Confidentiality: good practice in handling patient information

Disclosures for the protection of patients and others

Disclosing information to protect patients

50

All patients have the right to a confidential medical service. Challenging situations can however arise when confidentiality rights must be balanced against duties to protect and promote the health and welfare of patients who may be unable to protect themselves.

Disclosing information about children who may be at risk of harm

51

For specific guidance on confidentiality in the context of child protection, see our guidance Protecting children and young people.16  For general advice on confidentiality when using, accessing or disclosing information about children and young people, see our guidance 0–18 years.17 

16

Protecting children and young people (General Medical Council, 2012). You can find all GMC guidance on professional standards available on our website.

17

0–18 years (General Medical Council, 2007). You can find all GMC guidance on professional standards and ethics available on our website.

Disclosing information about adults who may be at risk of harm

52

As a rule, you should make decisions about how best to support and protect adult patients in partnership with them, and should focus on empowering patients to make decisions in their own interests. You must support and encourage patients to be involved, as far as they want and are able, in decisions about disclosing their personal information.

Disclosing information to protect adults who lack capacity

55

You must disclose personal information about an adult who may be at risk of serious harm if it is required by law (see paragraph 53). Even if there is no legal requirement to do so, you must give information promptly to an appropriate responsible person or authority if you believe a patient who lacks capacity to consent is experiencing, or at risk of, neglect or physical, sexual or emotional abuse, or any other kind of serious harm, unless it is not of overall benefit to the patient to do so.

56

If you believe it is not of overall benefit to the patient to disclose their personal information (and it is not required by law), you should discuss the issues with an experienced colleague. If you decide not to disclose information, you must document in the patient’s records your discussions and the reasons for deciding not to disclose. You must be able to justify your decision.

The rights of adults with capacity to make their own decisions

57

As a principle, adults who have capacity are entitled to make decisions in their own interests, even if others consider those decisions to be irrational or unwise. You should usually ask for consent before disclosing personal information about a patient if disclosure is not required by law, and it is practicable to do so. You can find examples of when it might not be practicable to ask for consent in paragraph 14.

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3. the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).
58

If an adult patient who has capacity to make the decision refuses to consent to information being disclosed that you consider necessary for their protection, you should explore their reasons for this. It may be appropriate to encourage the patient to consent to the disclosure and to warn them of the risks of refusing to consent.

59

You should, however, usually abide by the patient’s refusal to consent to disclosure, even if their decision leaves them (but no one else) at risk of death or serious harm.19, 20  You should do your best to give the patient the information and support they need to make decisions in their own interests – for example, by arranging contact with agencies to support people who experience domestic violence.21  Adults who initially refuse offers of assistance may change their decision over time.

19

In very exceptional circumstances, disclosure without consent may be justified in the public interest to prevent a serious crime such as murder, manslaughter or serious assault even where no one other than the patient is at risk. This is only likely to be justifiable where there is clear evidence of an imminent risk of serious harm to the individual, and where there are no alternative (and less intrusive) methods of preventing that harm. This is an uncertain area of law and, if practicable, you should seek independent legal advice before making such a disclosure without consent.

20

The Department of Health and Social Care in England has published Information sharing and suicide prevention: consensus statement (2021), which is consistent with the principles in this guidance.

21

Safelives has published guidance on disclosing information to multi-agency risk assessment conferences (MARACs), which are local meetings established to discuss how to help individuals who are at high risk of murder or serious harm. The guidance is available on the Safelives website. Personal information may be disclosed to a MARAC with consent, or if the disclosure can be justified in the public interest (see paragraphs 63–70 in this guidance).

Disclosing information to protect others

60

Medical professionals owe a duty of confidentiality to their patients, but they also have a wider duty to protect and promote the health of patients and the public.22 

22

See ‘The duties of medical professionals registered with the General Medical Council’ available only in the pdf/publication versions at the front of the guidance.

Disclosing information in the public interest

63

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23 

23

There is no agreed definition of ‘serious crime’. The Confidentiality: NHS Code of Practice Supplementary Guidance: Public Interest Disclosures (Department of Health, 2003) gives some examples of serious crime. These include crimes that cause serious physical or psychological harm to individuals (such as murder, manslaughter, rape and child abuse); and crimes that cause serious harm to the security of the state and public order; and ‘crimes that involve substantial financial gain or loss’ are also mentioned in the same category. It also gives examples of crimes that are not usually serious enough to warrant disclosure without consent (including theft, fraud, and damage to property where loss or damage is less substantial).

64

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.

65

Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.

66

Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25  or poses a serious risk to others through being unfit for work.26 

24

We give specific advice on reporting concerns about patients’ fitness to drive in our guidance Confidentiality: Patients’ fitness to drive and reporting concerns to the DVLA or DVA. That guidance deals specifically with drivers on the roads, but the same principles apply to drivers and pilots of other kinds of  regulated transport, including by rail, water and air. You can find all GMC guidance on professional standards and ethics on our website.

67

Before deciding whether disclosure would be justified in the public interest you should consider whether it is practicable or appropriate to seek consent (see paragraph 14). You should not ask for consent if you have already decided to disclose information in the public interest but you should tell the patient about your intention to disclose personal information, unless it is not safe or practicable to do so. If the patient objects to the disclosure you should consider any reasons they give for objecting.

