Department of Health

Records Management: NHS Code of Practice Part 1 and Part 2

The Common Law Duty of Confidentiality

(See Confidentiality: NHS Code of Practice:

Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Therefore, under the common law, a healthcare provider wishing to disclose a patient's personal information to anyone outside the team providing care should first seek the consent of that patient.

Where this is not possible, an organisation may be able to rely on disclosure being in the overriding public interest. However, whether a disclosure is in the public interest is not a decision to be taken lightly. Solid justification is required before individual rights are set aside and specialist or legal advice should be sought before the information is disclosed. Any decision to disclose should be fully documented.

Disclosures required by court order should be referred to the organisation's legal advisors as promptly as possible, so that any necessary representations may be made to the court, for example to limit the information requested.

If a disclosure is made which is not permitted under common law, the patient can bring a legal action not only against the organisation but also against the individual responsible for the breach.

Records management considerations

All persons involved in the records management function should be aware of their responsibility for maintaining confidentiality of records. Employees should only have access to those parts of the record required to carry out their role. Requests for records access by other staff members should be logged and periodically audited. Particular care should be taken during the transportation of health records outside of the organisational site; for example, security envelopes and approved carriers should be used where necessary.

Confidentiality: NHS Code of Practice

The Confidentiality Code of Practice is a result of a major public consultation that included patients, carers and citizens, the NHS, other healthcare providers, professional bodies and regulators.

The Code offers detailed guidance on:

  • protecting confidential information;
  • informing patients about uses of their personal information;
  • offering patients appropriate choices about the uses of their personal information; and
  • the circumstances in which confidential information may be used or disclosed.

The Code can be accessed from the Department of Health website at:

Disclosure after a patient's death

There are no clear legal obligations of confidentiality that apply to the deceased. Nevertheless the Department of Health and the General Medical Council agree there is an ethical obligation to the relatives of the deceased in requiring that confidentiality obligations continue to apply.

However, disclosures may be necessary:

  • to assist a coroner or other similar officer in connection with an inquest or fatal accident inquiry;
  • as part of national confidential enquiries; or
  • on death certificates.

Deceased patient records are public records under the Public Records Act and it has been argued that they should be accessible under the Freedom of Information Act 2000. This issue is currently under consideration by the Department of Constitutional Affairs in conjunction with the Department of Health. Until the guidance is available, organisations should not release the health records of deceased patients unless it is to comply with the Access to Health Records Act.
