DLM Module 11.pdf

Full Transcript

Patients entrust us with, or allow us to gather, sensitive information relating
to their health and other matters as part of their seeking treatment. There
have been some high profile examples of breaches – for example, when
Richard Hammond was hospitalised following a brain injury in 2006, 300
medical staff accessed his records over a 24 hour period. It is estimated that
20 events were appropriate. In 2018, two staff were disciplined following
inappropriately accessing Ed Sheeran’s records.

After successful completion of this module, you should be able to:
From the Syllabus:
Candidates should have a detailed knowledge and understanding of the
law and ethics governing the duty of confidentiality, including:

1. 9.1. legal basis;
2. 9.2. GMC and NMC guidance;
3. 9.3. disclosures required by law;
4. 9.4. disclosures in the public interest;
5. 9.5. data protection legislation;
6. 9.6. patients' rights of access to health records and medical
reports;

7. 9.7. confidentiality and mentally incapacitated adults; and
8. 9.8. confidentiality after death.

By the end of this module a student should be able to understand: Confidentiality and Disclosure
Confidentiality and the Deceased Patient
Data Protection & General Data Protection Regulation (GDPR)
Child Protection

“And about whatever I may see or hear in treatment, or even without
treatment, in the life of human beings, I will remain silent, holding
such things to be unutterable.”

Hippocrates penned these words in the 5th Century BC and they still remain
an integral part of the Hippocratic Oath, underlining one of the central
tenets in the practice of medicine – the Duty of Confidentiality. It is the
inherent confidentiality which has always underpinned the absolute trust in
the Doctor-Patient relationship. https://www.gmc-uk.org/ethicalguidance/ethical-guidance-for-doctors/confidentiality/ethical-and-legalduties-of-confidentiality

Both deontological (duty-based) and consequentialist reasoning can be used
to justify the existence of a duty of confidence between patients and
clinicians.
Deontological arguments would emphasise the patient’s right to privacy and their right to
control access to sensitive and personal information.
Consequentialist arguments center around the need to ensure patients trust healthcare
professionals with their medical information and seek treatment, for the overall health of the
population.

Raanan Gillon states:
“Quite apart from the medical benefits to the patient, maintenance of
confidentiality may in some circumstances benefit others. In the
context of transmissible diseases, especially sexually transmissible
diseases, so long as the patient continues to trust his or her doctor, the
doctor is left in a position of being able to educate and influence the
patient in ways that can reduce the likelihood of the disease being
passed on. As soon as confidentiality is broken the trusting
relationship is likely to be undermined and the opportunity to help
reduce the spread of disease is lost.”

There are a number of sources of legal duty of confidence.
1. Common Law

There is a general common law duty imposed on a doctor to respect the
confidences of his/her/their patient. The nature of this obligation, which
applies to all confidential information was discussed by the Court of Appeal
in A-G –v- Guardian Newspapers ltd (No 2) [1990]AC 109, also known as
the ‘Spycatcher case”.
Lord Goff:
“[A] duty of confidence arises when confidential information comes to
the knowledge of a person (the confidant) in circumstances where he
has notice, or is held to have agreed, that the information is
confidential, with the effect that it would be just in all the
circumstances that he should be precluded from disclosing the
information to others.”

Lord Goff further suggested three limiting principles:

With regards to medical information – this is normally clearly confidential,
and the doctor-patient relationship is one in which a duty of confidence
exists.

Boreham J stated in Hunter v Mann:
“in common with other professional men, for instance a priest… the doctor is under a duty not
to disclose, without the consent of his patient, information which he, the doctor has gained in
his professional capacity, save… in very exceptional circumstances.”

In the case of W-v- Egdell [1990]Ch359
a secure prisoner obtained a Psychiatric report with a view to transfer to a less secure unit. The
report was unfavourable to W, and his application was aborted. However, a routine review of
his detention was due and when the Psychiatrist became aware that his report was not to be
included in the patient’s notes, he feared that the decision would be made without accurate up
to date information and would be potentially dangerous to the public. As such he informed the
hospital’s medical director and the Home Office of his findings and W brought an action
against the Psychiatrist alleging breach of duty of confidentiality.

The action failed. The fear of a real risk to public safety entitled a doctor to take reasonable steps to
communicate the grounds of his concern to the appropriate authorities.

