Confidentiality is a fundamental principle of medical ethics and is central to the relationship of trust between patients and doctors. Without assurances about confidentiality, patients may be reluctant to seek medical advice and treatment.
The duty of confidentiality is not without exception
Doctors have a legal and ethical duty to keep all information relating to patients secure and not to disclose information to third parties without a patient’s consent. However, the duty of confidentiality as a principle is not absolute, and doctors should be familiar with the exceptions to the duty.
For example, exceptions arise when doctors are required to disclose information by law or under their ethical or contractual obligations. If a doctor decides to disclose information without consent, they should be prepared to justify their decision. There are also certain circumstances, such as when the disclosure is of overall benefit to a patient who lacks capacity, in which a doctor may disclose personal information.
The General Medical Council (GMC) sets out in “Confidentiality: good practice in handling patient information” (2017) the principles of confidentiality and respect for patients’ privacy that doctors are expected to understand and follow.
What is confidential information?
All information about a patient is confidential. This includes any information that could identify an individual, for example:
- medical records
- current illness or condition and ongoing treatment
- personal details such as name, address, age, marital status, sexuality, race, religion, etc.
- record of appointments
- a picture, photograph, video, audiotape or other images of the patient
- the fact that a person is or was your patient
The legal framework
In the UK, the legal framework covering how patient data must be looked after and processed is outlined in the Data Protection Act (DPA) 2018, which brought the EU General Data Protection Regulation (GDPR) into law, and the common law duty of confidentiality. Post-Brexit, the UK GDPR was introduced to complement the DPA 2018. Detailed guidance on complying with data protection law is available on the ICO website.
Healthcare professionals are obliged, both legally and professionally, to abide by the following data protection principles:
- Only use the minimum necessary personal information to fulfil the intended purpose. If practicable, use anonymised information if it will serve the purpose.
- Ensure any personal information they process or control is effectively protected at all times against improper access, use, disclosure or loss.
- Be aware of and comply with the principles of the Data Protection Act 2018 and UK GDPR. Clinicians should be satisfied that they are controlling or processing personal information lawfully.
- Seek explicit consent to disclose personal information about patients for purposes other than direct care or local clinical audit, unless the disclosure is required by law.
- Seek consent from patients about any disclosures of personal information that they would not reasonably expect, unless this is not practicable or would undermine the purpose of the disclosure. Keep a record of all decisions to disclose or not to disclose information.
- Assist and support patients’ rights to access their information. Respect patients’ legal rights to be informed about how their information will be used and to have access to or copies of their health records.
- Clinicians should ensure they respect the general right of confidentiality extending beyond death. This is particularly relevant where a patient has specifically requested that certain information remains confidential following their death.
Request for medical records
Patients have a right to obtain copies of their medical records unless this is likely to cause serious harm to their physical or mental health. If a doctor receives a request from a patient seeking access to their records, the records should be carefully reviewed, and any information relating to other people should be removed unless those people have given consent to the disclosure.
Medical reports
A doctor may only prepare a medical report on a patient with the patient’s consent.
Consent should be obtained in writing either from the patient or from their authorised representative. In addition, a doctor can also accept an assurance from an officer of a government department or agency, or another healthcare professional, that such informed consent has been obtained.
Before providing any report, the doctor should be satisfied that the patient understands what information is being requested, the reason for the request and the potential consequences of disclosing information.
The GMC advises in para 115 of “Confidentiality: good practice in handling patient information”: “only disclose factual information you can substantiate, presented in an unbiased manner, which is relevant to the request. You should not usually disclose the whole record. However, it may be relevant to some benefits paid by government departments and to other assessments of a patient’s entitlement to pensions or other health-related benefits.”
The patient is entitled to be shown, on request, a medical report written about them for an employer or insurance company. The GMC also advises doctors to offer to show patients their reports or give them copies before disclosure, whether or not the law requires it.
Recording
Any audio, visual or photographic recordings of a patient or relative of a patient in which the person is identifiable should only be made with the express consent of that person. Recordings made as part of the patient’s care form part of the medical record and should be treated in the same way as written material in terms of security and decisions about disclosures. The recordings should be kept confidential as part of the patient’s records. Doctors should be aware of security risks when sharing information by electronic means and do all that’s reasonably practicable to protect confidentiality, which could include encryption measures.
The GMC states in “Making and using visual and audio recordings of patients” para 15: “You will usually need the patient’s consent before disclosing recordings from which the patient can be identified. But disclosures may also be made where they are required by law, directed by the judge or other presiding officer of a court, or can be justified in the public interest.”
Young people and confidentiality
Children have a right to confidential medical treatment. Clinicians should apply the same principles of confidentiality when using, sharing or disclosing information about children and young people as they would when dealing with adult patients. Please refer to the GMC “0–18 years: guidance for all doctors”, paras 42–52.
Complaints and claims against doctors for breaches of confidentiality are relatively rare. However, when they do occur, they are usually inadvertent and avoidable. If a breach of confidentiality does occur in a healthcare setting, depending on the circumstances, it is usually best to inform the patient as soon as possible.
If you have any queries or concerns surrounding the issues raised in this fact sheet, please do not hesitate to call the PMP medicolegal helpline. The PMP medicolegal helpline is available to customers 24/7. The contact details are in your policy documents, or you can access the helpline through the PMP WebApp.
Reviewed and updated April 2025
Originally published June 2021
This document does not constitute legal or medical advice and should not be construed as rules or establishing a standard of care. We recommend that you seek independent legal and/or professional advice in relation to your legal or medical obligations or rights. Premium Medical Protection Limited is the owner of this material and its contents are protected by copyright law ©2025. All such rights are reserved.