All information that we hold about you is kept confidential and secure, whether it is held electronically or on paper and including all of the information held in your medical record. This information is held solely for the purpose of providing medical care, and it will only be shared with your permission and to aid your health and treatment. All staff, whether permanent or temporary, are required by their contracts (and professional codes of conduct in the case of the clinicians) to maintain confidentiality of all personal data that they may come into contact with during the course of their work. There are also legal requirements placed upon all staff by the Common Law Duty of Confidentiality and the Data Protection Act.

There are limited cases in which we can release personal information without a patient’s permission, including when it is in the public interest or there is a legal requirement to do so. However, these cases will be very rare and where appropriate we would still seek permission before releasing information in such a situation.

For further information on the situations in which this could occur, please visit the Information Commissioner's Office website.

For further information on specific data-sharing arrangements, please see below:


Confidentiality of Patient Information Policy


This policy outlines the confidential nature of patient information and provides guidance to Practice staff on the disclosure of this information.



Whilst it is vital for the proper care of individuals that detailed records are kept of their medical history and that those concerned with their care have ready access to this information, it is also important that patients can trust that personal information will be kept confidential and that their privacy is respected.

All staff have an obligation to safeguard the confidentiality of personal information. This is governed by law, their contracts of employment and, in many cases, professional codes of conduct. A statement of duty of confidentiality is signed by all work experience students and visiting staff who have access to personal information while at the Practice. All staff should be aware that breach of confidentiality could be a matter for disciplinary action and provides grounds for a complaint against them.


Disclosure of Information to Third Parties

It is understood that information will need to be shared between providers of care for patients to receive efficient and appropriate treatment and support. It is neither practical nor necessary to seek an individual’s explicit consent each time information needs to be shared or passed on in this way. Therefore, as long as the patient is aware of what information is to be shared with whom and of their right to refuse then implied consent can be assumed. If an individual does not consent to information about themselves being shared in this way, the individual’s wishes should be respected unless there are exceptional circumstances. Every effort should be made to explain to the individual the consequences of their refusal for care and planning but the final decision should rest with the individual.

Clarity about the purpose to which personal information is to be put is essential and only the minimum identifiable information necessary to satisfy that purpose should be made available. Access to personal information should be on a need-to-know basis. Having said this, in situations which require the provision of patient information to other care providers it is important that all information necessary to ensure full and effective treatment is passed on.

The principles of confidentiality apply equally to all patients, regardless of age. Young people are equally as entitled to confidentiality as all other patients. This means that 16 and 17 year-olds, as well as those under 16 who are ‘Gillick competent’, can be seen by a Doctor/Nurse, consent to treatment and expect that this and other medical information about them will be kept confidential, even from their parents, unless they consent to this information being shared. This applies equally to all treatments, including contraception and abortion. A ‘Gillick competent’ child is one who is able to understand fully the options available to them and the consequences of each one. More guidance on this can be found in the Consent Protocol.


Sharing Patient Information

Sharing of patient-identifiable information is governed by the 6 Caldicott Principles:

  1. Justify the purpose(s)
  2. Don’t use patient-identifiable information unless it is absolutely necessary
  3. Use the minimum necessary patient-identifiable information
  4. Access to patient-identifiable information should be on a strict need-to-know basis
  5. Everyone with access to patient-identifiable information should be aware of their responsibilities
  6. Understand and comply with the law
  7. The duty to share information can be as important as the duty to protect patient confidentiality

All staff are aware of these principles and of their legal obligations. They are also provided with examples of best practice methods for secure transfer of confidential information (see the guidance ‘Information Handling – Best Practice’).

  • Verbal permission must be obtained from the patient before divulging information. In certain cases, written consent should be obtained.
  • The patient must be clear to whom information will be given and why, and that they have the right to withdraw consent after it has been given.
  • Verbal permission must be documented in the patient's medical record.
  • Written permission must be filed or scanned into the patient’s notes.
  • If a patient requests that certain information be kept from their family or friends this request must be respected.