This was an important decision in that the important principle of medical
confidentiality emerged relatively unscathed as W’s case was extreme and
Courts would not condone a breach of confidence on less urgent grounds.
However, this case clearly highlighted that there are circumstances where it
could be permissible to breach this enshrined duty of confidentiality.
2. Statute
- The Human Rights Act 1998

Human Rights Act 1998 Schedule 1 Article 8

8(1) Everyone has the right to respect for his private and family life, his
home and his correspondence
8(2) There shall be no interference by a public authority with the
exercise of this right except such as in accordance with the law and is
necessary in a democratic society in the interests of national security,
public safety or the economic well-being of the country, for the
prevention of disorder or crime, for the protection of health or morals,
or for the protection of the rights and freedoms of others.

Whilst there have been a number of cases where patients have relied upon
Article 8 when complaining about disclosure of medical information, it has
proven fairly difficult for them to establish that disclosure constitutes a
prima facie violation of Article 8, as it has often been possible for public
authorities to establish that disclosure was justifiable under 8(2).
Z v Finland (1997) 25 EHRR 371

Z’s husband was charged with a number of sexual offences. He
was HIV positive. In order to ascertain when he became aware
of his HIV status, police sought and gained access to his wife,
Z’s, medical records.
The ECtHR held that this was not a violation of Z’s Article 8
rights because there were good reasons for requiring this
information.

Stone v South East Coast SHA [2006] EWHC 1668

Michael Stone, a convicted murderer, sought to suppress publication of

a homicide inquiry containing details about his medical treatment.
Although the judge acknowledged his right to privacy, this was
outweighed by the public interest in knowing more about the treatment
which Mr Stone had and had not received.

Article 8 must also be balanced against Article 10 – the right to freedom of
expression. An example of this is:
Campbell v MGN Ltd [2004] UKHL 22
Naomi Campbell, a ‘super model’, sued the Mirror newspaper for
revealing information about her addiction and attendance at Narcotics
Anonymous. Whilst she accepted that the newspaper was entitled, in
the public interest, to disclose that she was a drug addict and was
receiving treatment (which she had previously denied publicly), she
claimed that details of her attending Narcotics Anonymous and the
accompanying photographs amounted to a breach of privacy.

In this case, the House of Lords found that an obligation of confidence
existed because of the nature of the information about Ms Campbell’s
treatment for drug addiction.

As a result of a European Union (EU) Directive, until 25 May of 2018 the Data Protection
Act 1998 applied UK wide and provided a right of access to health records of living
people. The General Data Protection Regulation (GDPR) replaced the Data Protection Act
1998. The Data Protection Act 2018 implemented the EU’s General Data Protection
Regulation and is not limited to the UK GDPR provisions.
What else does the DPA 2018 cover?
The DPA 2018 has a part dealing with processing that does not fall within EU law, for example, where it is
related to immigration. It applies GDPR standards, but it has been amended to adjust those that would not work
in the national context.
It also has a part that transposes the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into
domestic UK law. The Directive complements the General Data Protection Regulation (GDPR) and Part 3 of the
DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.
National security is also outside the scope of EU law. The Government has decided that it is important the
intelligence services are required to comply with internationally recognised data protection standards, so there are
provisions, based on Council of Europe Data Protection Convention, which apply to them
There are also separate parts to cover the Information Commissioners Office (ICO) and its duties, functions and
powers.

THE DATA PROTECTION ACT 2018 and GDPR now govern access to health
records of living individuals.

Key areas to be aware of:

What are the 6 principles of GDPR?

These replace the previous ‘8 principles’ of the DPA 1998
1. Lawful, fair and transparent
2. Limited for its purpose
3. Adequate and necessary
4. Accurate
5. Not kept longer than needed
6. Integrity and confidentiality
What does GDPR say about consent?
Art 7(4)
“Consent should not be regarded as freely given if the data subject has no genuine
or free choice or is unable to refuse or withdraw consent without detriment and
further consent should not provide a valid legal ground… where there is a clear
imbalance between the data subject and the controller, in particular where the
controller is a public authority.”

Definitions
Data controller

A person who (either alone or jointly or in common with other persons) determines
the purposes for which and the manner in which any personal data are, or are to be
processed.
GDPR mandates that data controllers ensure contracts with data processors are up to
date and reviewed.
Data processor

In relation to personal data – any person (other than an employee of the data
controller), who processes data on behalf of the data controller. The GDPR places new
specific legal obligations on data processors:
To maintain records of personal data and processing activities
To comply with GDPR and not act contrary to the lawful instructions of the data controller

Data processors can now be fined

Processing

Obtaining, recording or holding information or data
Data Protection Officer

A requirement under GDPR. Responsible for overseeing data protection strategy and
implementation to ensure compliance with GDPR requirements.
Personal data
"data from which a living individual can be identified or identifiable (by anyone), whether directly or
indirectly, by all means reasonably likely to be used" ICO

