- You, and anyone you employ, must protect patient information.
- You may disclose patient information in some circumstances where it is required by law or where the patient or others might be at risk of serious harm.
- You may share some limited patient information with others who provide care to your patients.
- Disclosing any other information about a patient requires their consent.
- You should anonymise patient information, where possible, and guard against unintentional or improper disclosures.
- Disclosing information about a child requires their consent, or that of their parents, unless it is in the child’s best interests or they are at risk of serious harm.
- There are limitations on disclosing information to patients’ relatives or carers.
- Patient information remains confidential after their death, with exceptions, for example where it is required by a court of law.
- You must respect and protect patient information.215 See section on Patient records.
- Patients must consent before you share any information about them. See section on Consent. When asking for consent you should tell the patient:
- what information you want to share
- who you want to share it with, and
- how the information will be used.216
- You must keep confidential all patient identifiable information, including information which is handwritten, digital, visual, audio or retained in your memory and this includes:
- clinical information about a patient’s diagnosis or treatment
- when the patient attended the practice, and
- anything else that can be used to identify patients directly or indirectly, especially if combined with the patient’s name or address or full postcode or date of birth.
- If an adult patient with capacity tells you not to share information with other people, you should firstly discuss this with them, and explain why you need to share the information. If they still refuse, you should not share their information, even if failure to share would leave the patient (but no one else) at risk of serious harm or death. If you believe that the patient’s decision to refuse a service puts them at risk of serious harm, you must discuss this issue with appropriate colleagues,217 whilst respecting the patient’s confidence.218 This can be done by discussing the case in general without revealing details which may identify the patient. You can share patient identifiable information if you are required to do so by law, or disclosure is justified in the public interest.
- There are exceptions to the rule of protecting patients’ confidentiality which are:
- you may be required to provide information by law, for example if ordered by a court, or
- you may need to disclose information if it is in the public interest, for example where failing to disclose information would expose other members of the public to risk of death or serious harm.219
- You may disclose information without patient consent if you have reason to believe that asking for consent would put you or other people at risk of serious harm.220
215 Department of Health (2013) Information, to share or not to share. The information governance review, (Chairman: Dame Fiona Caldicott) [Accessed 6 Nov2017]
216 General Medical Council (2012) Protecting children and young people: the responsibilities of all doctors, paragraph 35 [Accessed 6 Nov 2017]
217 General Optical Council (2017) Supplementary guidance on consent, para 41 [Accessed 27 Jul 2018]
218 General Optical Council (2016) Standards of practice for optometrists and dispensing opticians para 11.7 [Accessed 6 Nov 2017]
219 Department of Health (2010) Confidentiality: NHS code of practice. Supplementary guidance: public interest disclosures [Accessed 6 Oct 2017]
220 General Medical Council (2017) Confidentiality: good practice in handling patient information [Accessed 6 Nov 2017]
- You should explain to patients that you will share information where it is in their best interests unless they object, while observing principles of confidentiality set out in this guidance. People expect professionals to share information with other members of the care team, so good sharing of information, where sharing is appropriate, is as important as maintaining confidentiality.221
- You may rely on implied consent to share confidential information with those who are providing (or supporting the provision of) direct care to the patient if you are satisfied that all of the following apply:222
- the person accessing or receiving the information is providing or supporting the patient’s care
- information is readily available to patients explaining how their information will be used (for example, in leaflets, posters, on websites or face-to-face), and they have a right to object
- the patient has not objected, and
- that anyone to whom confidential information is disclosed understands that it is given to them in confidence, which they must respect.
221 Department of Health (2013) Information, to share or not to share. The information governance review, (Chairman: Dame Fiona Caldicott) [Accessed 6 Nov 2017]
222 General Optical Council (2017) Supplementary guidance on consent, para 47 [Accessed 27 Jul 2018]
- If you disclose information about a patient, you must:
- be satisfied that the patient:
- has been informed that their personal information might be disclosed for the sake of their own care, or for local clinical audit, and that they can object, and
- has not objected
- get the patient’s consent if identifiable information is to be disclosed for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest. The public interest is unlikely to be justified if the same purpose can be achieved with anonymised information
- keep disclosures to the minimum
- observe all relevant legal requirements, including the common law and data protection legislation 223
- be able to justify why you disclosed the information, and
- keep a record of when you disclose information, what you disclose, and to whom.
- be satisfied that the patient:
- If you, or others, wish to use patient identifiable information for teaching or research purposes, for example patient photographs, you must apply the principles in this guidance by:
- gaining patient consent
- making sure the patient understands what they are consenting to and how the information will be used, and
- only using or releasing the minimum information that is necessary for the purpose.
- If you are using or disclosing information which does not require patient identifiable information you should use anonymised or coded information, for example in clinical audit or for reporting quality measures.
- Improper disclosures can be unintentional. You should not:
- share identifiable information about patients where you can be overheard, for example in the practice reception area, a public place or in an internet chat forum, or
- share passwords or leave patient records, either on paper or on screen, unattended or where they can be seen by other patients, unauthorised practice staff, or the public.
