Confidentiality: good practice in handling patient information



Caldicott or data guardians are senior people in the NHS, local authority social care services, and partner organisations, who are responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. Data protection officers have a statutory function under the General Data Protection Regulation to monitor a data controller’s compliance with the GDPR.


In this guidance, ‘personal information’ means information from which individuals can be identified either in itself or in combination with other available information. ‘Disclosure’ means the provision or passing of information about a patient to anyone other than the patient, regardless of the purpose. Sharing information within healthcare teams is a form of disclosure, as is providing access to patients’ records.


These principles are aligned with the Caldicott principles for information governance within health and social care.


We use the term ‘overall benefit’ to describe the ethical basis on which decisions are made about treatment and care for adult patients who lack capacity to decide. Our guidance on overall benefit is consistent with the legal requirement to consider whether treatment ‘benefits’ a patient (as the term is used in the Adults with Incapacity (Scotland) Act 2000), or is in the patient’s ‘best interests’ (as the term is used in the Mental Capacity Act 2005 in England and Wales, and in the common law in Northern Ireland). The use of the term is also consistent with the legal requirement to apply the other principles set out in the Mental Capacity Act 2005 and Adults with Incapacity (Scotland) Act 2000.


Doctors working in a managed environment will do this largely by understanding and following this guidance and corporate information governance and confidentiality policies. Doctors who are themselves data controllers are personally responsible for understanding and meeting their responsibilities under data protection law. See the legal annex to this guidance for more information.


Implied consent is not likely to be sufficient to share personal data under Article 6 of the GDPR and is not sufficient to share ‘special category data’ such as health data under Article 9 of the GDPR. However, other conditions for processing health data are likely to apply. See the legal annex for more detail.


See paragraph 115 of this guidance and our guidance Delegation and referral (2024). You can find all GMC guidance on professional standards and ethics available on our website.


An example is the Crime and Disorder Act 1998. Section 115 permits disclosure to organisations such as the police, local authorities, or probation services but does not create a legal obligation to do so.


Principle 7 of the Caldicott principles is that: ‘the duty to share information for individual care is as important as the duty to protect patient confidentiality.’


In this guidance, ‘direct care’ refers to activities that directly contribute to the diagnosis, care and treatment of an individual. The direct care team is made up of those health and social care professionals who provide direct care to the patient, and others, such as administrative staff, who directly support that care.


In England the Health and Social Care (Safety and Quality) Act 2015 created a duty to share information for direct care except in certain circumstances. See the legal annex to this guidance for more information.


For example, if staff providing treatment may be at risk of serious harm which cannot be managed through the use of universal precautions. See our guidance Disclosing information about serious communicable diseases. You can find all GMC guidance on professional standards and ethics at


Patients are also entitled to access their health records under data protection law. See endnote 54.


The main provisions of the Mental Capacity Act (Northern Ireland) 2016 have not yet come into force. The common law duty to act in the best interests of a patient who lacks capacity to consent therefore continues until the Act is commenced.


Independent mental health advocates should also be given the information listed in section 130B of the Mental Health Act 1983. Guidance on the roles of independent mental health advocates is given in the Mental Health Act 1983 Code of Practice 2015.


Protecting children and young people: the responsibilities of all doctors (General Medical Council, 2012). You can find all GMC guidance on professional standards available on our website.


0–18 years: guidance for all doctors (General Medical Council, 2007). You can find all GMC guidance on professional standards and ethics available on our website.


The requirements of the relevant Acts – the Adult Support and Protection (Scotland) Act 2007, the Social Services and Well-being (Wales) Act 2014 and the Care Act 2014 – are summarised in the Confidentiality: key legislation factsheet.


In very exceptional circumstances, disclosure without consent may be justified in the public interest to prevent a serious crime such as murder, manslaughter or serious assault even where no one other than the patient is at risk. This is only likely to be justifiable where there is clear evidence of an imminent risk of serious harm to the individual, and where there are no alternative (and less intrusive) methods of preventing that harm. This is an uncertain area of law and, if practicable, you should seek independent legal advice before making such a disclosure without consent.


The Department of Health and Social Care in England has published Information sharing and suicide prevention: consensus statement (2021), which is consistent with the principles in this guidance.


Safelives has published guidance on disclosing information to multi-agency risk assessment conferences (MARACs), which are local meetings established to discuss how to help individuals who are at high risk of murder or serious harm. The guidance is available on the Safelives website. Personal information may be disclosed to a MARAC with consent, or if the disclosure can be justified in the public interest (see paragraphs 63–70 in this guidance).


See ‘The duties of a doctor registered with the General Medical Council’ available only in the pdf/publication versions at the front of the guidance.