PERSONAL DATA EXAMPLES
Name
NHS number
Location data
Online identifier
Some pseudonymised data

To legitimately process personal data, processors must have a schedule 2 (article 6) condition:

Public authorities can no longer rely on ‘legitimate interests’.https://ico.org.uk/fororganisations/guide-to-data-protection/guide-to-the-general-data-protectionregulation-gdpr/lawful-basis-for-processing/legitimate-interests/
Special category data

Race
Ethnic origin
Politics
Religion
Trade union membership
Genetics
Biometrics
Health
Sex life or sexual orientation

To legitimately process special category data, processors must have a schedule 3
(article 9) condition:

A request for access to health records under DPA and GDPR is known as a
subject access request. Healthcare professionals need to familiarise
themselves with the legislation and regulation. Any 3rd party information
(e.g. relatives' comments or contact details must be removed). If a data
breach occurs e.g. if a patient’s personal data or records are disclosed to the
wrong party the patient has a right to compensation if he suffers damage as a
result of the breach. The healthcare professional may also face a financial
penalty.

Who can make a subject access request (SAR)?
1. Patients with capacity. It is not necessary for a patient to give a reason why they want access
to their records. The request is free of charge.
2. A Third Party authorised by the patient with capacity e.g. a Solicitor acting on their behalf.
3. Parents with parental responsibility. Not all parents have parental responsibility. Who has
parental responsibility?
(a) The mother; and also the father of a child, if born after 01 December 2003 in England
and Wales, after 15 April 2002 in Northern Ireland and after 04 May 2006 in Scotland,
provided the father is registered on the child’s birth certificate.

(b) For children born before the above dates, a biological father will only automatically
acquire parental responsibility if the parents were married at the time of the child’s birth or
sometime after.
(c) If the parents of a child were never married, only the mother automatically has parental
responsibility but a father may acquire it by a Court Order or agreement.

Where more than one person has parental responsibility each may
independently exercise rights of access to health records. It is not
necessary to inform the other parent of the request. However,
consideration must be given to a potential breach of the European
Convention for Human Rights and the right to private and family life
in not informing the other parent.
(d) A Guardian appointed by the Court or a local authority which
has been granted a Care Order may acquire parental responsibility.
(e) adoptive parents where a child has been formally adopted.
4. Children aged over 16
5. Children aged under 16 in England, Wales and Northern Ireland who
demonstrate that they have sufficient understanding of what is proposed
are entitled to make a subject access request. Children aged 12 and over
are expected to have competence to give or withhold consent to release
of information from their health records.
6. Where a child between 12 and 16 is considered capable of making
decisions about access to their medical records the consent of the child
must be sought before a parent or third party is given access to the
records via a subject access request.
BEWARE - A person describing themself as a next of kin has no right of
access to medical records.
A clinician should review records prior to disclosure to check:
For information which is likely to cause serious physical or mental
harm to the patient or another person

For data relating to third party (other than a healthcare professional)
who has not given consent for disclosure
Information which a third party or the patient has asked to be kept
confidential
Information restricted by court orders
Information relating to the keeping or use of gametes or embryos
In the case of child records, disclosure prohibited by law e.g. pertaining
to adoption
An important case relating to mixed data, is the case: Dr DB v. General Medical Council
[2018] EWCA Civ 1497.
In this case P requested disclosure of an expert report which described “below standard”
care by Dr DB.
GMC asked Dr DB’s consent to release – he refused.
GMC decided to release but agreed not to do so pending Dr DB’s appeal.
Court decision:
Where one party objects to disclosure of the information this does not create a
presumption or starting point against disclosure in the balancing exercise.
Even if the requesting party is seeking legal action, this motive does not diminish
their rights to receive the information, but can be a relevant factor, depending on
the circumstances and the impact, on the other individual’s rights.
Data controllers are given a wide discretion in the factors to be considered in the
balancing exercise, and the weight placed on those factors.

The ICO (https://ico.org.uk) is the UK's independent body set up to uphold
information rights; it is an independent public body and the Department for
Digital, Culture Media and Sport is the ICO’s sponsoring department within
Government.

