Confidentiality risks: disclosure without consent

Issues around confidentiality still feature commonly among calls to our advice line and some recent cases have highlighted complexities with regard to sharing patient information with third parties.

  • Date: 06 January 2015

Issues around confidentiality still feature commonly among calls to our advice line and some recent cases have highlighted complexities with regard to sharing patient information with third parties.

Our research finds that practices are receiving anywhere from 2–30 requests per month for copies or other information from patient records. These requests can come from many sources – the patient or their representative, insurance companies, lawyers and the police amongst many others. Dealing with such requests is time consuming for the practice and often the initial consideration of whether to share the information can be difficult.

Disclosure without consent

Clinicians are quite rightly protective of their patients’ records and the importance of a confidential medical service. However, there are occasions when the practice will be asked to share patient information without patient consent and these can be the trickiest scenarios to deal with. A common example is when the practice is being asked for patient information in relation to investigation of potential criminal activity. Often this is a request by the police but there may be similar requests from other organisations.

MDDUS case

A recent case at MDDUS involved a request for information by a benefit investigation officer. The GP received a letter asking for general health information over a period of time, related to a patient who was well known to her. In addition the GP was asked for information around the patient’s mental health, family situation and sexual orientation.

The GP contacted MDDUS as she was concerned that the level of information requested seemed excessive and of a particularly sensitive nature, which was difficult to relate to this type of investigation. The letter quoted section 29 of the Data Protection Act (DPA) which details the exemption from necessary patient consent when the information requested is in relation to prevention or detection of a crime.

Confidentiality and the GMC

The investigating officer here was correct – to an extent. However, the important point was that authority to release personal sensitive information under one piece of legislation does not necessarily mean that disclosure should be undertaken. In this case authority to release information under the DPA has to be considered alongside the common law duty of confidentiality and professional obligations, as set out by the GMC, in regard to clinical practice.

The GMC states that disclosure of personal information about a patient without consent may be justified in the public interest if failure to disclose may expose others to a risk of death or serious harm. Paragraph 54 then further details:

“Such a situation might arise, for example, when a disclosure would be likely to assist in the prevention, detection or prosecution of serious crime, especially crimes against the person.

The important inclusion here is the word ‘serious’. There is no agreed definition of a “serious crime”, although NHS guidance does provide some examples such as: murder, manslaughter, rape and child abuse. Crimes not usually viewed as serious enough to warrant disclosure without consent include theft, fraud and damage to property.

So there are two lots of guidance to be mindful of here. In this instance, the clinician could probably satisfy most of the conditions of the DPA (albeit the excessive nature of the request could still be queried) but they would be likely to face criticism from the GMC if disclosure were undertaken without further consideration of the duty of confidentiality.

MDDUS advice

The member was therefore advised to respond to the officer with a request for written patient consent before sharing information from the record. This would, almost always, be the starting point when asked for disclosure of patient information. It is only in unusual circumstances when patient consent might not be sought.

The member also asked for clarification on the sensitive and excessive nature of the information sought, before considering release. It is important to understand that exemptions in DPA do not compel clinicians to share information but rather are permissive clauses, which allow a clinician to exercise professional judgement in specific situations and disclose where appropriate. Disclosure of the minimum amount of information necessary is a principle of the DPA and requests for excessive or apparently irrelevant information should be questioned.

The decision to share information in these types of circumstances can be complex and often falls to the judgement of the clinician. Scenarios which involve sharing patient information without patient consent require serious thought and full understanding of the circumstances. As ever, comprehensive record keeping and documenting fully your thoughts, considerations and decision-making process are key in justifying your actions where there might be challenged.

In this case patient consent was received and the clinician responded to the request with their specific agreement, however members facing such scenarios are advised to contact our advice team – advice@mddus.com – who will be more than happy to provide specific guidance.

What challenges do you face in this area? Any comments, thought and suggestions are invited below.

This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.

Save this article

Save this article to a list of favourite articles which members can access in their account.

Save to library

Related Content

Equality, diversity and inclusion workshop

Equality, diversity and inclusion workshop

Equality, diversity and inclusion workshop

For registration, or any login issues, please visit our login page.