Managing and protecting personal information
Improper access and disclosure
Health and care records can include a wide range of material, including but not limited to:
- handwritten notes
- electronic records
- correspondence between health professionals
- visual and audio recordings
- laboratory reports
- communications with patients (including texts and emails).
Many improper disclosures of patient information are unintentional. Conversations in reception areas, at a patient’s bedside and in public places may be overheard. Notes and records may be seen by other patients, unauthorised staff, or the public if they are not managed securely. Patient details can be lost if handover lists are misplaced, or when patient notes are in transit.
You must make sure any personal information about patients that you hold or control is effectively protected at all times against improper access, disclosure or loss. You should not leave patients’ records, or other notes you make about patients, either on paper or on screen, unattended. You should not share passwords.
You must not access a patient’s personal information unless you have a legitimate reason to view it.
You should not share personal information about patients where you can be overheard, for example in a public place or in an internet chat forum.46 While there are some practice environments in which it may be difficult to avoid conversations with (or about) patients being overheard by others, you should try to minimise breaches of confidentiality and privacy as far as it is possible to do so.
Knowledge of information governance and raising concerns
You must develop and maintain an understanding of information governance that is appropriate to your role.
You should be satisfied that any members of staff you manage are trained and understand their information governance responsibilities. If you are responsible for employment contracts, you must make sure they contain obligations to protect confidentiality and to process information in line with data protection law.
Unless you have a role in commissioning or managing systems, you are not expected to assess the security standards of large-scale computer systems provided for your use in the NHS or in other managed healthcare environments. If, however, you are concerned about the security of personal information in premises or systems provided for your use, or the adequacy of staff training on information governance, you should follow our advice in Raising and acting on concerns about patient safety.47
Raising and acting on concerns about patient safety (General Medical Council, 2012). See endnote 46 for the web address.
Processing information in line with the data protection law
The General Data Protection Regulation read with the Data Protection Act 2018 sets out the responsibilities of data controllers48 when processing personal data, as well as a number of rights for individuals (known as data subjects). Detailed guidance is available on the website of the Information Commissioner’s Office (ICO).49 You can find a summary of the data protection principles in the legal annex to this guidance.
The GDPR defines a ‘data controller’ as: ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Key definitions of terms in the General Data Protection Regulation are available on the website of the Information Commissioner’s Office.
If you are a data controller, you must understand and meet your obligations under data protection law. This includes responsibilities to make sure patients’ personal information that you hold is handled in ways that are transparent and in ways that patients would reasonably expect, and appropriate technical and organisational measures are in place to guard against data loss. You must also make sure information is readily available to patients that explains how their information is processed, including:
- who has access to information you hold that might identify them and for what purposes
- their options for restricting access to some or all of their records
- their rights to complain about how their information is processed, and how to make a complaint.
When deciding how to provide this information, you should take into account the ICO’s guidance on fair processing or privacy notices.50
This is contained in the Guide to data protection; see endnote 49.
Whether or not you are a data controller, you must be familiar with, and follow, the confidentiality, data protection and record management policies and procedures where you work and know where to get advice on these issues. This includes policies on the use of laptops and mobile devices.
Records management and retention
If you are responsible for managing patient records or other patient information, you must make sure the records you are responsible for are made, stored, transferred, protected and disposed of in line with data protection law and other relevant laws. You should make use of professional expertise when selecting and developing systems to record, access and send electronic data.51
The Information Commissioner’s Office publishes technical guidance. NHS Digital formerly known as Health and Social Care Information Centre in England publishes good practice guidelines on technology-specific areas of information security and information governance. It also publishes the Information Governance Toolkit for NHS organisations, which is an online system that allows NHS organisations and partners to assess themselves against Department of Health Information Governance policies and standards. In Scotland, guidance and information governance standards are collected on the Knowledge Network. In Wales, organisations are expected to use the online Caldicott-Principles Into Practice (C-PIP) assessment to measure their compliance with components of information security. GPs can check their compliance using the Welsh GMP Toolkit.
You must make sure any other records you are responsible for, including financial, management or human resources records, or records relating to complaints, are kept securely and are clear, accurate and up to date.52 You should make sure administrative information, such as names and addresses, can be accessed separately from clinical information so that sensitive information is not displayed automatically.
You can find guidance on the retention and destruction of these kinds of records in Information Management Policy – Retention and Destruction (Department of Health, July 2015).
The UK health departments publish guidance on how long health records should be kept and how they should be disposed of. You should follow the guidance, even if you do not work in the NHS.53
Schedules of minimum retention periods for different types of records are given in The Records Management Code of Practice 2021: A guide to the management of health and care records (NHSX, 2021); Records Management: NHS Code of Practice (Scotland)(Scottish Government, 2008); Welsh Health Circular (2000) 71: For The Record (The National Assembly for Wales, 2000) and Good Management, Good Records (Department of Health, Social Services and Public Safety, 2005). You should also consider any legal requirement of specialty-specific guidance that affects the period for which you should keep records. You should not keep records for longer than necessary.