It covers a number of regulations including:
Data Protection Act
Freedom of Information Act
Privacy and Electronic Communications Regulations
General Data Protection Regulation
Environmental Information Regulations
INSPIRE regulations
eIDAS Regulation
Re-use of Public Sector Information Regulations
NIS Regulations
Investigatory Powers Act

ICO Powers include:
Carry out audits
Impose improvement notices
Issue orders to cease operations
Notify data subjects of a breach
Restrict or erase data
Issue fines not just for personal data breaches but also for lack of, or insufficient systems and
processes.

GDPR has brought in a new requirement to report ‘High risk’ breaches to
the ICO and the relevant data subjects within 72 hours. Failure to notify a
breach can result in a significant fine of up to 10 million euros or up to 2%
of the total worldwide annual turnover.
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-thegeneral-data-protection-regulation-gdpr/personal-data-breaches

Department of Health: NHS Code of Practice (2003) available at:
https://www.gov.uk/government/publications/confidentiality-nhs-codeof-practice
National Data Guardian standards:

1. All staff ensure that personal confidential data is handled, stored

2.

3.
4.

5.
6.

7.

and transmitted securely, whether in electronic or paper form.
Personal confidential data is only shared for lawful and
appropriate purposes.
All staff understand their responsibilities under the National Data
Guardian’s Data Security Standards, including their obligation to
handle information responsibly and their personal accountability
for deliberate or avoidable breaches.
All staff complete appropriate annual data security training and
pass a mandatory test, provided through the revised Information
Governance Toolkit.
Personal confidential data is only accessible to staff who need it
for their current role and access is removed as soon as it is no
longer required. All access to personal confidential data on IT
systems can be attributed to individuals.
Processes are reviewed at least annually to identify and improve
processes which have caused breaches or near misses, or which
force staff to use workarounds which compromise data security.
Cyber-attacks against services are identified and resisted and
CareCERT security advice is responded to. Action is taken
immediately following a data breach or a near miss, with a report
made to senior management within 12 hours of detection.
A continuity plan is in place to respond to threats to data security,
including significant data breaches or near misses, and it is tested
once a year as a minimum, with a report to senior management.

8. No unsupported operating systems, software or internet browsers

are used within the IT estate.
9. A strategy is in place for protecting IT systems from cyber threats
which is based on a proven cyber security framework such as
Cyber Essentials. This is reviewed at least annually.
10. IT suppliers are held accountable via contracts for protecting the
personal confidential data they process and meeting the National
Data Guardian’s Data Security Standards.
NHS England Data Security and Protection Toolkit (previously known
as the IG toolkit) is an online self-assessment tool that allows
organisations to measure their performance against the National Data
Guardian’s 10 data security standards. All organisations that have
access to NHS patient data and systems must use this toolkit to provide
assurance that they are practising good data security and that personal
information is handled correctly.
With the advent of Electronic Health Care records, clinicians must be
particularly mindful of the need to obtain informed consent prior to
accessing. Organisations must have the appropriate policies and
protocols in place for protecting against unauthorised access.
Specific roles within organisations include:
Caldicott Guardian – all NHS organisations and local authorities which
provide social services must have a Caldicott Guardian
A Caldicott Guardian register is maintained by NHS England
A Caldicott Guardian is a senior person responsible for protecting the
confidentiality of people’s health and care information and making
sure it is used properly. They should provide leadership and informed
guidance on complex matters involving confidentiality and
information sharing.
This is an advisory role

Described as ‘the conscience of the organisation’

Senior Information Risk Owner (SIRO)
This is an accountable role
Fosters a culture for protecting and using data
Provides a focal point for managing information risks and incidents
Concerned with management of all information assets

Common Law

Statute

AG v Guardian
Newspapers

ECHR Article 8

Negligence – breach of
duty of care

1. Respect private
and family life
2. Qualifies
Campbell v MGN

Breach of contract –
private patients

Z v Finland

GDPR
6 principles

General Medical Council (GMC)
Whilst this does not have the status of law, breach of GMC guidance may
lead to disciplinary proceedings and may be used as evidence in a civil suit
of breach of duty of care.
Candidates should be familiar with GMC guidance available at:

https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality
Key areas of guidance:
Confidentiality: disclosing information for education and training purposes
Confidentiality: disclosing information for employment, insurance and similar purposes
Confidentiality: disclosing information about serious communicable diseases
Confidentiality: patients’ fitness to drive and reporting concerns to the DVLA or DVA
Confidentiality: Reporting gunshot and knife wounds
Confidentiality: responding to criticism in the media

Nursing and Midwifery Council (NMC)
The Code: https://www.nmc.org.uk/standards/code/read-the-code-online
The Health and Care Professions Council (HCPC)
The Standards: https://www.hcpc-uk.org/standards

