Patient confidentiality

Person responsible for review of this protocol:  Practice Manager


The purpose of the protocol is to set out the obligations for all those working at The Alexandra Practice concerning the confidentiality of information held about patients and The Alexandra Practice.

This protocol is relevant to anyone who works at the practice, including non-clinical staff. Individuals on training placements and visitors/observers on the premises must also adhere to this.

This protocol will be reviewed every 2 years to ensure that it remains effective and relevant.

Importance of confidentiality

Confidentiality is a fundamental part of health care and crucial to the trust between doctors and patients. Patients entrust their practice with sensitive information relating to their health and other matters in order to receive the treatment and services they require. They should be able to expect that this information will remain confidential unless there is a compelling reason why it should not. All staff in the NHS have legal, ethical and contractual obligations under the common law duty of confidentiality and must ensure they act appropriately to protect patient information against improper disclosure.

Some patients may lack the capacity to give or withhold their consent to the disclosure of confidential information but this does not diminish the duty of confidence. The duty of confidentiality applies to all patients regardless of race, gender, gender reassignment (trans status), social class, age, religion, sexual orientation, appearance, disability or medical condition.

Information that can identify individual patients must not be used or disclosed for purposes other than healthcare unless the patient (or appointed representative) has given explicit consent in line with GDPR 25.05.2018, except where the law requires disclosure or there is an overriding public interest to disclose. All patient identifiable health information must be treated as confidential information, regardless of the format in which it is held. Information which is effectively anonymised can be used with fewer constraints.

The confidentiality of other sensitive information held about the practice and staff must also be respected.

Obligations for all staff

All staff must:

  • Always endeavour to maintain patient confidentiality;
  • not discuss confidential information with colleagues without patient consent (unless it is part of the provision of care);

  • not discuss confidential information in a location or manner that allows it to be overheard;
  • handle patient information received from another provider sensitively and confidentially;
  • not allow confidential information to be visible in public places;
  • store and dispose of confidential information in accordance with the Data Protection Act 1998 and the Department of Health’s Records Management Code of Practice (Part 2);
  • not access confidential information about a patient unless it is necessary as part of their work;
  • not remove confidential information from the premises unless it is necessary to do so to provide treatment to a patient, the appropriate technical safeguards are in place and there is agreement from the information governance lead (Dr A Larkin) or Caldicott Guardian (Dr Sam Campbell);
  • contact the information governance lead or Caldicott Guardian if there are barriers to maintaining confidentiality;
  • report any loss, inappropriate storage or incorrect disclosure of confidential information to the information governance lead or Caldicott Guardian within 24 hours.

It is expected that members of staff will comply with the law and guidance/codes of conduct laid down by their respective regulatory and professional bodies.

Information disclosures

When a decision is taken to disclose information about a patient to a third party due to safeguarding concerns/public interest, the patient should always be told and asked for consent before the disclosure unless it would be unsafe or not practical to do so. In circumstances where consent cannot be sought, there must be clear reasons and necessity for sharing the information.

Disclosures of confidential information about patients to a third party must be made to the appropriate person or organisation and in accordance with the principles of the GDPR, the NHS Confidentiality Code of Practice (see below) and the GMC’s Good Medical Practice.

The 2004 Gender Recognition Act (GRA) makes it a criminal offence to disclose an individual’s transgender history to a third party without their written consent if that individual holds a Gender Recognition Certificate (GRC). Patients do not need to show a GRC or birth certificate in order for the GRA 2004 to be in effect, so it is best practice to act as though every trans patient has one. This means always obtaining a trans patient’s written consent before sharing details about their social or medical transition, sometimes also called gender reassignment, with other services or individuals. This includes information such as whether a patient is currently taking hormones or whether they have had any genital surgery, as well as information about previous names or the gender they were given at birth. Consent should always be obtained before information relating to the patient being trans is shared in referrals and this information should only be shared where it is clinically relevant.

Obligations for employers

The employers at the practice must:

  • Ensure that confidential information can be stored securely on the premises and that there are processes in place to guarantee confidentiality;
  • make sure that all individuals to whom this protocol is relevant have read, understood and signed this protocol;
  • review and update this protocol on a regular basis.

This protocol is subject to the provisions set out in the legislation and guidance listed below:

GDPR 2018; The Information Commissioner’s Office guide to data protection

The Department’s Code of Practice for Records Management (Part 2)

Human Rights Act 1998 / The Common Law Duty of Confidence

Access to Health Records Act 1990 / Confidentiality: NHS Code of Practice 2003

NHS Care Record Guarantee 2009

Reviewed & updated 28.09.2021 MJ / Review due 29.09.2023 or as needed

Date published: 10th October, 2014
Date last updated: 21st November, 2022