
Journal of
Diabetes Nursing



Understanding confidentiality in health care

Chris Cox

Healthcare professionals are often unclear about the circumstances in which health information about a particular individual may be disclosed to a third party. Confidential health information falls into the category of “sensitive personal data” under the Data Protection Act and although healthcare professionals generally understand this, there are often specific circumstances where more advice is needed. This article describes some of the basic and straightforward principles that govern the handling of confidential information.

Over the years a common enquiry to the Royal College of Nursing telephone advice line has been about confidentiality. In particular, healthcare professionals are often unclear about the circumstances in which health information about a particular individual may be disclosed to a third party.

Everyone appears to know that such information is generally “confidential”, and falls into a category of “sensitive personal data” under the Data Protection Act, 1998. Despite this understanding, when it comes to the following typical scenarios, uncertainty often arises:

  1. The individual has refused to give me permission to disclose her health information to anyone, and I believe that this could be detrimental to the person’s health and wellbeing. Can I disclose?
  2. Someone has arrived in A&E with evidence of involvement in a criminal activity. Do I have to tell the authorities, such as the police?
  3. As an occupational health nurse, I have been asked by the solicitors for the employer to disclose the occupational health records of an employee, without seeking the employee’s consent. Should I?
  4. I have been treating a 15-year-old girl as a school nurse and she has insisted that I do not tell her parents about her presenting health problems. Does a 15-year-old have a right to confidentiality?

As with my earlier articles in this journal on legal accountability and consent, the basic principles governing the handling of confidential information are straightforward. The reasoning process that I suggest is adopted by healthcare professionals is a sequence of questions:

  1. Is the information confidential?
  2. If so, and I believe that I should disclose to a third party, have I got my patient’s consent? “Consent” implies that the patient is: legally competent; suitably informed about what information will be disclosed, to whom, and why; and that the assent is freely given (without duress).
  3. If my patient withholds their consent to disclosure, does the law require me to disclose? (Am I under a legal duty and have no choice?)
  4. If the law does not oblige me to disclose, could I nevertheless disclose in breach of my patient’s confidentiality? In other words, does the public interest in disclosure outweigh the confidentiality of the patient?
  5. Have I told the patient? If I am going to breach my patient’s confidentiality, then ordinarily I should let the patient know in advance, except in very exceptional circumstances.

Legal duty of confidentiality
The courts (common law) have long recognised a legal duty of confidentiality imposed on healthcare professionals in relation to patient information. This is also an explicit requirement of the Nursing and Midwifery Council (NMC) code of practice (paragraph 5), and can be found in the ethical codes of all other health professions.

In addition, health information is “sensitive personal data” (i.e. information about an individual’s physical or mental health, or condition) as defined under the Data Protection Act and may only be processed in accordance with the provisions of that Act. Electronic data and administrative technology present a considerable challenge for healthcare organisations and professionals so far as the handling of health information is concerned, and the risks of inadvertent disclosure are the subject of almost weekly news reports. Therefore, extra care should be taken.

Fair and lawful disclosure
In relation to the Data Protection Act, one common error needs to be highlighted. The Data Protection Act states that sensitive personal data should only be processed (which obviously includes sharing) where it is done “fairly and lawfully” and at least one of the conditions in both Schedule 2 and Schedule 3 of the Act is met. However, simply satisfying a condition in Schedules 2 and 3 respectively will not necessarily amount to “fair and lawful” processing. In other words, by way of illustration, the police may state that they require access to patient information that is relevant to the detection and prosecution of a serious crime (and this satisfies conditions in both Schedules), but that does not mean that, under the Act, the processing will be “fair and lawful”. To satisfy those requirements, I suggest you still need to follow the reasoning process I described above for handling all confidential information.

When a patient discloses personal health information to a health professional, it is recognised that the provision of health care often cannot function without the sharing of that information, whether in a hospital or community setting, with others who have a genuine “need to know”. This may be with other healthcare professionals or administrative staff. Consent to disclosure must generally be explicit, though in these circumstances, it is arguable that by disclosing personal health information and seeking health care, the patient is impliedly consenting to the sharing of their information with others. However, do not rely mechanically on implied consent and ensure that disclosure is absolutely required for essential health care when you share it. In any event, anyone who handles patient information (not just the healthcare professional) must understand the duty of confidentiality.

When a patient does not consent to information being shared
Should the patient expressly state that they do not want the information to be shared with anyone else, and even object to the information being recorded, the healthcare professional has no permission to do either. This may prevent the healthcare professional from giving the care required, and should, of course, be discussed with the patient; ultimately, however, it may be that the healthcare professional is only able to record in the notes that the patient is withholding consent to record/disclose (unless public interest considerations warrant sharing – see below). Often, in my experience, patients will withhold consent because they do not fully understand what information will be disclosed, to whom, and why. Once this has been explained, most people are satisfied and give their consent.

