
confidentiality and data protection

duty to protect patient information — breaches are justified only in specific circumstances including safeguarding, public interest, and statutory obligations

Ethics, law & patient safety

About This Page

This is a clinician-written, evidence-based summary aligned to the 2026 MLA Content Map. It is intended for medical students and junior doctors preparing for the UKMLA. Always cross-reference with NICE guidance, local protocols, and clinical judgement.

The Bottom Line

  • Confidentiality is a legal, ethical, and professional duty — enshrined in common law, Data Protection Act 2018 (UK GDPR), and GMC guidance
  • Patient information must NOT be disclosed without consent UNLESS: statutory requirement, public interest, or court order
  • Statutory disclosures (no consent needed): notifiable diseases, terrorism, road traffic collisions (driver identity), fitness to drive (to DVLA after informing patient)
  • Public interest disclosure: risk of serious harm to others (e.g. infectious disease contacts, violent intent). Must be proportionate and justified
  • Caldicott principles: 7 principles governing use of patient-identifiable information in the NHS
  • After death: duty of confidentiality persists but is not absolute — may be disclosed for public interest or statutory requirements

Overview

Confidentiality is a fundamental principle of medical practice. Patients share sensitive information in the expectation that it will be kept private, and this trust is essential for effective healthcare. The duty of confidentiality arises from multiple sources: the common law duty of confidence, Article 8 of the Human Rights Act 1998 (right to private and family life), the Data Protection Act 2018 (incorporating UK GDPR), and professional obligations under GMC guidance. However, confidentiality is NOT absolute — there are specific circumstances where disclosure is lawful, justified, or even mandatory. Understanding when to disclose and when to withhold information is a core UKMLA competency.

Epidemiology

Confidentiality scenarios arise daily in clinical practice. The Information Commissioner's Office (ICO) received over 2,000 data security incident reports from the health sector in 2023. Common breaches include inadvertent disclosure (sending information to the wrong person, conversations overheard in public areas), inappropriate access to records, and loss of unencrypted data. The GMC investigates approximately 200 complaints related to confidentiality breaches each year.

Key Scenarios

Common Scenarios
Patient requests that information NOT be shared with family members — must be respected if patient has capacity
Police request patient information about a suspect or victim
A patient discloses intent to harm a specific person
A patient is diagnosed with a notifiable disease (e.g. meningococcal meningitis)
An employer requests a medical report without patient consent
A patient's relative phones asking about their diagnosis or prognosis
A child or vulnerable adult discloses abuse
When Disclosure Applies
Disclosure IS required: notifiable diseases, terrorism (Terrorism Act 2000), court order, certain driving fitness situations
Disclosure MAY be justified: serious risk of harm to others (public interest), safeguarding children/adults at risk
Disclosure NEVER justified: media requests, curiosity, convenience, insurance companies without consent
1. Disclosure WITH consent
  • Always seek consent before disclosing — this is the default position
  • Consent can be explicit (written/verbal for a specific disclosure) or implied (within the healthcare team for direct care — "need to know" basis)
  • Inform the patient about what will be shared, with whom, and why

2. Disclosure WITHOUT consent — statutory
  • Notifiable diseases: statutory duty to notify the local authority (Public Health England)
  • Terrorism: duty to disclose information that may prevent acts of terrorism (Terrorism Act 2000)
  • Road Traffic Act 1988: must provide driver identity (not clinical details) to police if requested after a road traffic collision
  • Court orders: must comply
  • DVLA fitness to drive: if patient refuses to stop driving despite being medically unfit, may disclose to DVLA after informing the patient

3. Disclosure WITHOUT consent — public interest
  • Justified when: risk of death or serious harm to others, benefits of disclosure outweigh patient's interest in confidentiality
  • Must be proportionate — disclose only the minimum necessary information
  • Safeguarding children and vulnerable adults: may override duty of confidentiality
  • Contact tracing for serious communicable diseases: may disclose without consent if patient refuses to notify contacts
  • Document the decision and rationale thoroughly

4. Disclosure after death
  • Duty of confidentiality continues after death but is not absolute
  • Access to Health Records Act 1990: personal representative or person with claim arising from death may request records
  • Consider: patient's known wishes, purpose of disclosure, benefit/harm

5. Sharing within the healthcare team
  • Implied consent for direct care: information can be shared within the healthcare team on a "need to know" basis
  • Patient can object to sharing — must respect this unless overriding public interest
  • Record who has been given access and why

Complications

  • Inappropriate disclosure: Breach of confidentiality → patient complaint, GMC investigation, ICO enforcement, civil litigation, criminal prosecution (under DPA 2018)
  • Failure to disclose when justified: If a patient harms someone and disclosure could have prevented it, the doctor may face legal and professional consequences
  • Erosion of trust: Confidentiality breaches undermine public trust in the medical profession
  • Data breaches: Loss of unencrypted devices, misdirected communications, cyber-attacks

UKMLA Exam Tips

  1. Default position: DO NOT disclose without consent. Then ask: is there a statutory duty, court order, or public interest justification?
  2. Police requests: you are NOT obliged to provide clinical information to police without consent or a court order — EXCEPT driver identity under the Road Traffic Act
  3. Notifiable diseases = statutory duty — no consent needed. This is a common exam scenario
  4. Patient tells you they plan to harm someone specific: this is a public interest disclosure — you CAN break confidentiality. Document and disclose to the appropriate authority
  5. Relative phones asking about a patient: do NOT disclose anything without the patient's explicit consent (even confirming they are in hospital)
  6. After death: duty continues but a personal representative can access records. Consider the patient's known wishes
  7. DVLA: try to persuade the patient first. If they refuse to stop driving when unfit → inform the DVLA, inform the patient you are doing so, and document

Verified Sources & References

  • GMC — Confidentiality: good practice in handling patient information (2017)
  • Data Protection Act 2018