The rights of patients to access their own records
Patients have a right to access their own health records, subject to certain safeguards.54 You should respect, and help patients to exercise, their legal rights to have access to, or copies of, their health records. The ICO gives guidance on what fees you may charge.
Article 15 of the General Data Protection Regulation gives patients the right to access their personal information, although exemptions apply in certain circumstances. Most exemptions are contained in the Data Protection Act 2018. For example, an exemption applies if providing subject access to information about an individual’s physical or mental health or condition would be likely to cause serious harm to them or to another person’s physical or mental health or condition. You also do not have to supply a patient with information about another person or that identifies another person as the source of the information, unless that other person consents or it is reasonable in the circumstances to supply the information without their consent. See the Information Commissioner’s Office technical guidance, Dealing with subject access requests involving other people’s information (Information Commissioner’s Office, 2014).
Communicating with patients
Wherever possible, you should communicate with patients in a format that suits them. For example, electronic communications – such as email or text messaging – can be convenient and can support effective communication between doctors and patients, with appropriate safeguards.55
The Scottish Government and NHS Scotland have published Using email in NHS Scotland: A Good Practice Guide (2014). The Professional Record Standards Body and the Health and Social Care Information Centre have published Faster, better, safer communications: Using email in health and social care (in England) (2015).
Most communication methods pose some risk of interception – for example, messages left on answering machines can be heard by others and emails can be insecure. You should take reasonable steps to make sure the communication methods you use are secure.
Disclosing information after a patient has died
Your duty of confidentiality continues after a patient has died.56
There is an obvious ethical obligation. There may also be a legal obligation: see Lewis v. Secretary of State for Health  EWHC 2196. Section 38 of the Freedom of Information (Scotland) Act 2002 includes a deceased person’s medical records within the definition of personal information, which is exempt from the general entitlement to information.
There are circumstances in which you must disclose relevant information about a patient who has died. For example:
- when disclosure is required by law
- to help a coroner, procurator fiscal or other similar officer with an inquest or fatal accident inquiry57
- on death certificates, which you must complete honestly and fully
- when a person has a right of access to records under the Access to Health Records Act 1990 or the Access to Health Records (Northern Ireland) Order 1993, unless an exemption applies
- when disclosure is necessary to meet a statutory duty of candour.58
See paragraph 73 of Good medical practice (General Medical Council, 2013) and paragraph 22 of our explanatory guidance Acting as a witness in legal proceedings (General Medical Council, 2013). You can find all our guidance on professional standards and ethics, available on our website.
See endnote 39 for references to statutory duties of candour.
In other circumstances, whether and what personal information may be disclosed after a patient’s death will depend on the facts of the case. If the patient had asked for information to remain confidential, you should usually abide by their wishes. If you are unaware of any instructions from the patient, when you are considering requests for information you should take into account:
- whether disclosing information is likely to cause distress to, or be of benefit to, the patient’s partner or family59
- whether the disclosure will also disclose information about the patient’s family or anyone else
- whether the information is already public knowledge or can be anonymised or de-identified
- the purpose of the disclosure.
The permission of a surviving relative or next of kin is not required for, and does not authorise, disclosure of confidential information, although the views of those who were close to the patient may help you decide if disclosure is appropriate.
Circumstances in which you should usually disclose relevant information about a patient who has died include:
- the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality, unless you know the patient has objected (see paragraphs 103 - 105)
- when disclosure is justified in the public interest to protect others from a risk of death or serious harm
- for public health surveillance, in which case the information should be anonymised, unless that would defeat the purpose
- when a parent asks for information about the circumstances and causes of a child’s death
- when someone close to an adult patient asks for information about the circumstances of that patient’s death, and you have no reason to believe the patient would have objected to such a disclosure
- when disclosure is necessary to meet a professional duty of candour (see paragraphs 100 - 101)
- when it is necessary to support the reporting or investigation of adverse incidents, or complaints, for local clinical audit, or for clinical outcome review programmes.60
In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.
Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.
You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.40
All doctors have a duty of candour – a professional responsibility to be honest with patients when things go wrong. As part of this duty, doctors must tell the patient when something has gone wrong, and explain the short- and long-term effects of what has happened.38
If the patient has died, or is unlikely to regain consciousness or capacity, it may be appropriate to speak to those close to the patient. When providing information for these purposes, you should still respect the patient’s confidentiality. If a patient has previously asked you not to share personal information about their condition or treatment with those close to them, you should abide by their wishes. You must still do your best to be considerate, sensitive and responsive to those close to the patient, giving them as much information as you can.
See endnote 36 for a description of clinical outcome review programmes.
Archived records relating to deceased patients remain subject to a duty of confidentiality, although the potential for disclosing information about, or causing distress to, surviving relatives or damaging the public’s trust will diminish over time.61
You should contact your organisation’s approved place of deposit or The National Archives, the Public Record Office of Northern Ireland or the National Archives of Scotland for further advice about storage of, and access to, archives of records of ongoing research or historical value. Health records of deceased patients are exempt from the Freedom of Information (Scotland) Act 2002.