In the absence of consent, where the healthcare professional believes that it is nevertheless necessary for others to be informed, when does the law place the professional under a legal obligation to disclose? The fact is that the circumstances where the law requires disclosure are very few. Without listing the Acts of Parliament here, they generally cover public health, sexually transmitted diseases, terrorism offences, abortion, drugs and so on. There is a limited duty under road traffic legislation to provide the police, on request, with information that might identify a driver who has committed a traffic offence, but generally it should be noted there is no legal obligation on anyone to volunteer information to the police to assist them with their enquiries into alleged criminal offences. Many of us will decide to do so, however, out of a sense of public responsibility. But if you do, it is important to take note of the following considerations.

Assuming that the healthcare professional is in possession of confidential health information, which the patient has refused permission to disclose, and there is no Act of Parliament obliging the professional to share, in what circumstances may disclosure nevertheless be legally justified? All healthcare professional codes of ethical behaviour recognise that the duty of confidentiality is not absolute, and that it may be qualified in certain circumstances. In this respect, the various codes mirror the general law (for example, the human rights legislation is clear that the right to privacy – Article 8 of the European Convention on Human Rights – is not absolute and may be breached in exceptional circumstances).

Example cases
In W versus Egdell [1990] 1 All ER 835, W was detained in a secure hospital following a string of serious offences. In accordance with his right under the mental health legislation, he applied for a review of his detention and requested a transfer to a less secure regional unit. His solicitors sought a medical report to support W’s application, and approached a consultant psychiatrist, Dr Egdell. Dr Egdell was very unsupportive and so the review/application was withdrawn. Owing to information that had come to light during Dr Egdell’s examination of W, and which he believed was very relevant to the issue of public safety and future reviews of W’s detention, he disclosed a copy of his report to the Home Office and to the medical director of the secure hospital. W sued for breach of confidentiality. W lost in both the High Court and Court of Appeal.

From this judgement, I suggest that in weighing up whether a disclosure in breach of confidence is justified, for example where the public interest in disclosure outweighs the public interest in the confidentiality of health information, the healthcare professional should consider the following:

  1. Was there a real and serious (not hypothetical) risk of danger to the public or an identifiable individual, which would justify a breach of patient confidentiality?
  2. Disclosure must be to a person who has a legitimate interest to receive the information. So, for example, a disclosure to the press in the Egdell case would have been an actionable breach of confidentiality and unjustified.
  3. Disclosure must be confined to that which is strictly necessary in order to avert or mitigate the danger that would otherwise be presented by maintaining confidentiality.

Conversely, in the case of X versus Y [1988] 2 All ER 649, the High Court held that the public interest in favour of freedom of the press in debating the risks presented by healthcare professionals with HIV infection, and identifying them, did not outweigh the public interest in respecting the confidentiality of the healthcare professionals concerned, particularly given the risks to the public health policy of encouraging individuals to present themselves for testing, counselling and treatment.

Protection of the patient
Is it justified to breach patient confidentiality to protect the patient him or herself? It may be, particularly in the case of a child or young person, or someone who is legally competent but vulnerable, perhaps. The balancing exercise is, I suggest, rather more acute in these circumstances, with arguments around paternalism and so on.

You may be justified in breaching your patient’s confidentiality because of public interest considerations, though the onus is clearly on you to satisfy the above requirements. It is my advice to health professionals in this situation to clearly record the above reasoning process, and in most instances, to warn the patient in advance of the disclosure why you are having to take this step. It is far better to afford the patient an opportunity to further discuss your concerns, than to wait for them to be surprised to learn that their confidence has been broken.

Finally, do under-16-year-olds have a legal right to confidentiality? The answer is yes and I refer readers back to the Gillick case, described in my previous article on the law of consent. A mature minor has a legal right to confidentiality, though again, it is not absolute and may be breached in certain circumstances (such as child protection concerns).

In my experience, the most difficult situation is often presented in schools, with a nursing or medical service that comes under pressure from either teachers or the parents of children, or both, to disclose information about a child in the care of the healthcare professional. To avoid conflicts, I suggest that all healthcare providers (whether in community, primary or acute care settings) have appropriate policies on confidentiality and the handling of patient information, irrespective of the age of the patients concerned. These should be shared with everyone who may come into contact with the health service and, in particular, those (such as parents) who believe (often mistakenly) that they have a legal right to access such information, with or without the consent of the patient. Nothing undermines a health service more quickly than a reputation for inappropriate handling of confidential health information.