General Rules when disclosing information
Obtain explicit consent (unless required by law or in public interest)
Satisfy yourself that
Patient has not objected
Patient has access to information explaining how their information
will be used and that they have a right to object.
Anonymise information if practicable.
Keep disclosure to the necessary minimum.
Follow all legal requirements including the common law and data
protection law.
The British Medical Association provide a confidentiality aid:
https://www.bma.org.uk/advice/employment/ethics/confidentiality-andhealth-records
Also consider GMC guidance: “Good Medical Practice”:
https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/good-medical-practice
https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality

With explicit consent

Consent can be explicit (or express) when the patient actively agrees
either orally or in writing to the information disclosure.
With implied consent
GMC guidance regarding this for direct patient care is as follows:

https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality/using-and-disclosing-patient-information-for-directcare

This is one of the most important exceptions to the duty of confidentiality.

See AG v Guardian Newspapers Ltd (No.2) [1988] 3 WLR 776 at 807
There are three public interest disclosures to consider:
1. To prevent harm to others
2. To prevent or detect crime
3. Teaching, research and audit
1. Prevent harm to others

As per GMC and BMA guidance there must be
A REAL risk of SERIOUS harm
See the case of W v Egdell discussed above.
In Palmer v Tees Health Authority [1999], a claim was made for damages,
on behalf of the estate of a murdered child and her mother for psychiatric
damage. The claim against the Health Authority, was made as it was said to
have been negligent in having failed to manage a psychiatric patient who had
abducted and murdered the girl. The Court found the Health Authority was
liable (so not negligent) for failing to restrict the freedom of the patient, who
was an out-patient and had threatened to kill. Although the patient did kill
the child, the threat was said not to be specific enough.

See: http://www.bailii.org/ew/cases/EWCA/Civ/1999/1533.html

Another interesting case is the US case of Tarasoff v Regents of the
University of California. See:
https://www.courtlistener.com/opinion/1175611/tarasoff-v-regents-ofuniversity-of-california

This involved a patient confiding to his university psychotherapist,
Dr Moore, that he intended to harm T, a fellow student. The
therapist informed the University police, but did not inform T,
whom the patient subsequently murdered.

The California Supreme Court held that the University’s employee was
under a duty to protect T by disclosing these threats to her.
GMC guidance regarding public interest disclosures, in guidance
“Disclosing Information about Serious Communicable Diseases”:

68. When deciding whether the public interest in disclosing
information outweighs the patient’s and the public interest in
keeping the information confidential, you must consider:
a. the potential harm or distress to the patient arising from the disclosure – for example, in
terms of their future engagement with treatment and their overall health

b. the potential harm to trust in doctors generally – for example, if it is widely perceived
that doctors will readily disclose information about patients without consent

c. the potential harm to others (whether to a specific person or people, or to the public
more broadly) if the information is not disclosed

d. the potential benefits to an individual or to society arising from the release of the
information

e. the nature of the information to be disclosed, and any views expressed by the patient

f. whether the harms can be avoided or benefits gained without breaching the patient’s
privacy or, if not, what is the minimum intrusion.

If you consider that failure to disclose the information would leave
individuals or society exposed to a risk so serious that it outweighs
the patient’s and the public interest in maintaining confidentiality,
you should disclose relevant information promptly to an
appropriate person or authority.

Another interesting case is that of X v Y [1988] 2 All ER 648. A newspaper
had obtained information from a Health Authority employee that two
GPs were HIV positive. The newspaper argued that it was in the public
interest to disclose this information. The court supported an injunction
preventing disclosure of the names of the GPs on the grounds that the risks
of individuals with HIV not seeking treatment that would be created if the
information were published, was greater than the public interest in
publishing.
So what about the patient who tests positive for HIV and refuses to
disclose to his wife?
12

You should explain to patients who have serious communicable
diseases how they can protect others from infection, including from
sexually transmitted diseases. This includes the practical measures
they can take to avoid transmission, and the importance of
informing people with whom they have sexual contact about the
risk of sexual transmission of serious communicable diseases.
13
You may disclose information [sufficient information, not identify
the person] to a person who has close contact with a patient who

has a serious communicable disease if you have reason to think
that:
a. the person is at risk of infection that is likely to result in serious harm
b. the patient has not informed them and cannot be persuaded to do so.

https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality---disclosing-information-about-seriouscommunicable-diseases/disclosing-information-about-seriouscommunicable-diseases
2. Preventing or Detecting Crime

