Confidentiality: good practice in handling patient information

Disclosing patients' personal information: a framework

When you can disclose personal information

9

Confidentiality is an important ethical and legal duty but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies.

  1. The patient consents, whether implicitly or explicitly for the sake of their own care or for local clinical audit, or explicitly for other purposes (see paragraphs 13 - 15).
  2. The patient has given their explicit consent to disclosure for other purposes (see paragraphs 13 - 15).
  3. The disclosure is of overall benefit4 to a patient who lacks the capacity to consent and the disclosure is made in line with the relevant capacity legislation (see paragraphs 41 - 49).
  4. The disclosure is required by law (see paragraphs 17 - 19), or the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality (see paragraphs 20 - 21).
  5. The disclosure can be justified in the public interest (see paragraphs 22 - 23).

13

Asking for a patient’s consent to disclose information shows respect, and is part of good communication between medical professionals and patients. Under the common law duty of confidentiality, consent may be explicit or implied.6

  1. Explicit (also known as express) consent is given when a patient actively agrees, either orally or in writing, to the use or disclosure of information.
  2. Implied consent refers to circumstances in which it would be reasonable to infer that the patient agrees to the use of the information, even though this has not been directly expressed.

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3. the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).

15

If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

41

You must work on the presumption that every adult patient has the capacity to make decisions about the disclosure of their personal information. You must not assume a patient lacks capacity to make a decision solely because of their age, disability, appearance, behaviour, medical condition (including mental illness), beliefs, apparent inability to communicate, or because they make a decision you disagree with.

42

You must assess a patient’s capacity to make a particular decision at the time it needs to be made, recognising that fluctuations in a patient’s condition may affect their ability to understand, retain or weigh up information, or communicate their wishes.

43

We give detailed advice on assessing a patient’s mental capacity in our guidance Decision making and consent. Practical guidance is also given in the Adults with Incapacity (Scotland) Act 2000 and Mental Capacity Act 2005 codes of practice.14 

44

You may disclose personal information if it is of overall benefit to a patient who lacks the capacity to consent. When making the decision about whether to disclose information about a patient who lacks capacity to consent, you must:

  1. make the care of the patient your first concern
  2. respect the patient’s dignity and privacy
  3. support and encourage the patient to be involved, as far as they want and are able, in decisions about disclosure of their personal information.

45

You must also consider:

  1. whether the patient’s lack of capacity is permanent or temporary and, if temporary, whether the decision to disclose could reasonably wait until they regain capacity
  2. any evidence of the patient’s previously expressed preferences
  3. the views of anyone the patient asks you to consult, or who has legal authority to make a decision on their behalf, or has been appointed to represent them 
  4. the views of people close to the patient on the patient’s preferences, feelings, beliefs and values, and whether they consider the proposed disclosure to be of overall benefit to the patient
  5. what you and the rest of the healthcare team know about the patient’s wishes, feelings, beliefs and values.

46

You might need to share personal information with a patient’s relatives, friends or carers to enable you to assess the overall benefit to the patient. But that does not mean they have a general right of access to the patient’s records or to be given irrelevant information about, for example, the patient’s past healthcare.

47

You must share relevant information with anyone who is authorised to make health and welfare decisions on behalf of, or who is appointed to support and represent, a patient who lacks capacity to give consent. This might be a welfare attorney, a court-appointed deputy or guardian, or an independent mental capacity advocate. You should also share information with independent mental health advocates in some circumstances.15 

48

If a patient asks you not to disclose personal information about their condition or treatment, and you believe they lack capacity to make that decision, you should try to persuade them to allow an appropriate person to be given relevant information about their care. In some cases, disclosing information will be required or necessary, for example under the provisions of mental health and mental capacity laws (see paragraph 47).

49

If the patient still does not want you to disclose information, but you consider that it would be of overall benefit to the patient and you believe they lack capacity to make that decision, you may disclose relevant information to an appropriate person or authority. In such cases, you should tell the patient before disclosing the information and, if appropriate, seek and carefully consider the views of an advocate or carer. You must document in the patient’s records your discussions and the reasons for deciding to disclose the information.14 

17

You must disclose information if it is required by statute, or if you are ordered to do so by a judge or presiding officer of a court (see paragraphs 87 - 94).

18

You should satisfy yourself that the disclosure is required by law and you should only disclose information that is relevant to the request. Wherever practicable, you should tell patients about such disclosures, unless that would undermine the purpose, for example by prejudicing the prevention, detection or prosecution of serious crime.

19

Laws and regulations sometimes permit, but do not require, the disclosure of personal information.8 If a disclosure is permitted but not required by law, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

20

You may disclose personal information without consent if the disclosure is permitted or has been approved under section 251 of the National Health Service Act 2006 (which applies in England and Wales) or the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016. These pieces of law allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymised information and where seeking consent is not practicable. There is no comparable legal framework in Scotland.

21

If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not usually disclose the information unless it is required under the regulations. You can find more guidance on disclosures with specific statutory support in paragraphs 103 - 105.

22

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information if the benefits to an individual or society outweigh both the public and the patient’s interest in keeping the information confidential. For example, disclosure may be justified to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime. You can find guidance on disclosing information in the public interest to prevent death or serious harm in paragraphs 63 - 70.

