However, the right to confidentiality is not absolute. That right – whilst guarded by healthcare professionals on behalf of their patients – may sometimes be at odds with the law. Legislation and guidance governing the collection and maintenance of clinical information are ever-expanding, as are the increasingly diverse methods of processing and sharing such information. Keeping up to date in this area is an important challenge for healthcare providers.
There are three generally recognised scenarios when confidential information may be disclosed:
- where disclosure is judged necessary and the patient to whom the information relates grants consent
- where disclosure is a legal obligation
- where there is an overriding public interest in disclosure.
Unlawful or unjustified disclosure of confidential information could expose a practitioner to:
- Breach of statutory duty under the Data Protection Act 2018.
- Disciplinary proceedings: an unjustified breach of confidentiality can lead to fitness to practise proceedings by the GMC, GDC and other regulatory bodies.
- Disciplinary action by employers in relation to capability and professional conduct.
- Civil action: a patient alleging breach of confidentiality can seek damages in civil courts.
In general, a practitioner should always seek the consent of the patient for the disclosure of confidential information and keep disclosure to the minimum necessary for the intended purpose. Should consent be refused or otherwise unobtainable, seek medico-legal advice.
Make a record of all confidential disclosure decisions, along with the reasoning behind them, and be prepared to explain and justify each decision. If in any doubt, contact MDDUS for medico-legal advice before disclosure takes place.
Patient information can be requested for purposes other than direct care. It can be used to help health services function more effectively and safely, for example in research, future service planning or financial audit. Other uses may serve wider public interests, such as disclosures for public protection.
If you are unsure about how to handle a particular request or situation, you should consult a Caldicott or data guardian, data protection officer or the MDDUS for further advice.
Data protection principles
Healthcare professionals are obliged, both legally and professionally, to abide by the following data protection principles:
- Only use the minimum necessary personal information to fulfil the intended purpose. Where practicable, use anonymised information if it will serve the purpose.
- Ensure that any personal information you process or control is effectively protected at all times against improper access, use, disclosure or loss.
- Be aware of and comply with the principles of the Data Protection Act 2018. Be satisfied that you are controlling or processing personal information lawfully.
- Seek explicit consent to disclose personal information about patients for purposes other than direct care or local clinical audit, unless the disclosure is required by law.
- Seek consent from patients about any disclosures of personal information that they would not reasonably expect, unless this is not practicable or would undermine the purpose of the disclosure. Keep a record of all your decisions to disclose or not to disclose information.
- Assist and support patients’ rights to access their own information. Respect patients’ legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.
- Ensure that you respect the general right to confidentiality extending beyond death. This is particularly relevant where a patient has specifically requested that certain information remains confidential following their death.
Personal information may be disclosed without breaching confidentiality in any of the following circumstances:
- The patient has consented, either implicitly or explicitly in connection with their own care or for local clinical audit.
- The disclosure in question is in the best interests of a patient who lacks the capacity to consent.
- Disclosure is required by a relevant law or court order.
- Disclosure can be justified in the public interest.
In disclosing confidential information about a patient you must try to:
- Use anonymised information if it will serve the intended purpose and is practicable.
- Satisfy yourself that the patient has access to information explaining how their personal information will be used for their own care and that they have the legal right to object. In all cases check that the patient has not objected.
- Obtain the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their own care, unless the disclosure is required by law. Ensure that disclosures are kept to the minimum necessary for the purpose at hand.
Common failings that can lead to a breach of confidentiality include:
- Failure to obtain the patient's consent for disclosure of confidential information where consent is required.
- Failure to keep disclosure to the minimum necessary for the intended purpose.
- Failure to keep a record of all confidential disclosure decisions and justification.
- Providing identifiable personal information where anonymised data would suffice.
- Failure to maintain adequate security measures in order to keep confidential patient data safe.
- Failure to inform patients about any disclosures or sharing of personal information that they would not reasonably expect.
- Lack of systems/procedures to address breaches of confidentiality.
- The provision of confidential medical care is in itself recognised in law as being in the public interest and patients are therefore actively encouraged to seek advice and treatment from health professionals.
- Occasions arise when disclosure of confidential information in the public interest is necessary to protect either the individual or society from the risks of serious harm.
- Seek out advice and support from your medical defence organisation, information governance officer or Caldicott guardian if necessary or practicable before disclosing confidential information.
- GMC. Confidentiality: good practice in handling patient information (Disclosures for the protection of patients and others): https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality/disclosures-for-the-protection-of-patients-and-others
- ICO. Health sector resources: https://ico.org.uk/for-organisations/resources-and-support/health-sector-resources/
- GDC. Focus on standards (Principle 4: Maintain and protect patients’ information): https://standards.gdc-uk.org/pages/principle4/principle4.aspx
- MDDUS. Training & CPD resources: https://www.mddus.com/training-and-cpd/training-for-members