Section 11 of the Police and Criminal Evidence Act 1984 classes medical
records as ‘excluded material’, which means that police will not normally be
allowed access to them. However, there is an exception for “serious
arrestable offences” e.g. rape, murder, kidnapping, death through dangerous
driving.
The police should provide a “121” form referring to the relevant part of the
Data Protection Act 2018 – Schedule 1, Part 2, Clause 1. These forms were
previously known as ‘Section 28’ forms, under the DPA 1998.
However, healthcare professionals must also have regard to their
professional obligations when disclosing information.
There are a number of other situations where the police may require
information:
S172 RTA 1988 – name and address should be provided (no access to medical information) See
Hunter v Mann, where a doctor was convicted for failure to provide information regarding two
patients he had treated following an alleged hit and run.
Terrorism Prevention and Investigation Measures Act 2011
Section 5B, Female Genital Mutilation Act 2003
Section 5, Criminal Law Act (Northern Ireland) 1967

Other scenarios relevant to disclosure include:

Medical Act 1983 – disclosure of patient information to the GMC when they request it for
fitness to practice enquiries against a doctor
Disclosure to Coroner
Accountable Officers – Controlled Drugs Regulations
Care Quality Commission
NHS Counter Fraud Authority
HMRC: Schedule 36 Part 1 of the Finance Act 2008
Notification of infectious diseases (The Health Protection (Notification) Regulations 2010)
Criminal Appeal Act 1995
Health and Social Care Act 2008
Health and Social Care (Community Health Standards) Act 2003
Regulation of Care (Scotland) Act 2001
Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland)
Order 2003
Public Health (Control of Disease) Act 1984
NHS Act 2006; NHS (Wales) Act 2006

You must disclose information if required by statute or ordered by the court.
For example:
i. a statutory requirement of a registered medical practitioner to notify the ‘proper officer’ of
certain infectious diseases; and whilst this is a legal duty for doctors, it is noted that: ”…
however, it is good practice for all clinical staff.”

See: https://assets.publishing.service.gov.uk/government/uploads/syste
m/uploads/attachment_data/file/773214/PHE_Notifiable_diseases_post
er_NE___NCL_HPT.PDF

ii. a statutory duty to report to the Police, Female genital Mutilation in those under the age of 18
years; s74 Serious Crime Act, 2015. See:
http://www.legislation.gov.uk/ukpga/2015/9/part/5/crossheading/female-genitalmutilation/enacted

iii. Notifications required by the Abortion regulations, 1991. See:
http://www.legislation.gov.uk/cy/uksi/1991/499/made
If you are required by statute to disclose, make sure: 1. Personal information is needed and is indeed required by law.

2. You disclose only information relevant to the request and only in the way required by
law.

3. You tell patients about the disclosure unless it would undermine the purpose of the
disclosure

4. You abide by patient objections if there are provisions to do so.

If you are ordered by the court to disclose information, ensure: 1. You only disclose information required by the court.
2. You object to attempts to get you to disclose irrelevant information.
3. You tell the Judge if you think a disclosure might put someone at risk of harm
4. You understand the basis for the disclosure

There is extensive guidance published by the General Medical Council
advising practitioners about the issues regarding confidentiality, available
at: https://www.gmc-uk.org/ethical-guidance/ethical-guidance-fordoctors/confidentiality
3. Teaching, Research and Audit

Relevant case law: R v Department of Health, ex parte Source Informatics
[2001] QB 242 – this relates to anonymisation of data for research purposes.
However, it should be noted, that under the Data Protection Act 2018, the
process of anonymisation, involves ‘processing’ of sensitive personal data,
and is therefore subject to the Data Protection Act.
The following, allow for processing of data, when it is not possible to use
anonymised data and seeking consent is impracticable for activities such as
medical research or the proper running of the health service:
NHS Act 2006 section 251 – England and Wales

Confidentiality Advisory Group
See: https://www.hra.nhs.uk/approvals-amendments/what-approvals-do-ineed/confidentiality-advisory-group

251(1) The Secretary of State may by regulations make such
provision for and in connection with requiring or regulating the
processing of prescribed patient information for medical purposes
as he considers necessary or expedient –
a. In the interests of improving patient care, or
b. In the public interests
(4) Regulations under subsection (1) may not make provision
requiring the processing of confidential patient information for any
purpose if it would be reasonably practicable to achieve that
purpose otherwise than pursuant to such regulations, having regard
to the cost of and the technology available for that purpose.

