Using and disclosing patient information for secondary purposes
Many important uses of patient information contribute to the overall delivery of health and social care. Examples include health services management, research, epidemiology, public health surveillance, and education and training. Without information about patients the health and social care system would be unable to plan, develop, innovate, conduct research or be publicly accountable for the services it provides.
There are also important uses of patient information that are not connected to the delivery of health or social care, but which serve wider purposes. These include disclosures for the administration of justice, and for purposes such as financial audit and insurance or benefits claims.
Anonymised information will usually be sufficient for purposes other than the direct care of the patient and you must use it in preference to identifiable information wherever possible. If you disclose identifiable information, you must be satisfied that there is a legal basis for breaching confidentiality.
You may disclose personal information without breaching duties of confidentiality when any of the following circumstances apply.
- The disclosure is required by law, including by the courts (see paragraphs 87 - 94).
- The patient has given explicit consent (see paragraph 95).
- The disclosure is approved through a statutory process that sets aside the common law duty of confidentiality (see paragraphs 103 - 105).
- The disclosure can, exceptionally, be justified in the public interest (see paragraphs 106 - 112).
You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).
In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.
Section 251 of the National Health Service Act 2006 (which applies in England and Wales) and the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. You can find more detail about these statutory arrangements in the legal annex.
You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006 or under the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.40
In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.
You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103 - 105, and the disclosure is not permitted, or has not been approved, under those regulations.
If the regulations described in paragraphs 103 - 105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.41
Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.42
When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:
- the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
- the disclosure is the minimum necessary for the purpose
- the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
- information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.
If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63 - 70).
You must keep a record of what information you disclosed, your reasons, and any advice you sought.
When disclosing information about a patient you must:
- use anonymised information if it is practicable to do so and if it will serve the purpose
- be satisfied the patient:
  - has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
  - has not objected
- get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
- keep disclosures to the minimum necessary for the purpose
- follow all relevant legal requirements, including the common law and data protection law.5
Anonymised information
The Information Commissioner’s Office anonymisation code of practice (ICO code) considers data to be anonymised if it does not itself identify any individual, and if it is unlikely to allow any individual to be identified through its combination with other data.29 Simply removing the patient’s name, age, address or other personal identifiers is unlikely to be enough to anonymise information to this standard.30
You can find the Information Commissioner’s Office (ICO) Anonymisation: managing data protection risk code of practice (2012) on the ICO website.
Other potential identifiers include the patient’s initials, postcode, NHS or CHC number, local identifiers (such as hospital numbers), national insurance number, and key dates (such as birthdate, date of diagnosis or date of death).
The ICO code also makes clear that different types of anonymised data pose different levels of re-identification risk. For example, data sets with small numbers may present a higher risk of re-identification than large data sets. The risk of re-identification will also vary according to the environment in which the information is held. For example, an anonymised data set disclosed into a secure and controlled environment could remain anonymous even though the same data set could not be made publicly available because of the likelihood of individuals being identified.
You should follow the ICO code, or guidance that is consistent with the ICO code, or seek expert advice, if you have a role in anonymising information or disclosing anonymised information.
The process of anonymising information
Information may be anonymised by a member of the direct care team who has the knowledge, skills and experience to carry out the anonymisation competently, or will be adequately supervised.
If it is not practicable for the information to be anonymised within the direct care team, it may be anonymised by a data processor under contract, as long as there is a legal basis for any breach of confidentiality (see paragraph 80), the requirements of data protection law are met (see the legal annex) and appropriate controls are in place to protect the information (see paragraph 86).
Disclosing anonymised information
If you decide to disclose anonymised information, you must be satisfied that appropriate controls are in place to minimise the risk of individual patients being identified. The controls that are needed will depend on the risk of re-identification, and might include signed contracts or agreements that contain controls on how the information will be used, kept and destroyed, as well as restrictions to prevent individuals being identified. You should refer to specialist advice or guidance when assessing risk, or considering what level of control is appropriate.31
See endnote 29 for the reference to ICO guidance.
Disclosures required by statutes or the courts
Disclosure required by statute
There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.
