An Introduction to Confidentiality

Confidentiality is a fundamental principle of medical ethics and is central to the relationship of trust between patients and doctors. Without assurances about confidentiality, patients may be reluctant to seek medical advice and treatment.

The duty of confidentiality is not without exception

Doctors have a legal and ethical duty to keep all information relating to patients secure and not to disclose it to third parties without the patient’s consent. The duty of confidentiality is not absolute, however, and doctors should be familiar with the exceptions to it.

Exceptions arise, for example, where doctors are required to disclose information by law, where disclosure is justified by their ethical or contractual obligations, or where disclosure is of overall benefit to a patient who lacks capacity to consent. Whenever a doctor decides to disclose information without consent, they should be prepared to justify that decision.

The General Medical Council (GMC) sets out in “Confidentiality: good practice in handling patient information” (2017) the principles of confidentiality and respect for patients’ privacy that doctors are expected to understand and follow.

What is confidential information?

All information about a patient is confidential. This includes any information that could identify an individual, for example:

  • medical records
  • current illness or condition and ongoing treatment
  • personal details such as name, address, age, marital status, sexuality, race, religion etc.
  • record of appointments
  • a picture, photograph, video, audiotape or other images of the patient
  • the fact that a person is or was your patient.

The legal framework

In the UK, the legal framework governing how patient data must be looked after and processed is set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), which supplements it (the DPA 2018 originally implemented the EU GDPR in UK law, and the UK GDPR is the retained version of that regulation), together with the common law duty of confidentiality. Detailed guidance on complying with data protection law is available on the ICO website.

Healthcare professionals are obliged, both legally and professionally, to abide by the following data protection principles:

  • Only use the minimum necessary personal information to fulfil the intended purpose. If practicable, use anonymised information if it will serve the purpose.
  • Ensure any personal information they process or control is effectively protected at all times against improper access, use, disclosure or loss.
  • Be aware of and comply with the principles of the Data Protection Act 2018, and be satisfied that any personal information you control or process is being handled lawfully.
  • Seek explicit consent to disclose personal information about patients for purposes other than direct care or local clinical audit, unless the disclosure is required by law.
  • Seek consent from patients about any disclosures of personal information that they would not reasonably expect unless this is not practicable or would undermine the purpose of the disclosure. Keep a record of all decisions to disclose or not to disclose information.
  • Assist and support patients’ rights to access their information. Respect patients’ legal rights to be informed about how their information will be used and to have access to or copies of their health records.
  • Respect the general duty of confidentiality, which extends beyond a patient’s death. This is particularly relevant where a patient has specifically requested that certain information remain confidential after their death.

Request for medical records

Patients have a right of access to their medical records (a subject access request under the UK GDPR) and to obtain copies of them, unless disclosure is likely to cause serious harm to their physical or mental health. If a doctor receives a request from a patient seeking access to their records, the records should be carefully reviewed and any information relating to other people removed unless those people have consented to its disclosure.

Medical reports

A doctor may only prepare a medical report on a patient with the patient’s consent.

Consent should be obtained in writing either from the patient or from their authorised representative. In addition, a doctor can also accept an assurance from an officer of a government department or agency, or another healthcare professional, that such informed consent has been obtained.

Before providing any report, the doctor should be satisfied that the patient understands what information is being requested, why it is being requested and the potential consequences of disclosing it. The GMC advises in para 115 of “Confidentiality: good practice in handling patient information” that doctors should “only disclose factual information you can substantiate, presented in an unbiased manner, which is relevant to the request”, and that “you should not usually disclose the whole record”, although the whole record may be relevant to some benefits paid by government departments and to other assessments of a patient’s entitlement to pensions or other health-related benefits.

The patient is entitled to be shown, on request, a medical report written about them for an employer or insurance company (a statutory right under the Access to Medical Reports Act 1988). The GMC also advises doctors to offer to show patients their reports, or to give them copies, before disclosure, whether or not the law requires it.

Recordings of patients

Any audio, visual or photographic recording of a patient, or of a relative of a patient, in which the person is identifiable should only be made with that person’s express consent. Recordings made as part of the patient’s care form part of the medical record and should be treated in the same way as written material in terms of security and decisions about disclosure. Doctors should be aware of the security risks of sharing recordings by electronic means and do all that is reasonably practicable to protect confidentiality, for example by using encryption when recordings are stored or transmitted.

The GMC states in “Making and using visual and audio recordings of patients” para 15: “You will usually need the patient’s consent before disclosing recordings from which the patient can be identified. But disclosures may also be made where they are required by law, directed by the judge or other presiding officer of a court, or can be justified in the public interest.”

Young people and confidentiality

Children have a right to confidential medical treatment. Clinicians should apply the same principles of confidentiality when using, sharing or disclosing information about children and young people as they would when dealing with adult patients. Please refer to the GMC “0–18 years: guidance for all doctors” paras 42 – 52.

How to avoid accidental breaches of confidentiality

Standards of confidentiality apply to all health professionals, students, administrative and ancillary staff, including receptionists, secretaries and cleaners. Therefore, all staff members working in a healthcare setting must know and understand the rules of confidentiality. All patient information is confidential, from the most sensitive diagnosis to the fact that the patient has attended a consultation.

It might be helpful to consider the following factors when trying to avoid inadvertent breaches of confidentiality:

  • Physical environment – be mindful of room design, such as the proximity of the waiting room to reception and the positioning of computer screens, telephones and seating, so that conversations and screens cannot be overheard or overlooked.
  • Medical records – ensure records are filed, transferred and disposed of securely. Do not leave patients’ paper or electronic records unattended, or anywhere they can be seen by other patients, unauthorised staff or the public.
  • IT systems – be sure that the IT system is robust in terms of backups, audit logs, firewalls, virus protection and appropriate encryption. Do not share login details, and ensure all staff with access to the system know that this is not allowed: audit logs can only show who accessed a record if each user has their own account.
  • Training and education – all staff members should be trained in the principles of maintaining patient confidentiality, and these principles should be regularly reinforced. All staff members should be encouraged to work together to ensure that standards of confidentiality are upheld, improper disclosures avoided and a ‘no gossip’ culture adopted.
  • Confidentiality agreement – ensure that all staff, including students and temporary staff, sign a confidentiality agreement that includes reference to the use of social media sites.
  • Communication by fax/text/email – have a policy in place to manage the disclosure of confidential information about patients by electronic means, and ensure staff are familiar with it.

Complaints and claims against doctors for breaches of confidentiality are relatively rare. When they do occur, however, the breach is usually inadvertent and avoidable. Ensuring that all staff receive training on confidentiality policies, with regular reinforcement, should help mitigate the risk of avoidable or inadvertent errors. If a breach of confidentiality does occur in a healthcare setting, it is usually best to inform the patient as soon as possible. Depending on the circumstances, you may also be required to notify the Information Commissioner’s Office (ICO): under the UK GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it.

If you have any queries or concerns surrounding the issues raised in this fact sheet, please do not hesitate to call the PMP medicolegal helpline. The helpline is open 24/7, and contact details can be found on your policy documents or customer card.

Reviewed and updated April 2023

Originally published June 2021

This document does not constitute legal or medical advice and should not be construed as rules or establishing a standard of care. We recommend that you seek independent legal and/or professional advice in relation to your legal or medical obligations or rights. Premium Medical Protection Limited is the owner of this material and its contents are protected by copyright law © 2023. All such rights are reserved.