14

You may disclose information on the basis of implied consent for direct care when the conditions in paragraphs 28 and 29 are met, and for local clinical audit when the conditions in paragraph 96 are met. In other cases, you should ask for explicit consent to disclose personal information unless it is not appropriate or practicable to do so.

For example, this might be because:

  1. the disclosure is required by law (see paragraphs 17 - 19)
  2. you are satisfied that informed consent has already been obtained by a suitable person7 
  3. the patient does not have capacity to make the decision. In such a case, you should follow the guidance on disclosures about patients who lack capacity to consent (see paragraphs 41 - 49)
  4. you have reason to believe that seeking consent would put you or others at risk of serious harm
  5. seeking consent would be likely to undermine the purpose of the disclosure, for example by prejudicing the prevention, detection or prosecution of a serious crime
  6. action must be taken quickly, for example in the detection or control of outbreaks of some communicable diseases where there is insufficient time to contact the patient
  7. seeking consent is not feasible given the number or age of records, or the likely traceability of patients.
  8. you have already decided to disclose information in the public interest (see paragraphs 63 - 70).
68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in medical professionals generally – for example, if it is widely perceived that doctors, physician associates or anaesthesia associates will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

69

You must document in the patient’s record your reasons for disclosing information with or without consent.  You must also document  any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.

70

Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.

Responding to requests for information

71

You must consider seriously all requests for relevant information about patients who may pose a risk of serious harm to others. For example, you must participate in procedures set up to protect the public from violent and sex offenders, such as multi-agency public protection arrangements (MAPPA) in England, Wales and Scotland and public protection arrangements in Northern Ireland (PPANI).27  You must also consider seriously all requests for information needed for formal reviews (such as inquests and inquiries, serious or significant case reviews, case management reviews, and domestic homicide reviews) that are established to learn lessons and to improve systems and services.

27

You should consider the assessment of risk posed by patients made by other professionals and by groups established for that purpose, but you must make your own assessment and decision as to whether disclosure is justified. Your assessment of risk is a matter of professional judgement in which an offender’s past behaviour will be a factor. The Royal College of Psychiatrists publishes guidance for psychiatrists about sharing information in the context of public protection, including participation in multi-agency public protection arrangements (MAPPA) and panels. You can find this in Good Psychiatric Practice: Confidentiality and Information Sharing (Royal College of Psychiatrists, third edition, 2017).

72

If you disclose personal information without consent, you must be satisfied that there is a legal basis for breaching confidentiality (see paragraph 9). You must also be satisfied that the other relevant requirements for disclosing information are met (see paragraph 10).

9

Confidentiality is an important ethical and legal duty but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies.

  1. The patient consents, whether implicitly or explicitly for the sake of their own care or for local clinical audit, or explicitly for other purposes (see paragraphs 13 - 15).
  2. The patient has given their explicit consent to disclosure for other purposes (see paragraphs 13 - 15 ).
  3. The disclosure is of overall benefit4 to a patient who lacks the capacity to consent and the dislcosure is made in line with the relevant capacity legislation (see paragraphs 41 - 49).
  4. The disclosure is required by law (see paragraphs 17 - 19), or the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality (see paragraphs 20 - 21).
  5. The disclosure can be justified in the public interest (see paragraphs 22 - 23).
10

When disclosing information about a patient you must:

  1. use anonymised information if it is practicable to do so and if it will serve the purpose
  2. be satisfied the patient:
    1. has ready access to information explaining how their personal information will be used for their own care or local clinical audit, and that they have the right to object
    2. has not objected
  3. get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  4. keep disclosures to the minimum necessary for the purpose
  5. follow all relevant legal requirements, including the common law and data protection law.5 

Disclosing genetic and other shared information

73

Genetic and some other information about your patient might also be information about others with whom the patient shares genetic or other links. The diagnosis of a patient’s illness might, for example, point to the certainty or likelihood of the same illness in a blood relative.

74

Most patients will readily share information about their own health with their children and other relatives, particularly if they are told it might help those relatives to:

  1. get prophylaxis or other preventative treatments or interventions
  2. make use of increased surveillance or other investigations
  3. prepare for potential health problems.28 
28

For more information, see Consent and confidentiality in clinical genetic practice: Guidance on genetic testing and sharing genetic information – A report of the Joint Committee on Medical Genetics (Royal College of Physicians, second edition, 2011).

75

If a patient refuses to consent to information being disclosed that would benefit others, disclosure might still be justified in the public interest if failure to disclose the information leaves others at risk of death or serious harm (see paragraphs 63 - 70). If a patient refuses consent to disclosure, you will need to balance your duty to make the care of your patient your first concern against your duty to help protect the other person from serious harm.

63

Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23 

64

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.

65

Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.

66

Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25  or poses a serious risk to others through being unfit for work.26 

68

When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:

  1. the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
  2. the potential harm to trust in medical professionals generally – for example, if it is widely perceived that doctors, physician associates or anaesthesia associates will readily disclose information about patients without consent
  3. the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
  4. the potential benefits to an individual or to society arising from the release of the information
  5. the nature of the information to be disclosed, and any views expressed by the patient
  6. whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.

70

Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.

69

You must document in the patient’s record your reasons for disclosing information with or without consent.  You must also document  any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.

76

If practicable, you should not disclose the patient’s identity in contacting and advising others about the risks they face.