
  • You, and anyone you employ, must protect patient information.
  • You may disclose patient information in some circumstances where it is required by law, or where the patient or others might be at risk of serious harm.
  • You may share some limited patient information with others who provide care to your patients.
  • Disclosing any other information about a patient requires their consent.
  • You should anonymise patient information, where possible, and guard against unintentional or improper disclosures.
  • Disclosing information about a child requires their consent, or that of their parents, unless it is in the child’s best interests, or they are at risk of serious harm.
  • There are limitations on disclosing information to patients’ relatives or carers.
  • Patient information remains confidential after their death, with exceptions, for example where it is required by a court of law.
This Guidance does not change what you must do under the law.
You must respect and protect patient information.259 See section on Patient records.
Patients must consent before you share any information about them. See section on Consent. When asking for consent you should tell the patient:
  1. what information you want to share
  2. who you want to share it with
  3. how the information will be used.260, 261
Anyone you employ must also protect patient information.
You must keep confidential all patient identifiable information, including information which is handwritten, digital, visual, audio or retained in your memory. This includes:
  1. clinical information about a patient’s diagnosis or treatment
  2. when the patient attended the practice
  3. anything else that can be used to identify patients directly or indirectly, especially if combined with the patient’s name or address, full postcode or date of birth.
If an adult patient with capacity tells you not to share information with other people, you should firstly discuss this with them, and explain why you need to share the information. If they still refuse, you should not share their information, even if failure to share would leave the patient (but no one else) at risk of serious harm or death. If you believe that the patient’s decision to refuse a service puts them at risk of serious harm, you must discuss this issue with appropriate colleagues,262 whilst respecting the patient’s confidence.263 This can be done by discussing the case in general without revealing details which may identify the patient. You can share patient identifiable information if you are required to do so by law, or disclosure is justified in the public interest.
There are exceptions to the rule of protecting patients’ confidentiality which are:
  1. you may be required to provide information by law, for example if ordered by a court 
  2. you may need to disclose information if it is in the public interest, for example where failing to disclose information would expose other members of the public to risk of death or serious harm.264, 265, 266
You may disclose information without patient consent if you have reason to believe that asking for consent would put you or other people at risk of serious harm.267


259 Department of Health (2013) Information, to share or not to share. The information governance review, (Chairman: Dame Fiona Caldicott) [Accessed 1 Nov 2023]
260 General Medical Council (2018) Confidentiality: good practice in handling patient information, paras 9 and 10  [Accessed 1 Nov 2023]
261 General Medical Council (2018) Protecting children and young people: the responsibilities of all doctors, paragraph 35 [Accessed 1 Nov 2023]
262 General Optical Council (2017) Supplementary guidance on consent, para 41 [Accessed 1 Nov 2023]
263 General Optical Council (2016) Standards of Practice for Optometrists and Dispensing Opticians para 11.7  [Accessed 1 Nov 2023]
264 Department of Health (2010) Confidentiality: NHS code of practice. Supplementary guidance: public interest disclosures [Accessed 1 Nov 2023]
265 It is the view of the British Medical Association that the Counter-Terrorism and Security Act 2015, which places a duty on some organisations – including health bodies in England, Scotland and Wales – to have ‘due regard to the need to prevent people from being drawn into terrorism’, creates ‘no new obligations or immunities with regards to the sharing of confidential information’. ‘In almost all circumstances, therefore, doctors should seek consent for the sharing of this information’. [Accessed 1 Nov 2023].
266 General Optical Council (2020) Disclosing confidential information [Accessed 1 Nov 2023]
267 General Medical Council (2018) Confidentiality: good practice in handling patient information [Accessed 1 Nov 2023]
You should explain to patients that you will share information where it is in their best interests unless they object, while observing principles of confidentiality set out in this guidance. People expect professionals to share information with other members of the care team, so good sharing of information, where sharing is appropriate, is as important as maintaining confidentiality.268
You may rely on implied consent to share confidential information with those who are providing (or supporting the provision of) direct care to the patient if you are satisfied that all of the following apply:269
  1. the person accessing or receiving the information is providing or supporting the patient’s care
  2. information is readily available to patients explaining how their information will be used (for example, in leaflets, posters, on websites or face-to-face), and they have a right to object
  3. the patient has not objected
  4. anyone to whom confidential information is disclosed understands that it is given to them in confidence, which they must respect.
If you disclose information about a patient, you must:
  1. be satisfied that the patient:
    • has been informed that their personal information might be disclosed for the sake of their own care, or for local clinical audit, and that they can object
    • has not objected
  2. get the patient’s consent if identifiable information is to be disclosed for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest. The public interest is unlikely to be justified if the same purpose can be achieved with anonymised information
  3. keep disclosures to the minimum
  4. observe all relevant legal requirements, including the common law and data protection legislation 
  5. be able to justify why you disclosed the information
  6. keep a record of when you disclose information, what you disclose, and to whom.
If you, or others, wish to use patient identifiable information for teaching or research purposes, for example patient photographs, you must apply the principles in this guidance by:
  1. gaining patient consent
  2. making sure the patient understands what they are consenting to and how the information will be used
  3. only using or releasing the minimum information that is necessary for the purpose.
If you are using or disclosing information which does not require patient identifiable information, you should use anonymised or coded information, for example in clinical audit or for reporting quality measures.
Improper disclosures can be unintentional. You should not:
  1. share identifiable information about patients where you can be overheard, for example in the practice reception area, a public place or in an internet chat forum
  2. share passwords or leave patient records, either on paper or on screen, unattended or where they can be seen by other patients, unauthorised practice staff, or the public.
