Confidentiality: good practice in handling patient information

The main principles of this guidance


The advice in this guidance is underpinned by the following eight principles.

  1. Use the minimum necessary personal information. Use anonymised information if it is practicable to do so and if it will serve the purpose.
  2. Manage and protect information. Make sure any personal information you hold or control is effectively protected at all times against improper access, disclosure or loss.
  3. Be aware of your responsibilities. Develop and maintain an understanding of information governance that is appropriate to your role.
  4. Comply with the law. Be satisfied that you are handling personal information lawfully.
  5. Share relevant information for direct care in line with the principles in this guidance unless the patient has objected.
  6. Ask for explicit consent to disclose identifiable information about patients for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest.
  7. Tell patients about disclosures of personal information you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure. Keep a record of your decisions to disclose, or not to disclose, information.
  8. Support patients to access their information. Respect, and help patients exercise, their legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.

These principles are aligned with the Caldicott principles for information governance within health and social care.