You must disclose information if it is required by law. You should:
- satisfy yourself that personal information is needed, and the disclosure is required by law
- only disclose information relevant to the request, and only in the way required by the law
- tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
- abide by patient objections where there is provision to do so.32
The NHS Constitution for England and NHS Scotland’s The Charter of Patient Rights and Responsibilities both set out the rights of a patient to object to how their information is used. Under data protection law, a data subject has a right to object to processing if it causes unwarranted and substantial damage or distress. For more information, see the Guide to Data Protection on the ICO website.
You can find advice about disclosures that are permitted but not required by law in paragraph 19.
Laws and regulations sometimes permit, but do not require, the disclosure of personal information.8 If a disclosure is permitted but not required by law, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).
Disclosing information to the courts, or to obtain legal advice
The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.
You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.
If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.
You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.
In Scotland, under the process of precognition disclosure, if you receive a precognition request, in some cases you will have a legal duty to share information, and in other cases disclosure would be voluntary and subject to the guidance at paragraph 9.33
Please see our legal factsheet for further information about precognition.
Consent
You should ask for consent to disclose personal information for purposes other than direct care34 or local clinical audit unless the information is required by law, or it is not appropriate or practicable to obtain consent (see paragraph 14 for examples of when this might be the case).
You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.
For example, this might be because:
- the disclosure is required by law (see paragraphs 17 - 19)
- you are satisfied that informed consent has already been obtained by a suitable person7
- the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
- you have reason to believe that seeking consent would put you or others at risk of serious harm
- seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
- action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
- seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
- you have already decided to disclose information in the public interest (see paragraphs 63 - 70).
See endnote 10 for the definition of ‘direct care’ in this guidance. Guidance on sharing information for direct care purposes is given in paragraphs 26–33.
Requests from employers, insurers and other third parties
Third parties, such as a patient’s insurer or employer, or a government department, or an agency assessing a claimant’s entitlement to benefits, may ask you for personal information about a patient, either following an examination or from existing records. In these cases, you should:
- be satisfied that the patient has sufficient information about the scope, purpose and likely consequences of the examination and disclosure, and the fact that relevant information cannot be concealed or withheld
- obtain or have seen written consent to the disclosure from the patient or a person properly authorised to act on the patient’s behalf. You may accept an assurance from an officer of a government department or agency, or a registered health professional acting on their behalf, that the patient or a person properly authorised to act on their behalf has consented
- only disclose factual information you can substantiate, presented in an unbiased manner, which is relevant to the request. You should not usually disclose the whole record,43 although it may be relevant to some benefits paid by government departments and to other assessments of a patient’s entitlement to pensions or other health-related benefits
- offer to show your patient, or give them a copy of, any report you write about them for employment or insurance purposes before it is sent, unless:
  - they have already indicated they do not wish to see it
  - disclosure would be likely to cause serious harm to the patient or anyone else
  - disclosure would be likely to reveal information about another person who does not consent.44, 45
Disclosure of the whole record may breach the principles of data protection law, as the full record may contain information that is excessive and not relevant for the purpose.
If any of the exceptions set out in paragraph 115(d) of this guidance apply, you should still disclose as much of the report as you can. The Department for Work and Pensions publishes advice about reports for benefits purposes.
In some circumstances, patients are entitled to see a report that has been written about them under the provisions of the Access to Medical Reports Act 1988. For more details see the Confidentiality: key legislation factsheet which you can find on our confidentiality guidance page, available on our website.
If a patient refuses or withdraws consent, or if it is not practicable to get their consent, you may still disclose information if it can be justified in the public interest (see paragraphs 63 - 70). You must disclose information if it is required by law (see paragraphs 87 - 94).
Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23
If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.
Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.
Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25 or poses a serious risk to others through being unfit for work.26
When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:
- the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
- the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
- the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
- the potential benefits to an individual or to society arising from the release of the information
- the nature of the information to be disclosed, and any views expressed by the patient
- whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.
If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.
Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.
You must document in the patient’s record your reasons for disclosing information with or without consent. You must also document any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.