Case study: Sealed envelope

...Later that day Mrs J opens the envelope to read the referral letter and discovers the child protection disclosure naming her sister-in-law as the source...

  • Date: 31 May 2017

Day one

MRS B attends the local surgery with her young child who is suffering from an earache. A GP – Dr L – examines the child and offers treatment advice before Mrs B mentions another difficult matter she would like to discuss. Her sister-in-law – Mrs J – is also a patient at the practice and has two young daughters. Recently Mrs B has become concerned over her sisterin- law’s excessive drinking in combination with the use of over-the-counter pain medication. On two occasions she has visited Mrs J in the middle of the day to find her “passed-out” in the bedroom with the two girls left unwatched and “filthy” with soiled nappies. Mrs B is worried the girls may someday come to harm. Later that day Dr L discusses the matter with the practice manager and a senior partner. A decision is made to report the concerns over Mrs J to social services as they judge that the practice has a duty of care to do so, regardless of the consent of the person who made the disclosure.

Two months later

A visit by social services results in Mrs J agreeing to get help with her addiction and a child protection plan is put in place. Mrs J is unaware how the situation was brought to the attention of social services and assumes it was a neighbour who reported it.

Six months later

Mrs J attends the surgery with one of her daughters who has been complaining over the last few weeks of a very sore tummy. Dr L decides to refer the child for emergency assessment and tries to contact the hospital numerous times without success. In the end she prints off the full consultation notes for the girl, places them in a sealed envelope and asks Mrs J to present them at the hospital. Before attending the hospital later that day Mrs J opens the envelope to read the referral letter and discovers the child protection disclosure naming her sister-in-law as the source. She phones the practice angry and upset that she had not been informed that the disclosure had come from her sister-in-law via the practice. She disputes the information in the notes and wants it removed.


THE practice contacts MDDUS for guidance on how to deal with the matter. First the practice is urged to contact Mrs B by letter informing her of the confidentiality breach and providing an account of the incident along with an appropriate apology. This should be followed by the results of a significant event analysis, including lessons learned and measures implemented to ensure such an incident does not happen again (i.e. new practice procedures and further staff training).

A written response to Mrs J should also include an apology for not first seeking consent before referring the matter to social services. This should be accompanied by an explanation of how the incident occurred and steps taken to tighten up practice procedures to ensure it will not happen again in future.

In regard to the disputed details, the practice is advised to inform Mrs J that these now form part of the permanent medical record for her child and should not be removed. Mrs J should be informed that she can annotate the records to set out her position.

The practice completes the NHS Digital Information Governance Toolkit regarding the data breach and goes on to inform the Information Commissioner’s Office (ICO) of the issue. A few months later the ICO responds informing the practice that no further action will be taken at this stage. It takes the view that the GP acted reasonably in providing a hard copy of the notes given the circumstances – and that the mother should not have opened the envelope which was sealed and addressed to the hospital consultant. The ICO acknowledges that any inappropriate information should have been redacted from the records but it is unlikely that significant detriment has been caused to Mrs J by the disclosure as it may already have been known to her. The ICO does not comment on the impact of the breach on Mrs B.

Both parties express their deep dissatisfaction with the practice at the breach but the complaint is taken no further.


  • When third parties provide information about patients, seek consent to disclose their identity to the patient (or patient’s parent in this case).
  • Should consent to disclose not be provided ensure that information which would reveal third party identity is redacted from disclosed patient records.
  • Disputed details should not be removed from records but patients do have right of comment.
  • Always consider consulting with parents before referring to external agencies in circumstances such as these.

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Read more from this issue of Practice Manager

Practice Manager is published twice yearly and distributed to MDDUS practice managers and others with management responsibility in dental and medical surgeries. It features articles on employment law, health and safety, risk as well as profiles of practices across the UK. Browse our current and back issues below.
In this issue

Related Content

Coroner's inquests

Confidentiality for GPs

Care navigation

Save this article

Save this article to a list of favourite articles which members can access in their account.

Save to library

For registration, or any login issues, please visit our login page.