Department of Health

The requirement to maintain confidentiality is absolute during the complaints process. This section introduces you to the law and confidentiality and other issues such as access to records, consent, sharing information and Caldicott Guardians.

The law and confidentiality

The Data Protection Act 1998 became effective from 1 March 2000, and superseded the Data Protection Act 1984 and the Access to Health Records Act 1990. The Data Protection Act 1998 gives every living person the right to apply for access to his or her health records. The exception to this is the records of deceased persons, which are still governed by the Access to Health Records Act 1990.

A health record is defined as a record consisting of information about the physical or mental health or condition of an identifiable individual, made by or on behalf of a health professional in connection with the care of that individual. Individuals have a right to apply for access to records irrespective of when they were compiled.

The Act does not provide applicants with a right to directly inspect health records, although this can, of course, be agreed between the patient and the data controller. It remains Department of Health policy that patients who wish to actually see what is written about them in their records should be allowed to do so, subject to given exemptions and unless there are compelling reasons to the contrary.

Responsibility for dealing with a subject access request lies with the "data controller". A data controller is defined as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data about an individual are, or are to be, processed.

Under the Data Protection Act 1998 there are certain circumstances in which the record holder may withhold information. Access may be denied, or limited, where the information might cause serious harm to the physical or mental health or condition of the patient, or any other person, or where giving access would disclose information relating to or provided by a third person who had not consented to the disclosure.

Where the applicant is not the patient, the applicant should have access only to the information and explanation which would otherwise have been made available to the patient.

A request from a solicitor acting on behalf of a patient should be dealt with in exactly the same way as a request from the patient. As a general rule, a person with parental responsibility will have the right to apply for access to a child's health record. Parental responsibility for a child is defined in the Children Act 1989 as "all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property".

Access to records

Access to clinical records should not be confused with access to the NHS Complaints Procedure; these are separate processes. However, it will often be the case that a complaint relates to a clinical issue and will therefore require disclosure of clinical records to the patient or their representative.

Under the Data Protection Act 1998, all patients have a right of access to their clinical records, unless the contents of those records were to pose a serious threat to their mental stability. Complaints about any aspect of an application to obtain access to health records can be made under the NHS Complaints Procedure.

If the representative for a patient competent to consent wishes to have access, or discuss any aspect of their clinical records, they must supply a written statement from the patient authorising the hospital and the medical/nursing staff to reveal to, or discuss with, the representative any and all clinical information.

Where a patient is unable to give consent and manage their own affairs, any person appointed by a court to manage those affairs may give consent for the release of clinical records and information to the representative of the patient (unless the representative of the patient is already the person appointed by the court).

Access to the health records of a deceased person is governed by the Access to Health Records Act 1990. Under this legislation where the patient has died, their personal representative or executor or administrator or anyone having a claim resulting from the death, has the right to apply for access to the deceased's health records. This could be, for example, a spouse/partner, son, or daughter.

It is absolutely imperative that confidentiality is maintained throughout these procedures. Complaint records should be kept separate from health records, subject to the need to record information which is strictly relevant to the patient's health. Such records must be treated with the same degree of confidentiality as normal medical records and would be open to disclosure in legal proceedings.

Confidentiality and consent

Health information is collected from patients in confidence and attracts a legal duty of confidence until it has been effectively anonymised. This legal duty (established under common law) prohibits information use and disclosure without consent - effectively providing individuals with a degree of control over who sees information they provide in confidence. This duty can only be overridden if there is a statutory requirement, a court order, or if there is a robust public interest justification.

The Information Commissioner advises that most uses or disclosures of medical data will be justified by having obtained the consent of patients. There is no single definition of consent. The EU Directive, for instance, defines consent as: "...any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."

On one reading this definition suggests that the giving of consent may not legitimately be made a condition of receiving a service such as health care since to impose conditions might mean that consent had not been "freely given". Were a data controller to seek to rely upon consent as a condition of processing medical data such a strict reading of the definition in the Directive might invalidate the consent that had apparently been obtained.

In considering the common law duty of confidence, however, the courts have not generally found that consent is rendered invalid by having conditions attached, provided that those conditions are not unduly onerous. It is this approach to consent that the Commissioner will follow, taking three key considerations into account.

Firstly, consent must be informed. In other words, the data subject must know what the proposed uses or disclosures of personal data are. In effect, a patient will be able to give informed consent if he or she has been supplied with the fair processing information discussed earlier. It follows from this that a patient cannot be deemed to have consented to something of which he or she is ignorant.