There is no agreed definition of ‘serious crime’. The Confidentiality: NHS Code of Practice Supplementary Guidance: Public Interest Disclosures (Department of Health, 2003) gives some examples of serious crime. These include crimes that cause serious physical or psychological harm to individuals (such as murder, manslaughter, rape and child abuse); crimes that cause serious harm to the security of the state and public order; and crimes that involve substantial financial gain or loss. It also gives examples of crimes that are not usually serious enough to warrant disclosure without consent (including theft, fraud, and damage to property where the loss or damage is less substantial).


We give specific advice on reporting concerns about patients’ fitness to drive in our guidance Confidentiality: Patients’ fitness to drive and reporting concerns to the DVLA or DVA. That guidance deals specifically with drivers on the roads, but the same principles apply to drivers and pilots of other kinds of regulated transport, including by rail, water and air. You can find all GMC guidance on professional standards and ethics on our website.


You should consider the assessment of risk posed by patients made by other professionals and by groups established for that purpose, but you must make your own assessment and decision as to whether disclosure is justified. Your assessment of risk is a matter of professional judgement in which an offender’s past behaviour will be a factor. The Royal College of Psychiatrists publishes guidance for psychiatrists about sharing information in the context of public protection, including participation in multi-agency public protection arrangements (MAPPA) and panels. You can find this in Good Psychiatric Practice: Confidentiality and Information Sharing (Royal College of Psychiatrists, third edition, 2017).


For more information, see Consent and confidentiality in clinical genetic practice: Guidance on genetic testing and sharing genetic information – A report of the Joint Committee on Medical Genetics (Royal College of Physicians, second edition, 2011).


You can find the Information Commissioner’s Office (ICO) Anonymisation: managing data protection risk code of practice (2012) on the ICO website.


Other potential identifiers include the patient’s initials, postcode, NHS or CHI number, local identifiers (such as hospital numbers), national insurance number, and key dates (such as birthdate, date of diagnosis or date of death).


See endnote 29 for the reference to ICO guidance.


The NHS Constitution for England and NHS Scotland’s The Charter of Patient Rights and Responsibilities both set out the rights of a patient to object to how their information is used. Under data protection law, a data subject has a right to object to processing if it causes unwarranted and substantial damage or distress. For more information, see the Guide to Data Protection on the ICO website.


Please see our legal factsheet for further information about precognition.


See endnote 10 for the definition of ‘direct care’ in this guidance. Guidance on sharing information for direct care purposes is given in paragraphs 26–33.


In this guidance ‘clinical audit’ means the evaluation of clinical performance against standards or through comparative analysis, to inform the management of services.


See Good medical practice (2024), paragraph 50. Formerly known as national confidential inquiries, clinical outcome review programmes are systematic reviews that are carried out with the aim of supporting changes that can help improve the quality and safety of healthcare delivery. You can find more information on the website of the Healthcare Quality Improvement Partnership. You can find all GMC guidance on professional standards and ethics on our website.


Commissioners have limited rights to request personal information held by general practices for defined purposes, although they should usually respect patients’ objections. See the directions on confidentiality and disclosure of information and the code of practice for the relevant country for more information. Confidentiality and Disclosure of Information (General Medical Services, Personal Medical Services, Alternative Provider Medical Services) Directions 2013 and Code of Practice (Department of Health, 2013); Confidentiality and Disclosure of Information: General Medical Services and Alternative Provider Medical Services Directions (Northern Ireland) 2006 and Code of Practice (Department of Health, Social Services and Public Safety, 2006); Confidentiality and Disclosure of Information: General Medical Services (GMS), Section 17c Agreements, and Health Board Primary Medical Services (HBPMS) Code of Practice and Directions; Confidentiality and Disclosure of Information: General Medical Services and Alternative Provider Medical Services Directions 2006 and Code of Practice (Welsh Assembly Government, 2005).


We give guidance on professional and organisational duties of candour in Openness and honesty when things go wrong: the professional duty of candour (General Medical Council and Nursing and Midwifery Council, 2015). You can find all GMC guidance on professional standards and ethics on our website.


The obligations associated with the statutory duty of candour in England are contained in regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014. In Scotland they are contained in section 22 of the Health (Tobacco, Nicotine etc. and Care) (Scotland) Act 2016. The Health and Social Care (Quality and Engagement) (Wales) Act 2020 places a duty of candour on NHS bodies in Wales.


Disclosures permitted under regulations 2 and 3 of the Health Service (Control of Patient Information) Regulations 2002 may, in some circumstances, be required rather than permitted. The Confidentiality Advisory Group of the Health Research Authority will not usually authorise disclosures under regulation 5 to which the patient has objected. See the legal annex to this guidance for more detail on the regulations.


