of the data subject or another person in a case where the data subject is physically or legally incapable of giving consent (Article 9(2)(c))
- the processing is necessary for reasons of substantial public interest Article 9(2)(g))
- the processing is necessary for medical purposes where the processing is undertaken by a health professional or someone else who owes an equivalent duty of confidentiality (Article 9 (2)(h))
- the processing is necessary for reasons of public interest in the area of public health (Article 9(2)(i))
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 9(2)(j)).
The Data Protection Act 2018 sets out more specific requirements which must also be met when a data controller is relying on the public interest and health conditions in Article 9. In some circumstances a data controller is required under the Data Protection Act 2018 to produce an ‘appropriate policy document’ which sets out the compliance measures in place to protect the data. This requirement does not apply if the disclosure of sensitive personal data uses the health-related conditions for processing, but it does apply if an employment related condition is relied on. The interactions between the GDPR and Data Protection Act 2018 are complex and data controllers should seek specialist advice where appropriate.
Consent under the GDPR
The standard of consent under the GDPR is higher than under the common law of confidentiality. The GDPR defines consent as:
‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
The GDPR also sets out a number of other conditions for consent.
- The controller must be able to demonstrate that the data subject has consented to the processing of personal data.
- Consent can be withdrawn at any time (this doesn’t affect lawfulness of processing before withdrawal). Prior to giving consent, data subjects must be informed of their right to withdraw. It must be as easy to withdraw consent as to give it.
- Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
It will not always be appropriate for data controllers to rely on consent under GDPR as a condition for processing health data. For example, implied consent is an accepted concept under the law of confidentiality, but it is unlikely to be a sufficient basis for sharing personal data based on consent under Article 6(1)(a) of the GDPR, and will not be sufficient for sharing ‘special category data’ based on explicit consent under Article 9(2)(a) of the GDPR. However, the GDPR does provide alternative conditions for processing data which are likely to be more appropriate in a health context.
This means that a doctor who is a data controller may be relying on different legal justifications for disclosing information under the common law duty of confidence and under the GDPR. It also means that doctors can continue to share information on the basis of implied consent if the conditions set out in paragraphs 28 and 29 (for direct care) and 96 (for local clinical audit) of this guidance are met.
Other requirements imposed by the GDPR
The GDPR imposes a number of other requirements on data controllers, and confers various rights on data subjects. A full summary of the GDPR is outside the scope of this guidance, but detailed guidance is provided by the Information Commissioner's Office.
Human Rights Act 1998 UK
The Human Rights Act 1998 incorporates the European Convention on Human Rights (ECHR) into UK law. A person’s right to have their privacy respected is protected by Article 8 of the ECHR. This right is not absolute, and may be interfered with where the law permits and where it is ‘necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.’
Any interference with a person’s right to privacy must be a necessary and proportionate response to the situation. This means there must be a fair balancing of competing interests. These include:
- the potential damage caused to the individual whose privacy will be breached
- society’s interest in the provision of a confidential health service
- the public interest that will be achieved through breaching the individual’s privacy.
Relevant factors to take into account when considering a disclosure in the public interest are given in paragraphs 63 - 70, and 106 - 112 of this guidance.
Other ECHR rights that may be relevant to considerations about whether disclosing a patient’s personal information is necessary and proportionate include Article 2 (which protects the right to life), Article 3 (which prohibits torture or inhumane or degrading treatment or punishment) and potentially others. Such considerations are complex and you should seek legal advice if necessary.
Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23
If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.
Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.
Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25 or poses a serious risk to others through being unfit for work.26
When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:
- the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
- the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
- the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
- the potential benefits to an individual or to society arising from the release of the information
- the nature of the information to be disclosed, and any views expressed by the patient
- whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.
If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.
If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority. You should inform the patient before disclosing the information, if it is practicable and safe to do so, even if you intend to disclose without their consent.
Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.
You must document in the patient’s record your reasons for disclosing information with or without consent. You must also document any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.
In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.
You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103 - 105, and the disclosure is not permitted, or has not been approved, under those regulations.