Secondly, the person giving consent must have some degree of choice. "Consent" given under duress or coercion is not consent at all. By contrast consent which is entirely optional and may be withheld without any consequences is clearly valid. Between these two extremes is consent which is more or less conditional upon agreement to some other term or condition. It would not necessarily be unfair that a patient should be asked to consent to the disclosure of data by, for example, a GP to a Health Authority for administrative purposes as a condition of receiving treatment from that GP. By contrast it could be argued that a requirement to consent to the disclosure of data to a medical student as a condition of receipt of treatment in a NHS hospital was unfair.

Thirdly, there must be some indication that the data subject has given his or her consent. This may be express (i.e. explicit) or implied. Express consent is given by a patient agreeing actively, usually orally or in writing, to a particular use or disclosure of information. Implied consent is given when an individual takes some other action in the knowledge that in doing so he or she has incidentally agreed to a particular use or disclosure of information. For instance a patient who visits a GP for treatment may be taken to imply consent to the GP consulting his or her medical records to assist diagnosis.

The Information Commissioner has the power to investigate complaints and to serve enforcement notices against NHS organisations that he believes are not complying with common law duties of confidence.

Sharing information

The Data Protection Act and the Medical Records Act control the release and sharing of information about individuals during the complaints process. When a complaint is made it is necessary to share patient information with those involved in the investigation. The type of information that may be shared is:

  • Any correspondence which relates directly to the complaint itself
  • In the case of a complaint about clinical care, any relevant extracts from the patient's medical records
  • If the complaint is made by someone other than the patient, it would be necessary to gain the patient's consent for the complainant to act on their behalf and to share information with those involved in the investigation.

At the Local Resolution stage of the complaint, information may be shared with those involved in the investigation. These will include: the individual(s) undertaking the investigation; individuals named in the complaint or who can assist in the investigation; recognised advisers to either the complainant or the person complained against; a conciliator or other independent third party, with the complainant's consent.

Following a request for an Independent Review, information may be shared with those considering this application: the manager(s) administering the request; the convener considering the request; an independent lay person consulted by the convener; an independent clinician consulted by the convener.

If the complaint reaches the stage of the Independent Review Panel, the information may be shared with: the manager administering the Panel; the convener; the chair; clinical assessors advising the panel; any advisers to both the complainant and the complained against; witnesses to the panel. The Panel report may be sent to all those involved in the Panel; all those interviewed; named Trust and NHS individuals. If the complainant approaches the Health Service Ombudsman, she may request the papers in the case.

The health economy wide group, Isle of Wight, Portsmouth and South East Hampshire Health Authority has published this guide to policy and procedures for the local health community:

The law and complaints - Caldicott guardians

Caldicott Guardians are the experts on confidentiality issues and access to patient records who are on-site to give you advice on any concerns that you may have about a case. They have already been working successfully for some time in acute trusts, and have just begun to operate in primary care trusts too.

They resulted from recommendations in Dame Fiona Caldicott's 1997 report on how patient information was used in the health service. The Chief Medical Officer in England had commissioned the review because of concerns that patient confidentiality was being undermined by the development of information technology in the NHS, and the need to put safeguards in place.

The key recommendation out of the 16 in the report was that:
"a senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information". (Recommendation 3)

How it works

The Caldicott report sets the framework for the quality standards that Caldicott Guardians use to oversee the management of confidentiality and access to personal information.

Two key components of maintaining confidentiality are the integrity of information and its security. Integrity is achieved by safeguarding the accuracy and completeness of information through proper processing methods. Security measures are needed to protect information from a wide variety of threats.

The 'Caldicott' principles and recommendations apply specifically to patient-identifiable information, and emphasise the need for controls over the availability of such information and access to it. In particular, a Caldicott Guardian, appointed in each NHS organisation, has specific responsibilities to oversee an ongoing process of audit, improvement and control.

The six Caldicott principles, applying to the handling of patient-identifiable information, are:

  • justify the purpose(s) of every proposed use or transfer
  • don't use it unless it is absolutely necessary
  • use the minimum necessary
  • access to it should be on a strict need-to-know basis
  • everyone with access to it should be aware of their responsibilities
  • understand and comply with the law.

To ensure joint working between health and social services, local authorities, or Councils with Social Services Responsibilities (CSSRs), have embraced this Caldicott standard.

The Department of Health is also looking at how to extend the principle to other local authority services.

Caldicott Guardians and the Data Protection Act 1998

The 1998 Data Protection Act is the key legislation covering all aspects of information processing. This includes security and confidentiality of personal information. The Caldicott requirements provide the framework to put the Data Protection Act into operation.
