According to 2025 data from the Information Commissioner's Office (ICO), the health sector accounts for more data security incidents than any other, making up 18% of all recorded incidents. Despite the ever-increasing threat from hackers and other rogue agents, human error remains the main cause of these incidents, and the most common single type is data emailed to the wrong recipient.
With our ever-increasing reliance on email and electronic patient management systems, health professionals must be alert to their ethical and legal responsibilities for patient confidentiality in this complex environment. Confidentiality is fundamental to the trust between patients and healthcare professionals and underpins safe and effective care.
Confidentiality is the foundation on which the doctor-patient relationship is built. Patients must feel safe to share personal information with a healthcare professional, who in turn needs that information for accurate diagnosis and treatment.
Patients are more likely to seek medical help and be open with healthcare professionals if they trust that their information will be kept private. Breaching a patient's privacy can harm their reputation, job or relationships. Their privacy, and their right to control their personal information, are crucial and must be respected.
The common law duty of confidentiality is a legal obligation to protect personal information shared in confidence from unauthorised disclosure. This duty arises from the reasonable expectation that information shared in confidence will not be used or passed on without valid consent. The Data Protection Act 2018 and UK GDPR set out the legal requirements for processing personal data lawfully, fairly and securely.
The ethical and legal framework for confidentiality means that healthcare professionals are professionally accountable, and breaches of confidentiality can result in disciplinary action by employers and regulators, and even legal claims. The GMC, GDC and NMC have all published detailed guidance for healthcare professionals setting out the circumstances in which confidential information can and should be disclosed.
Confidentiality, however, is not absolute, and there are situations where disclosure without the patient's consent is justified, or even legally required. These include disclosure in the public interest, for example to prevent a serious risk of harm to others.
There are also statutory requirements for disclosure, including in relation to notifiable diseases, child protection and female genital mutilation (FGM). Disclosure is also legally required in response to a court order, or when a Coroner requires information to investigate a death.
However, even in these instances the information disclosed should be limited to the minimum necessary for the purpose. If you have any doubt about when and what to disclose, seek advice before you do anything from your organisation's Caldicott Guardian, Information Governance Lead or your medical defence organisation.
Maintaining patient confidentiality is crucial for healthcare professionals, not only for ethical reasons (maintaining trust and respecting patient autonomy) but also because of significant legal obligations under common law, the Data Protection Act 2018 and UK GDPR.
While confidentiality is not absolute, disclosures must be carefully considered and justified, often requiring legal or public interest grounds, and always limited to the minimum necessary information.
Adhering to practical guidance, such as obtaining informed consent, storing data securely and communicating mindfully, is essential. MDS can provide support and advice to help you navigate complex confidentiality concerns, which may prevent escalation and help ensure best practice in handling sensitive patient information.
We can give advice on whether a disclosure without patient consent is justified by law or in the public interest.
We can support our members when a confidentiality concern is raised against them. We can give guidance on responding to complaints or investigations involving data breaches.
If you need medico-legal support for a confidentiality concern, it is vital to contact us early for advice, as our recommended actions may prevent escalation.
If you are a Medical Defence Shield member, and you find you might need our help, please do not hesitate to contact us on 0300 30 32 442 or [email protected] and we will be more than happy to assist you further.
Not an MDS member? Get in touch and join today!