If the regulations described in paragraphs 103 - 105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.41
Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.42
When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:
- the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
- the disclosure is the minimum necessary for the purpose
- the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
- information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.
If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63 - 70).
You must keep a record of what information you disclosed, your reasons, and any advice you sought.
Freedom of Information Acts across the UK
The Freedom of Information Act 2000 (England, Northern Ireland and Wales) and Freedom of Information (Scotland) Act 2002 give public access to information held by public authorities. Public authorities include government departments, local authorities, the NHS, state schools and police forces. The Acts do not give people access to their own personal information such as their health records. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 1998. You can find guidance about the Freedom of Information Act 2000 on the ICO website. Guidance about the Freedom of Information (Scotland) Act 2002 is available on the website of the Scottish Information Commissioner.
Computer Misuse Act 1990 UK
It is an offence under this Act to gain unauthorised access to computer material. This would include using another person’s ID and password without authority to use, alter or delete data.
Regulation of healthcare providers and professionals
Various bodies regulating healthcare providers and professionals have legal powers to require information to be disclosed, including personal information about patients. The following sets out only a selection of these bodies, and gives a summary of their most relevant powers and refers to the codes of practice they publish about how they use their powers.
The Care Quality Commission (CQC) in England has powers of inspection and entry and to require documents and information under the Health and Social Care Act 2008. Sections 76 to 79 govern the CQC’s use and disclosure of confidential personal information. Section 80 requires it to consult on and publish a code of practice on how it obtains, handles, uses and discloses confidential personal information. You can find the code of practice on the CQC’s website.
Healthcare Inspectorate Wales has powers under the Health and Social Care (Community Health and Standards) Act 2003 to access a patient’s personal information.
Healthcare Improvement Scotland has similar powers in relation to registered independent healthcare providers under the Public Services Reform (Scotland) Act 2010.
The Regulation and Quality Improvement Authority in Northern Ireland has powers under sections 41 and 42 of the Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003 to enter establishments, agencies and health and social services bodies or providers’ premises and inspect and take copies of records, subject to the protection of confidential information provided for in section 43.
The NHS Counter Fraud Authority has powers under the National Health Service Act 2006 and the National Health Service (Wales) Act 2006 to require the production of documents to prevent, detect and prosecute fraud in the NHS. The Department of Health (England) and the Welsh Assembly Government have published codes of practice for the use of these powers. There are no comparable specific powers to require the production of documents for these purposes in Scotland or Northern Ireland.
The General Medical Council has powers under section 35A of the Medical Act 1983 (as amended) to require disclosure of information and documentation relevant to the discharge of our fitness to practise functions, provided such disclosure is not prohibited by other laws. Other professional regulators have similar powers. For example, the Nursing and Midwifery Council has powers to require disclosure of patient information for the purpose of carrying out its fitness to practise functions in some circumstances under section 25 of the Nursing and Midwifery Order 2001.
The Parliamentary and Health Service Ombudsman, the Northern Ireland Public Services Ombudsman, the Public Services Ombudsman for Wales and the Scottish Public Services Ombudsman have legal powers similar to the High Court or Court of Session to require the production of documents and the attendance and examination of witnesses for the purposes of investigations about the health bodies that fall within their remits.
Laws on disclosure for health and social care purposes
Health and Social Care Act 2012 (England)
Section 259 gives the Health and Social Care Information Centre (known as NHS Digital) the power to require providers of health and social care in England to send it confidential data in limited circumstances, including when directed to do so by the UK Secretary of State for Health or NHS England. Patient consent is not needed, but patient objections will be handled in line with the pledges set out in the NHS Constitution for England and directions given to NHS Digital by the Secretary of State.
Health and Social Care (Safety and Quality) Act 2015 (England)
This Act places a duty on providers and commissioners of health and social care in England to share information when it is considered likely to facilitate the provision of health or social care to an individual and when it is in the individual’s best interests. The duty will not apply where an individual objects (or would be likely to object), or where the information is connected with the provision of care by ‘an anonymous access provider’ (such as a sexual health service) or where the duty cannot be reasonably complied with for other reasons. The duty does not override duties under the common law or the Data Protection Act 1998. The Information Governance Alliance has published guides to the Health and Social Care (Safety and Quality) Act 2015 on its website.
Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016
This Act requires the Department of Health in Northern Ireland to make regulations that permit or require the processing of confidential information for defined health and social care purposes. The Act allows the common law duty of confidentiality to be set aside where seeking individuals’ consent is not practicable, where it is not possible to use anonymised information and where the committee established under the Act has authorised the processing. The Act does not set aside the Data Protection Act 1998 or the Human Rights Act 1998 and any use of information must continue to comply with the requirements of these two pieces of legislation.
No regulations have yet been made under the Act. Until such regulations are made the Privacy Advisory Committee will continue to advise health and social care bodies about the use of information relating to patients and clients. You can find out more about the committee on its website.
Section 251 of the NHS Act 2006 (England and Wales)
Section 251 of this Act allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. In practice, this means the person responsible for the information can disclose confidential patient information without consent to an applicant without being in breach of the common law duty of confidentiality, as long as the requirements of the regulations are met. The person responsible for the information must still comply with all other relevant legal obligations such as the Data Protection Act 1998 and the Human Rights Act 1998.
The regulations that enable this power are called the Health Service (Control of Patient Information) Regulations 2002. Any references to ‘section 251 support or approval’ actually refer to approval given under the authority of the regulations. These powers can only be used where it is not practical to obtain consent and anonymised information cannot be used, having regard to the cost and available technology. They cannot be used to permit information to be disclosed solely or principally for the direct care of individual patients. The regulations only apply in England and Wales.
The regulations provide different kinds of support.
- Regulation 2 provides specific support for cancer registries to receive and process identifiable data on patients referred for the diagnosis or treatment of cancer for the medical purposes set out in the regulation.
- Regulation 3 provides specific support for identifiable patient information to be disclosed to, and processed by, the persons or bodies listed in paragraph 3 of Regulation 3 when processing is intended to diagnose, control or prevent, or recognise trends in, communicable diseases and other risks to public health.
- Regulation 5 can be used to permit processing for a range of medical purposes, broadly defined to include ‘preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health and social care services’. Any person wishing to obtain support under Regulation 5 will submit an application to the Confidentiality Advisory Group of the Health Research Authority. The Confidentiality Advisory Group will then give advice to the relevant decision maker, which is currently the Health Research Authority for research applications and the Secretary of State for Health for non-research applications.
The Confidentiality Advisory Group will not usually authorise disclosures under Regulation 5 to which the patient has objected. The Health Research Authority may not give an approval unless a research ethics committee has approved the medical research concerned.
You can find more information about section 251 of the NHS Act 2006 and the role of the Confidentiality Advisory Group on the website of the Health Research Authority.
Statutory restrictions on disclosing information about patients
Gender Recognition Act 2004 (UK)
Section 22 of the Act makes it an offence to disclose ‘protected information’ when that information is acquired in an official capacity. ‘Protected information’ is defined as information about a person’s application for gender recognition and a person’s gender history after that person has changed gender under the Act. Section 22 also sets out a series of exceptions where disclosure is considered to be justified. These are further expanded and clarified by The Gender Recognition (Disclosure of Information) (England, Wales and Northern Ireland) Order 2005 and The Gender Recognition (Disclosure of Information) (Scotland) Order 2005.
Human Fertilisation and Embryology Act 1990 (UK)
Section 33A protects the confidentiality of information kept by clinics and the Human Fertilisation and Embryology Authority. Information may be accessed or disclosed only in the specific circumstances set out in the Act. Disclosing information that identifies the patient in other circumstances without the patient’s prior consent is a criminal offence.
The National Health Service (Venereal Diseases) Regulations 1974 (Wales) and the NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000 (England)
These regulations provide that any information capable of identifying an individual who is examined or treated for any sexually transmitted disease, including HIV, shall not be disclosed, other than to a medical practitioner in connection with the treatment of the individual in relation to that disease or for the prevention of the spread of the disease.