All patients can expect that their personal information will not be disclosed without their permission (except in the most exceptional circumstances when disclosure is required when somebody is at grave risk of serious harm).

All information held at the practice about patients is confidential, whether held electronically or in hard copy. Other information about the practice (e.g. staff records and financial matters) is confidential.

Staff will, by necessity, have access to such confidential information from time to time.


The policy applies to all practice employees and partners, and also applies to other people who work at the practice e.g. Locum GPs, Non-employed nursing staff, Individuals on training placements, temporary staff and contractors.

Importance of Confidentiality

Confidentiality is a fundamental part of health care and crucial to the trust between doctors and patients. Patients entrust their practice with sensitive information relating to their health and other matters in order to receive the treatment and services they require. They should be able to expect that this information will remain confidential unless there is a compelling reason why it should not. All staff in the NHS has legal, ethical and contractual obligations of confidentiality and must ensure they act appropriately to protect patient information against improper disclosure.

Some patients may lack the capacity to give or withhold their consent to disclosure of confidential information but this does not diminish the duty of confidence. The duty of confidentiality applies to all patients regardless of race, gender, social class, age, religion, sexual orientation, appearance, disability or medical condition.

Information that can identify individual patients must not be used or disclosed for purposes other than healthcare unless the patient (or appointed representative) has given explicit consent, except where the law requires disclosure or there is an overriding public interest to disclose. All patient identifiable health information must be treated as confidential information, regardless of the format in which it is held. Information which is effectively anonymised can be used with fewer constraints.

The confidentiality of other sensitive information held about the practice and staff must also be respected.

Obligations for all staff

Staff must regard all patient information as confidential and must not, under any circumstances, disclose patient information to anyone outside the practice, except to other health professionals on a need to know basis, or where the patient has provided written consent.

Staff must not, under any circumstances, disclose other confidential information about the practice to anyone outside the practice, unless with the express consent of the Practice Manager / Senior Partner.

Staff should limit any discussion about confidential information only to those who need to know within the practice.

Staff must be aware of and conform to the requirements of the Caldicott recommendations:

  • Electronic transfer of any confidential information, once approved by the practice Manager / Senior Partner, must be transmitted via the NHS Net.
  • Staff must take particular care that confidential information is not transmitted in error by email or over the internet
  • Staff who suspects a breach of confidentiality must inform the practice Manager / Senior Partner immediately.
  • Any breach of confidentiality will be considered as a serious disciplinary offence and may lead to dismissal.
  • Staff remain bound by the requirement to keep information confidential, even when they are no longer employed at the practice.
  • All staff will be required to sign the practices Confidentiality Statement, as detailed below.
  • It is expected that members of staff will comply with the law and guidance / codes of conduct laid down by their respective regulatory and professional bodies.

Obligations for employers

The employer must ensure that confidential information can be stored securely on the premises and that there are processes in place to guarantee confidentiality. The employer must make sure that all individuals to whom this protocol is relevant have read, understood and signed this protocol. The employer must review and update this protocol on a regular basis.

Children and Young People

The practice recognises that the principles of confidentiality apply equally to all patients, irrespective of age.

The practice will ensure that its staff recognise that all patients under 16 are entitled to the same level of confidentiality as all other patients, including being respectful of any request to withhold information from their parents or guardians and take all necessary steps to ensure that this right of confidentiality is not inadvertently breached.

Where a young person requests a consultation at the practice premises, they will be booked in to see a clinician in the normal way.

In the event that a young person attends the surgery without a pre-booked consultation and without adult support, the normal procedure for providing them with a consultation appointment will take place.

If the request is for an urgent appointment, the young person will be triaged by referral to a practice nurse.

Should the young person independently request medical advice or treatment (including contraceptive advice, abortion, other treatments and surgical procedures), the practice clinician involved in the consultation with the young person will determine their competency and capability to understand the choices of treatment available and the consequences of such treatment. If the young person is under the age of 16, the clinician will try to take reasonable steps to persuade them to involve the parent(s).

When such competency and capability is deemed to exist, the practice clinician will provide appropriate medical advice or initiate suitable treatment.

Information disclosures

When a decision is taken to disclose information about a patient to a third party due to safeguarding concerns / public information, the patient should always be told and asked for consent before the disclosure unless it would be unsafe or not practical to do so.

In the circumstances that consent can not be sought, then there must be clear reasons and necessity for sharing the information.

Disclosures or confidential information about patients to a third party must be made to the appropriate person or organisation and in accordance with the principles of the Data Protection Act 1998 (Annex1), the NHS Confidentiality Code of Practice and the GMC’s Good Medical Practice.