Confidentiality: good practice in handling patient information

About our Confidentiality guidance

Our core guidance, Good medical practice, makes clear that patients have a right to expect that their personal information will be treated as confidential. This guidance, which forms part of the professional standards, sets out the principles of confidentiality and respect for patients’ privacy that you are expected to understand and follow.

This guidance outlines the framework for considering when to disclose patients’ personal information and then applies that framework to:

  1. disclosures to support the direct care of an individual patient
  2. disclosures for the protection of patients and others
  3. disclosures for all other purposes.

This guidance also sets out the responsibilities of all doctors, physician associates and anaesthesia associates for managing and protecting patient information.

In this guidance, we use the terms ‘you must’ and ‘you should’ in the following ways.

  • ‘You must’ is used for a legal or ethical duty you’re expected to meet (or be able to justify why you didn’t). 
  • ‘You should’ is used for duties or principles that either:
    • may not apply to you or to the situation you’re currently in, or
    • you may not be able to comply with because of factors outside your control.  

The standards of good practice apply to doctors, physician associates and anaesthesia associates (collectively referred to as medical professionals and whom we address directly as ‘you’ throughout the guidance). As with all our professional standards, this guidance applies to all our registrants to the extent it is relevant to the individual’s practice.

The professional standards describe good practice, and not every departure from them will be considered serious. You must use your professional judgement to apply the standards to your day-to-day practice. If you do this, act in good faith and in the interests of patients, you will be able to explain and justify your decisions and actions. We say more about professional judgement, and how the professional standards relate to our fitness to practise processes, appraisals and revalidation, at the beginning of Good medical practice.

If in doubt, you should seek the advice of an experienced colleague, a Caldicott or data guardian [1] or equivalent, a data protection officer, your defence body or professional association, or seek independent legal advice.

[1] Caldicott or data guardians are senior people in the NHS, local authority social care services, and partner organisations, who are responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. Data protection officers have a statutory function under the General Data Protection Regulation to monitor a data controller’s compliance with the GDPR.

Other materials available

Further guidance is available on our website explaining how these principles apply in situations we know can be difficult in practice. At the time of publishing this core guidance, we are also publishing guidance on:

  1. patients’ fitness to drive and reporting concerns to the DVLA or DVA
  2. disclosing information about serious communicable diseases
  3. disclosing information for employment, insurance and similar purposes
  4. disclosing information for education and training purposes
  5. reporting gunshot and knife wounds
  6. responding to criticism in the media.