Confidentiality: good practice in handling patient information

Ethical and legal duties of confidentiality


Trust is an essential part of the doctor-patient relationship and confidentiality is central to this. Patients may avoid seeking medical help, or may under-report symptoms, if they think their personal information will be disclosed by doctors without consent, or without the chance to have some control over the timing or amount of information shared.


In this guidance, ‘personal information’ means information from which individuals can be identified either in itself or in combination with other available information. ‘Disclosure’ means the provision or passing of information about a patient to anyone other than the patient, regardless of the purpose. Sharing information within healthcare teams is a form of disclosure, as is providing access to patients’ records.


Doctors are under both ethical and legal duties to protect patients’ personal information from improper disclosure. But appropriate information sharing is an essential part of the provision of safe and effective care. Patients may be put at risk if those who are providing their care do not have access to relevant, accurate and up-to-date information about them.


There are also important uses of patient information for purposes other than direct care. Some of these are indirectly related to patient care in that they enable health services to function efficiently and safely. For example, large volumes of patient information are used for purposes such as medical research, service planning and financial audit. Other uses are not directly related to the provision of healthcare but serve wider public interests, such as disclosures for public protection reasons.


Doctors’ roles are continuing to evolve and change. It is likely to be more challenging to make sure there is a legal and ethical basis for using patient information in a complex health and social care environment than in the context of a single doctor-patient relationship.

In this guidance, we aim to support individual doctors to meet their professional responsibilities while working within these complex systems.

Acting within the law


Doctors, like everyone else, must comply with the law when using, accessing or disclosing personal information. The law governing the use and disclosure of personal information is complex, however, and varies across the four countries of the UK.


In the legal annex to this guidance, we summarise some key elements of the relevant law, including the requirements of the common law, data protection law and human rights law. In the main body of the guidance, we give advice on how to apply ethical and legal principles in practice, but we do not refer to specific pieces of law unless it is necessary to do so.


If you are not sure how the law applies in a particular situation, you should consult a Caldicott or data guardian, a data protection officer, your defence body or professional association, or seek independent legal advice.