When Information can be disclosed without consent

  • The Mental Capacity Act allows for the creation of certain positions, such as a Lasting Power of Attorney, a Court of Protection-appointed deputy or an Independent Mental Capacity Advocate, who assume the responsibility of discussing and agreeing upon healthcare decisions for a patient who is incapacitated. In these instances certain aspects of the patient’s records must be shared to ensure an informed decision can be made. However, only information relevant to the treatment being proposed can be shared, and should the patient have expressed a wish that the information remain confidential – whether generally or from a specific person/group – then this must be respected. The same applies to carers, friends or family involved in healthcare decisions on behalf of an incapacitated person, but consideration should be given to exactly how much information is necessary and the potential sensitive or harmful nature of the information.
  • Anonymous data can be used without a patient’s consent, but if data used for research or education makes a patient in any way identifiable then explicit consent must be obtained from the patient for its use.
  • Some legislation sets out a legal requirement that patient information be disclosed in certain circumstances, for example where information could help in the prevention, detection or prosecution of serious crime. Such legislation includes the Road Traffic Act (1988), the Children Act (1989) and the Terrorism Act (2000).
  • Patient consent is also not needed if it is deemed to be in the public interest or in an individual’s vital interest to release certain information, for example if a patient has contracted an infectious disease which might pose a public health risk.
  • In all cases where consent is not needed, it is still advisable to inform the patient unless this could prove harmful in some way.

The decision to release information in the exceptional circumstances detailed above should be made by a senior member of staff and it may be necessary to seek legal advice. Any situation in which there is doubt over whether or not to disclose patient information without consent should be referred to Medical Defence for consideration and legal counsel. In all cases where there is a potential public interest in releasing information, consideration should be given to the potential harm of withholding the information to protect confidentiality and the potential harm – both to the patient in question and the public trust in the NHS – which disclosure may cause. For guidance on issues of confidentiality in relation to safeguarding patients who may be at risk of harm, please see the Child Protection Policy or the Safeguarding Adults Policy as appropriate.

There are also some statutory restrictions on the disclosure of information relating to AIDS, HIV and other sexually transmitted diseases, assisted conception and abortion. In these situations, advice should be sought.

Where information on individuals has been aggregated or anonymised, it should still only be used for justified purposes. Care should be taken to ensure that individuals cannot be identified from this type of information as it is frequently possible to identify individuals from limited data e.g. age and post code may be sufficient.

Any loss or incorrect disclosure of confidential information must be reported to the Information Governance lead, and the patient concerned should be informed of the situation.


Data Protection

The Practice not only has a responsibility to ensure that confidential information is shared appropriately and legally, but also to maintain adequate security for that information, protecting it against unauthorised access, unlawful processing and loss or destruction.

  • All staff will be given guidance on ensuring that confidential information is dealt with as securely as possible.
  • The Practice will take all reasonable care to protect the physical security of information technology and the data contained within it.
  • All data stored electronically will be backed up regularly and stored in a secure location.
  • Any issues raised about the security of information will be addressed promptly.
  • Any significant events involving breach of confidentiality or data protection will be reported, and measures will be taken to prevent the same circumstance from arising again.
  • All information systems will be password protected.
  • All personal files must be kept secure.

See also the Information Governance Policy.

For further guidance, see the NHS Confidentiality Code of Practice.

Other relevant Policies include:

  • Access to Medical Records Policy
  • Consent Protocol
  • Information Governance Policy
  • Child Protection Policy
  • Safeguarding Adults Policy

Children and confidentiality

Children have the same rights over their personal data as adults. This means that any child that has capacity (to understand their rights and the implications of releasing or withholding data) will need to provide consent before that data can be released to anyone else, including parents. From the age of 14 this capacity is assumed by the practice. Under the age of 14 a clinician may determine that the child has capacity to exercise these rights. If a child does not have capacity then those with parental responsibility may exercise these rights on behalf of the child, so long as it is deemed to be in the child's best interests.

If any patient aged 14+ wishes to allow their personal data to be shared with their parent, carer or any other third party, they will need to complete a consent form, which can be requested from reception, and return it to the practice so that we can add this consent to their record. For patients aged 14 or 15, this consent will be reviewed once they turn 16 to determine if it is still appropriate.