23

There may also be circumstances in which disclosing personal information without consent is justified in the public interest for important public benefits, other than to prevent death or serious harm, if there is no reasonably practicable alternative to using personal information. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure. You can find further guidance in paragraphs 106 - 112.

4

We use the term ‘overall benefit’ to describe the ethical basis on which decisions are made about treatment and care for adult patients who lack capacity to decide. Our guidance on overall benefit is consistent with the legal requirement to consider whether treatment ‘benefits’ a patient (as the term is used in the Adults with Incapacity (Scotland) Act 2000), or is in the patient’s ‘best interests’ (as the term is used in the Mental Capacity Act 2005 in England and Wales, and in the common law in Northern Ireland). The use of the term is also consistent with the legal requirement to apply the other principles set out in the Mental Capacity Act 2005 and Adults with Incapacity (Scotland) Act 2000.

10

When disclosing information about a patient you must:

  1. use anonymised information if it is practicable to do so and if it will serve the purpose
  2. be satisfied the patient:
    1. has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
    2. has not objected
  3. get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  4. keep disclosures to the minimum necessary for the purpose
  5. follow all relevant legal requirements, including the common law and data protection law.5

5

Medical professionals working in a managed environment will do this largely by understanding and following this guidance and corporate information governance and confidentiality policies. If you are a data controller, you are personally responsible for understanding and meeting your responsibilities under the data protection law. See the legal annex to this guidance for more information.

11

When you are satisfied that information should be disclosed, you should act promptly to disclose all relevant information. You should keep a record of your decision and actions.

12

You should tell patients about disclosures you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure – for example, by prejudicing the prevention, detection or prosecution of serious crime.

Disclosures required or permitted by law

87

There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.

88

You must disclose information if it is required by law. You should:

  1. satisfy yourself that personal information is needed, and the disclosure is required by law
  2. only disclose information relevant to the request, and only in the way required by the law
  3. tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
  4. abide by patient objections where there is provision to do so.32

89

You can find advice about disclosures that are permitted but not required by law in paragraph 19.

90

The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.

91

You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.

92

If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.

93

You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.

94

In Scotland, under the process of precognition disclosure, if you receive a precognition request, in some cases you will have a legal duty to share information, and in other cases disclosure would be voluntary and subject to the guidance at paragraph 9.33 

8

An example is the Crime and Disorder Act 1998. Section 115 permits disclosure to organisations such as the police, local authorities, or probation services but does not create a legal obligation to do so.

Disclosures in the public interest

63

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23 

64

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.

65

Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.

66

Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25 or poses a serious risk to others through being unfit for work.26

68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in medical professionals generally – for example, if it is widely perceived that doctors, physician associates or anaesthesia associates will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

70

Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.

69

You must document in the patient’s record your reasons for disclosing information with or without consent. You must also document any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.

106

In exceptional circumstances, there may be an overriding public interest in disclosing personal information without consent for important health and social care purposes if there is no reasonably practicable alternative to using personal information and it is not practicable to seek consent. The benefits to society arising from the disclosure must outweigh the patient’s and public interest in keeping the information confidential.

107

You should not disclose personal information without consent in the public interest if the disclosure falls within the scope of any of the regulations described in paragraphs 103 - 105, and the disclosure is not permitted, or has not been approved, under those regulations.

108

If the regulations described in paragraphs 103 - 105 do not apply, you may need to make your own decision about whether disclosure of personal information without consent is justified. The circumstances in which the public interest would justify such disclosures are uncertain, however, so you should seek the advice of a Caldicott or data guardian or a legal adviser who is not directly connected with the use for which the disclosure is being considered before making the disclosure.41 

109

Before considering whether disclosing personal information without consent may be justified in the public interest, you must satisfy yourself that it is either necessary to use identifiable information or not reasonably practicable to anonymise the information. In either case, you must be satisfied that it is not reasonably practicable to seek consent.42 

110

When considering whether disclosing personal information without consent may be justified in the public interest, you must take account of the factors set out in paragraph 67. You must also be satisfied that:

  1. the disclosure would comply with the requirements of data protection law and would not breach any other legislation that prevents the disclosure of information about patients (see the legal annex for examples)
  2. the disclosure is the minimum necessary for the purpose
  3. the information will be processed in a secure and controlled environment that has the capabilities and is otherwise suitable to process the information (see paragraph 86)
  4. information is readily available to patients about any data that has been disclosed without consent, who it has been disclosed to, and the purpose of the disclosure.

111

If you know that a patient has objected to information being disclosed for purposes other than their own care, you should not disclose information in the public interest unless failure to do so would leave others at risk of death or serious harm (see paragraphs 63 - 70).

112

You must keep a record of what information you disclosed, your reasons, and any advice you sought.

Disclosures prohibited by law

24

Health professionals are required by certain laws to restrict the disclosure of some types of information. You can find examples of disclosures prohibited by law in the legal annex.

Data protection law

25

This guidance focuses on medical professionals’ ethical and legal duties of confidentiality. But the processing of personal data must also satisfy the requirements of data protection law, which imposes various duties on data controllers. Individual professionals can be data controllers in their own right (for instance if they are partners in general practice, or hold data about patients whom they treat privately), but in many cases the data controller will be the medical professional’s employer. This guidance aims to be consistent with data protection law, but it is not guidance on the law. You can however find an overview of data protection law and its relationship with the common law duty of confidence in the legal annex.