Employers must make sure staff are trained to avoid improper disclosures.
If you think the patient may be engaging in an activity where they pose a very real risk of danger to the public, such as the patient operating heavy machinery or driving when they are not fit to do so,270 but you are not sure whether you should act, ask yourself:
  1. what might the outcome be in the short- or longer-term if I do not raise my concern? 
  2. how could I justify not raising the concern?
If you decide to proceed, you should:
  1. first tell the patient that they are unfit to engage in the activity in question and give the reasons
  2. tell the patient to tell the relevant authority
  3. put your advice in writing to the patient, if appropriate
  4. keep a copy of any correspondence with the patient on the patient record.
Sometimes the actions in paragraph C92 might not achieve their aim or would take too long to do so. You have a duty of confidentiality to the patient, but this is not absolute and can be broken if it is in the public interest to do so. Guidance from the Department of Health includes the example of reporting a driver who rejects medical advice not to drive as one where the public interest can be a defence to breaching patient confidentiality.271
If you conclude that the public interest outweighs the duty of confidentiality, for example a patient who has told you that they intend to commit a crime or who continues to drive after being told not to, you should: 
  1. notify the relevant authority, and, if appropriate, provide evidence of clinical findings
  2. notify the patient’s GP of the action being taken
  3. notify the patient if appropriate.
If you disclose confidential information about a patient you must be prepared to explain and justify that decision. If you are unsure if this is appropriate, seek advice.
In other circumstances, you should not disclose any clinical, personal or non-clinical information about a patient to a third party, even if that person says they are family or a close friend. This is because it might harm the patient if you divulge the information, for example, if the patient is a victim of abuse. This includes the patient’s: 
  1. name
  2. contact details
  3. personal circumstances
  4. any other information that might disclose the individual’s whereabouts, for example whether they have been in your practice.
If a patient lacks capacity, you should share relevant information in accordance with the advice in paragraphs C84 and C85 and the section on Consent. Unless they indicate otherwise, it is reasonable to assume that patients would want those closest to them to be kept informed of their general condition and prognosis.
You must share relevant information with anyone who is authorised to make healthcare decisions on behalf of an adult patient who lacks capacity. This may be someone who has a welfare lasting power of attorney or equivalent. See section on Consent.
You must seek the consent of a child who has the capacity to consent before you share any confidential information about them. In Scotland, anyone aged 12 or over is legally presumed to have capacity to allow or prevent access to their health records by others, including their parents. In the rest of the UK, competence is assessed depending upon the child’s level of understanding.272 See section on Consent.
You may discuss matters regarding a child who does not have the capacity to consent with someone with parental responsibility. See section on Consent.
A parent who does not have parental responsibility for a child does not have an automatic right of access to confidential information.
Not all parents have parental responsibility. If the parents were married at or after the child’s conception, both will have parental responsibility, even if they have later divorced. Unmarried parents both have parental responsibility if they are named on the child’s birth certificate and the child was born on or after:
  1. 1 December 2003 in England and Wales
  2. 15 April 2002 in Northern Ireland
  3. 4 May 2006 in Scotland.
You should take the following steps to clarify parental responsibility and information sharing:
  1. note in the child’s record the name of the person who accompanies the child
  2. try to ascertain whether the person has parental responsibility
  3. if the person does not have parental responsibility, you will need to decide whether they can provide effective authority to proceed. If in any doubt, consult your professional or representative body.
If anyone else asks for information about the child (this can include the other parent without parental responsibility), you should direct them to the responsible person with whom you have already shared information.
You can share confidential information about a child or young person without their consent if you consider that the benefits to the child or young person that will arise from sharing will outweigh the public and patient’s interest in keeping the information confidential. If a child or young person refuses to consent to you sharing the information, you should consider their reasons for refusing, and weigh the possible consequences of not sharing the information against the harm that sharing may cause.273 You should only disclose information about a child or young person to an appropriate body without their, or their parents’, consent if:
  1. it is in their best interests
  2. failure to do so might place them at risk of serious harm
  3. the information would help prevent, detect or prosecute a serious crime.
You should record your reasons for doing this in the patient notes.
You should discuss with the patient what information they want you to share, with whom, and in what circumstances. This will be important if the patient has fluctuating or diminished capacity or is likely to lose capacity, even temporarily. This can help to avoid disclosures that patients would object to. It can also help to avoid misunderstandings with relatives or carers.
If anyone close to the patient wants to discuss their concerns about the patient’s eye health, you should tell them, before they begin, that you might need to tell the patient about the conversation if the information affects your care of the patient.
You should not refuse to listen to a patient’s relatives or carers on the basis of confidentiality. The information they provide might be helpful in your care of the patient. You should, however, consider whether it would be a breach of your patient’s trust to do this, especially if they have asked you not to listen to particular people.
The phrase ‘next of kin’ has no legal definition or status. You should not share information with a person who the patient nominates as their next of kin unless the patient has authorised you to do so. 
You should treat patient information as confidential, even after a patient has died. Whether you disclose personal information and what personal information you disclose after a patient’s death will depend on the circumstances. If the patient had asked for information to remain confidential, you should respect their wishes. If you are unaware of the patient’s wishes, and are asked to disclose information, you should consider:
  1. the purpose of the disclosure
  2. whether the information is likely to benefit or cause distress to the patient’s family
  3. whether the information is already in the public domain
  4. whether the information can be anonymised.
Information must only be disclosed to someone who is authorised to receive it, such as the executor of the will. You should ask to see the patient’s death certificate before disclosing information.
There are exceptions to maintaining patient confidentiality after death, for example, if you are required to provide information by a court of law.