Health and Social Care (Care of Data Processing) Act (Northern
Ireland) 2016 – Northern Ireland
In Scotland the regulations are different and as such reference should be
given to the Scottish Government’s publication:
“Scottish Government Records Management: NHS Code of Practice
(Scotland) Version 2.0” available at:
https://www.gov.scot/publications/scottish-government-recordsmanagement-nhs-code-practice-scotland-version-2-0/pages/6

Gender Recognition Act 2004 (UK) – Protected information or
information about a patient’s application for gender recognition or their
gender history after a gender change is protected and it is an offence to
disclose this information unless a named exception is present to make it
justified.
Human Fertilisation and Embryology Act 1990 (UK) – Protects the
confidentiality of information kept by the Human Fertilisation and
Embryology Authority and such information can only be accessed or
disclosed in circumstances laid out in the legislation.
The National Health Service (Venereal Diseases) Regulations 1974
(Wales) - provide that any information capable of identifying an individual
who is examined or treated for any STD shall not be disclosed other than to
a medical practitioner in connection with the treatment of the individual in
relation to that disease or for the prevention of the spread of the disease.

What does lacking mental capacity mean?
The Mental Capacity Act, 2005
[https://www.legislation.gov.uk/ukpga/2005/9/contents]

s2: ‘For the purposes of this Act, a person lacks capacity in relation to a
matter if at the material time he is unable to make a decision for himself in
relation to the matter because of an impairment of, or a disturbance in the
functioning of, the mind or brain.’
s3: ‘For the purposes of section 2, a person is unable to make a decision for
himself if he is unable
a. to understand the information relevant to the decision,
b. to retain that information,
c. to use or weigh that information as part of the process of making the
decision, or
d. to communicate his decision (whether by talking, using sign language
or any other means).
The relevant legislation pertaining to these matters:
England & Wales

Mental Capacity Act 2005

Scotland

Adults with Incapacity (Scotland) Act 2000

Northern Ireland

Mental Capacity (NI) Act 2016 - not yet
fully in force

General principles:

Relevant information about a patient who lacks capacity to consent may be disclosed if it is of
overall benefit to the patient – ‘best interests’. Students should review Mental Capacity Act
2005 guidance on how to assess best interests
Capacity should be presumed
Capacity is time and decision specific

Regarding the disclosure – if disclosure is of overall benefit to the patient
lacking consent, when making the decision whether to disclose you must:
Make patient care primary concern
Respect the patient’s dignity and privacy
Support and encourage the patient to be involved in decision making if possible.

Also consider:
Is the patient’s capacity temporary or permanent
Are there any previously expressed preferences
The views of other relevant persons i.e. those close to the patient, one the patient asks you to
consult or a legal representative/appointee
What the healthcare team know about the patient’s wishes, feelings, beliefs and values.

See MCA Code of Practice:
https://www.gov.uk/government/publications/mental-capacity-act-code-ofpractice

See NHS England: Records Management Code of Practice for further
details.

However, GP electronic patient records must not be deleted, see:
https://www.bma.org.uk/advice/employment/ethics/confidentiality-andhealth-records/retention-of-health-records

THE DUTY OF CONFIDENTIALITY CONTINUES AFTER A
PATIENT HAS DIED.
The Access to Health Records Act 1990 (England, Wales and
Scotland) and the Access to Health Records (Northern Ireland)
Order 1993 have been repealed to the extent that they now only
affect the health records of deceased patients.

When can deceased patients’ records be disclosed?
1. If disclosure is required by law or Court order e.g. if a child has died

and abuse or neglect is suspected.
2. To assist the Coroner with an inquest.
3. Where disclosure is justified in the public interest to protect others from
risk of death or serious harm.
4. Where a person has a right to access under the Access to Health
Records Act/Order.

Who has the right of access under the Act/Order?
A personal representative of the deceased (the executor or administrator of
the deceased person's estate) OR
A person who may have a claim arising from the patient’s death.
N.B Only information directly relevant to the claim will be disclosed.
See: https://www.nhs.uk/common-health-questions/nhs-services-andtreatments/can-i-access-the-medical-records-health-records-of-someonewho-has-died

A deceased’s patient’s records SHOULD NOT be disclosed if

a. they identify a third party without that person’s consent unless the third

party is a health professional.
b. if disclosure is likely to cause serious harm/death to a third party’s
physical or mental health.
c. the deceased patient gave the information in the record in the past on
the understanding that it would be kept confidential.

