
Principles of patient confidentiality

You must respect and protect patient information.[259] See section on Patient records.
Patients must consent before you share any information about them. See section on Consent. When asking for consent you should tell the patient:
  1. what information you want to share
  2. who you want to share it with
  3. how the information will be used.[260, 261]
Anyone you employ must also protect patient information.
You must keep confidential all patient identifiable information, including information which is handwritten, digital, visual, audio or retained in your memory. This includes:
  1. clinical information about a patient’s diagnosis or treatment
  2. when the patient attended the practice
  3. anything else that can be used to identify patients directly or indirectly, especially if combined with the patient’s name or address, full postcode or date of birth.
If an adult patient with capacity tells you not to share information with other people, you should firstly discuss this with them, and explain why you need to share the information. If they still refuse, you should not share their information, even if failure to share would leave the patient (but no one else) at risk of serious harm or death. If you believe that the patient’s decision to refuse a service puts them at risk of serious harm, you must discuss this issue with appropriate colleagues,[262] whilst respecting the patient’s confidence.[263] This can be done by discussing the case in general without revealing details which may identify the patient. You can share patient identifiable information if you are required to do so by law, or disclosure is justified in the public interest.
There are exceptions to the rule of protecting patients’ confidentiality which are:
  1. you may be required to provide information by law, for example if ordered by a court
  2. you may need to disclose information if it is in the public interest, for example where failing to disclose information would expose other members of the public to risk of death or serious harm.[264, 265, 266]
You may disclose information without patient consent if you have reason to believe that asking for consent would put you or other people at risk of serious harm.[267]


259 Department of Health (2013) Information, to share or not to share. The information governance review, (Chairman: Dame Fiona Caldicott) [Accessed 1 Nov 2023]
260 General Medical Council (2018) Confidentiality: good practice in handling patient information, paras 9 and 10 [Accessed 1 Nov 2023]
261 General Medical Council (2018) Protecting children and young people: the responsibilities of all doctors, paragraph 35 [Accessed 1 Nov 2023]
262 General Optical Council (2017) Supplementary guidance on consent, para 41 [Accessed 1 Nov 2023]
263 General Optical Council (2016) Standards of Practice for Optometrists and Dispensing Opticians, para 11.7 [Accessed 1 Nov 2023]
264 Department of Health (2010) Confidentiality: NHS code of practice. Supplementary guidance: public interest disclosures [Accessed 1 Nov 2023]
265 It is the view of the British Medical Association that the Counter-Terrorism and Security Act 2015, which places a duty on some organisations – including health bodies in England, Scotland and Wales – to have ‘due regard to the need to prevent people from being drawn into terrorism’, creates ‘no new obligations or immunities with regards to the sharing of confidential information’. ‘In almost all circumstances, therefore, doctors should seek consent for the sharing of this information’. [Accessed 1 Nov 2023]
266 General Optical Council (2020) Disclosing confidential information [Accessed 1 Nov 2023]
267 General Medical Council (2018) Confidentiality: good practice in handling patient information [Accessed 1 Nov 2023]