223 Data Protection Act 2018
- If you think the patient may be engaging in an activity where they pose a very real risk of danger to the public, such as the patient operating heavy machinery or driving when they are not fit to do so 224, but you are not sure whether you should act, ask yourself:
- what might the outcome be in the short- or longer-term if I do not raise my concern? And,
- how could I justify why I did not raise the concern?
- If you decide to proceed, you should:
- first tell the patient that they are unfit to engage in the activity in question and give the reasons
- tell the patient to tell the relevant authority
- put your advice in writing to the patient, if appropriate, and
- keep a copy of any correspondence to the patient on the patient record.
- Sometimes the actions in para C.86 might not achieve their aim, or would take too long to do so. You have a duty of confidentiality to the patient, but this is not absolute and can be broken if it is in the public interest to do so. Guidance from the Department of Health includes the example of reporting a driver who rejects medical advice not to drive as one where the public interest can be a defence to breaching patient confidentiality.225
- If you conclude that the public interest outweighs the duty of confidentiality, for example a patient who has told you that they intend to commit a crime or who continues to drive after being told not to, you should:
- notify the relevant authority, and, if appropriate, provide evidence of clinical findings
- notify the patient’s GP of the action being taken, and
- notify the patient if appropriate.
- If you disclose confidential information about a patient you must be prepared to explain and justify that decision. If you are unsure if this is appropriate, seek advice.
- In other circumstances, you should not disclose any clinical, personal or non-clinical information about a patient to a third party, even if that person says they are family or a close friend. This is because it might harm the patient if you divulge the information, for example, if the patient is a victim of abuse. This includes the patient’s:
- contact details
- personal circumstances, and
- any other information that might disclose the individual’s whereabouts, for example whether they have been in your practice.
224 Driver & Vehicle Licensing Agency (DVLA) (2016) Assessing fitness to drive: a guide for medical professionals Chapter 6 Visual disorders [Accessed 6 Nov 2017]
225 Department of Health (2010) Confidentiality: NHS code of practice. Supplementary guidance: public interest disclosures [Accessed 6 Nov 2017]
- If a patient lacks capacity, you should share relevant information in accordance with the advice in paras C78 and C79 and the section on Consent. Unless they indicate otherwise, it is reasonable to assume that patients would want those closest to them to be kept informed of their general condition and prognosis.
- You must share relevant information with anyone who is authorised to make healthcare decisions on behalf of an adult patient who lacks capacity. This may be someone who has a welfare lasting power of attorney or equivalent. See section on Consent.
- You must seek the consent of a child who has the capacity to consent before you share any confidential information about them. See section on Consent.
- You may discuss matters regarding a child who does not have the capacity to consent with someone with parental responsibility. See section on Consent.
- A parent who does not have parental responsibility for a child does not have an automatic right of access to confidential information.
- Not all parents have parental responsibility. If the parents were married at or after the child’s conception, both will have parental responsibility, even if they have later divorced. For unmarried parents, both will have parental responsibility if they are named on the child’s birth certificate and the child was born on or after:
- 1 December 2003 in England and Wales
- 15 April 2002 in Northern Ireland, and
- 4 May 2006 in Scotland.
- You should take the following steps to clarify parental responsibility and information sharing:
- note in the child’s record the name of the person who accompanies the child
- try to ascertain whether the person has parental responsibility
- if the person does not have parental responsibility you will need to decide whether the person can provide effective authority to proceed. If in any doubt, consult your professional or representative body.
- You can share confidential information about a child or young person without their consent if you consider that the benefits to the child or young person that will arise from sharing will outweigh the public and patient’s interest in keeping the information confidential. If a child or young person refuses to consent to you sharing the information you should consider their reasons for refusing, and weigh the possible consequences of not sharing the information against the harm that sharing may cause.226 You should disclose information about a child or young person to an appropriate body without their, or their parents’, consent only if:
- it is in the child or young person’s best interests, or
- failure to do so might place the child or young person at risk of serious harm or where the information would help prevent, detect or prosecute a serious crime.
- You should discuss with the patient what information they want you to share, with whom, and in what circumstances. This will be important if the patient has fluctuating or diminished capacity or is likely to lose capacity, even temporarily. This can help to avoid disclosures that patients would object to. It can also help to avoid misunderstandings with relatives or carers.
- If anyone close to the patient wants to discuss their concerns about the patient’s eye health, you should tell them, before they begin, that you might need to tell the patient about the conversation if the information affects your care of the patient.
- You should not refuse to listen to a patient’s relatives or carers on the basis of confidentiality. The information they provide might be helpful in your care of the patient. You should, however, consider whether it would be a breach of your patient’s trust to do this, especially if they have asked you not to listen to particular people.
- You should treat patient information as confidential, even after a patient has died. Whether and what personal information you disclose after a patient’s death will depend on the circumstances. If the patient had asked for information to remain confidential, you should respect their wishes. If you are unaware of the patient’s wishes and are asked to disclose information you should consider:
- the purpose of the disclosure
- whether the information is likely to benefit or cause distress to the patient’s family
- whether the information is already in the public domain
- whether the information can be anonymised.
- Information must only be disclosed to someone who is authorised to receive it, such as the executor of the will. You should ask to see the patient’s death certificate before disclosing information.