Confidentiality: good practice in handling patient information

About our Confidentiality guidance

Our core guidance for doctors, Good medical practice, makes clear that patients have a right to expect that their personal information will be held in confidence by their doctors. This guidance, which forms part of the professional standards, sets out the principles of confidentiality and respect for patients’ privacy that you are expected to understand and follow.

This guidance outlines the framework for considering when to disclose patients’ personal information and then applies that framework to:

  1. disclosures to support the direct care of an individual patient
  2. disclosures for the protection of patients and others
  3. disclosures for all other purposes.

This guidance also sets out the responsibilities of all doctors for managing and protecting patient information.

In this guidance, we use the terms ‘you must’ and ‘you should’ in the following ways.

  • ‘You must’ is used for a legal or ethical duty you’re expected to meet (or be able to justify why you didn’t).
  • ‘You should’ is used for duties or principles that either:
      – may not apply to you or to the situation you’re currently in, or
      – you may not be able to comply with because of factors outside your control.

The professional standards describe good practice, and not every departure from them will be considered serious. You must use your professional judgement to apply the standards to your day-to-day practice. If you do this, act in good faith and in the interests of patients, you will be able to explain and justify your decisions and actions. We say more about professional judgement, and how the professional standards relate to our fitness to practise processes, appraisals and revalidation, at the beginning of Good medical practice.

If in doubt, you should seek the advice of an experienced colleague, a Caldicott or data guardian [1] or equivalent, a data protection officer, your defence body or professional association, or seek independent legal advice.

[1] Caldicott or data guardians are senior people in the NHS, local authority social care services, and partner organisations, who are responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. Data protection officers have a statutory function under the General Data Protection Regulation to monitor a data controller’s compliance with the GDPR.

Other materials available

Further guidance is available on our website explaining how these principles apply in situations doctors often encounter or find hard to deal with. At the time of publishing this core guidance, we are also publishing guidance on:

  1. patients’ fitness to drive and reporting concerns to the DVLA or DVA
  2. disclosing information about serious communicable diseases
  3. disclosing information for employment, insurance and similar purposes
  4. disclosing information for education and training purposes
  5. reporting gunshot and knife wounds
  6. responding to criticism in the media.