In Scotland, the Public Benefit and Privacy Panel for Health and Social Care scrutinises requests for access to some (but not all) NHS Scotland originated data. You may disclose personal information if the disclosure has been approved by the Public Benefit and Privacy Panel for Health and Social Care.


The Confidentiality Advisory Group (CAG) of the Health Research Authority publishes a range of guidance for CAG applicants, which you may find helpful. It is available at


Disclosure of the whole record may breach the principles of data protection law, as the full record may contain information that is excessive and not relevant for the purpose.


If any of the exceptions set out in paragraph 115(d) of this guidance apply, you should still disclose as much of the report as you can. The Department for Work and Pensions publishes advice about reports for benefits purposes.


In some circumstances, patients are entitled to see a report that has been written about them under the provisions of the Access to Medical Reports Act 1988. For more details see the Confidentiality: key legislation factsheet which you can find on our confidentiality guidance page, available on our website.


See also our guidance Using social media as a medical professional (General Medical Council, 2024). You can find all GMC guidance on professional standards and ethics on our website.


Raising and acting on concerns about patient safety (General Medical Council, 2012). You can find all GMC guidance on professional standards and ethics on our website.


The GDPR defines a ‘data controller’ as: ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Key definitions of terms in the General Data Protection Regulation are available on the website of the Information Commissioner’s Office.


The Guide to data protection is available on the website of the Information Commissioner’s Office.


This is contained in the Guide to data protection; see endnote 49.

The Information Commissioner’s Office publishes technical guidance. NHS Digital (formerly known as the Health and Social Care Information Centre) in England publishes good practice guidelines on technology-specific areas of information security and information governance. It also publishes the Data Security and Protection Toolkit, which allows NHS organisations to measure and publish their performance against the National Data Guardian’s ten data security standards. In Scotland, guidance and information governance standards are collected on the Knowledge Network. In Wales, organisations are expected to use the Welsh Information Governance Toolkit to measure their compliance against national Information Governance standards and legislation. GPs can check their compliance using the Welsh GMP Toolkit.

You can find guidance on the retention and destruction of these kinds of records in Information Management Policy – Retention and Destruction (Department of Health and Social Care, July 2015).


Schedules of minimum retention periods for different types of records are given in The Records Management Code of Practice 2021: A guide to the management of health and care records (NHSX, 2021); Records Management: Health and Social Care Code of Practice (Scotland) (Scottish Government, 2020); Records Management Code of Practice for Health and Social Care 2022: A Guide to the Management of Health and Care Records (Welsh Government, 2022) and Good Management, Good Records (Department of Health - Northern Ireland, 2017). You should also consider any legal requirement or specialty-specific guidance that affects the period for which you should keep records. You should not keep records for longer than necessary.


Article 15 of the General Data Protection Regulation gives patients the right to access their personal information, although exemptions apply in certain circumstances. Most exemptions are contained in the Data Protection Act 2018. For example, an exemption applies if providing subject access to information about an individual’s physical or mental health or condition would be likely to cause serious harm to them or to another person’s physical or mental health or condition. You also do not have to supply a patient with information about another person or that identifies another person as the source of the information, unless that other person consents or it is reasonable in the circumstances to supply the information without their consent. The Information Commissioner’s Office provides guidance on dealing with subject access requests involving information about other individuals. 


The Scottish Government and NHS Scotland have published Using email in NHS Scotland: A Good Practice Guide (2014). The Professional Record Standards Body and the Health and Social Care Information Centre have published Faster, better, safer communications: Using email in health and social care (in England) (2015).


There is an obvious ethical obligation. There may also be a legal obligation: see Lewis v. Secretary of State for Health [2008] EWHC 2196. Section 38 of the Freedom of Information (Scotland) Act 2002 includes a deceased person’s medical records within the definition of personal information, which is exempt from the general entitlement to information.


See paragraph 98 of Good medical practice (General Medical Council, 2024) and paragraph 32 of our guidance Providing witness statements or expert evidence as part of legal proceedings (General Medical Council, 2024). You can find all our guidance on professional standards and ethics on our website.


See endnote 39 for references to statutory duties of candour.


The permission of a surviving relative or next of kin is not required for, and does not authorise, disclosure of confidential information, although the views of those who were close to the patient may help you decide if disclosure is appropriate.


See endnote 36 for a description of clinical outcome review programmes.


You should contact your organisation’s approved place of deposit or The National Archives, the Public Record Office of Northern Ireland or the National Records of Scotland for further advice about storage of, and access to, archives of records of ongoing research or historical value. Health records of deceased patients are exempt from the Freedom of Information (Scotland) Act 2002.