Protecting children and vulnerable young people from harm is a high
priority for all doctors but for those in general practice and in forensic
practice there is more likely to be occasions when intervention to protect a
child from the risk of serious harm will be required. The need to disclose
information across specialties and professions to protect a child must
“trump” ethical concerns about breaching confidentiality and will apply
equally to information about third parties such as an adult who may be a
threat to a child. At all times the best interests of the child must be of
paramount importance.
In July 2012, the GMC published guidance entitled “Protecting Children
and Young People” which outlines the duties and responsibilities of doctors
in relation to the protection of children. It has a section on Confidentiality
and Sharing Information.
In the context of protecting children and young people a doctor can share
confidential information and otherwise breach the duty of confidentiality if
it is:
1. Justified in the public interest e.g. if the benefits to a child or young person that will arise from
the sharing of the information outweigh both the public and the individual’s interest in keeping
the information confidential. A doctor must weigh the harm that is likely to arise from not
sharing the information against the possible harm, both to the person and to the overall trust
between doctors and patients arising from releasing the information.

2. Required by law/statutory duty.
3. Ordered by a Court.

A doctor must tell an appropriate agency promptly if he is concerned that a child or a young
person is at risk of or is suffering abuse or neglect UNLESS it is not in their best interests to
do so.

A doctor should ask for consent before sharing confidential information
unless there is a compelling reason for not doing so e.g.
1. delay in sharing the information would increase the risk of harm
2. asking for consent may increase the risk of harm
3. disclosure is justified in the public interest.

If a child or young person objects to disclosure, a doctor must consider the
reasons and weigh the possible consequences of not sharing the information
against the harm that sharing the information might cause. If a child or
young person is at risk of or is suffering abuse or neglect it will usually be
in their best interests that information is disclosed to an appropriate agency.
If information is shared without consent the patient should be told why and
what information has been shared and with whom unless doing so would
put the child or young person or anyone's at increased risk.
If a doctor delays in sharing information he must be able to justify his
decision and a record should be kept explaining the decision not to
immediately share information.
Doctors should be aware that in sharing concerns about possible abuse and
neglect they are not making the final decision about how best to protect a
child or young person. That is the role of the local authority and ultimately
the Court.

Freedom of Information Act 2000 (England, Wales, Northern Ireland)
Relevant legislation in Scotland: Freedom of Information (Scotland)
Act 2002 (available
at: https://www.legislation.gov.uk/asp/2002/13/contents)

The Freedom of Information Act 2000 provides access to information
held by public authorities. For example:
Local authorities, health bodies and regulators, dentists, GPs,
optical contractors and pharmacies.
It requires public authorities to publish certain information about their
activities and entitles members of the public to request information.
The FOIA does not give people the right to:
access information about themselves (this should be a Subject
Access Request);
access personal, private or sensitive information about others;
access information about deceased patients.
For a request to be valid, it must be in writing.
The organisation has 20 working days within which to respond.

Governs access to medical reports made for insurance or employment
purposes.
The report must be made by a medical practitioner that is (or has been)
responsible for the patient’s clinical care.
Patients must be asked for consent before the report is prepared.
Patients have the following rights:
To see the report before sent to insurer/employer (subject to the
grounds for withholding access)
To ask for amendments
To be asked for consent before the report sent
To refuse to allow supply of the report

The patient can apply for access to the report at any time before it is supplied
to the employer/insurer and the medical practitioner should not supply the
report until this access has been provided unless 21 days have passed since the
patient has communicated with the doctor about making arrangements to see
the report.
Once the patient has access to the report, it should not be supplied to the
employer/insurer until the patient has given their consent. If an amendment is
requested, the medical practitioner should either:

a. Amend the report, if he/she/ deems or they deem it appropriate
b. Attach to the report a note of the patient’s views on the part of the
report which the doctor is declining to amend.

A medical practitioner may make a reasonable charge for supplying the
patient with a copy of the report.
The doctor should retain a copy of the report for at least six months
following its supply to the employer/insurer. During this period patients

continue to have a right of access.

Clinicians should ensure that they do not disclose confidential information
about patients on social media.
GMC guidance is available at: https://www.gmc-uk.org/ethicalguidance/ethical-guidance-for-doctors/doctors-use-of-social-media

NHS Employers has published guidance
at: https://www.nhsemployers.org/~/media/Employers/Publications/NOVE
MBER%20Your%20guide%20to%20using%20social%20media%20in%20t
he%20NHS.pdf

All sensitive information should be stored securely. Patients are
increasingly communicating with Healthcare Professionals via text
messages and emails. Such exchanges form part of the patient's records in
the same way as written correspondence.
When communicating with colleagues about patients, secure emails should
be used e.g. nhs.net.