CONFIDENTIALITY POLICY

GUIDANCE NOTES AND BACKGROUND INFORMATION

This policy should be read in conjunction with the Managing Medical Records Policy and the Privacy Policy (GDPR).

A duty of confidentiality arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence.
This duty of confidence is derived from:

  • Common law (court decisions)

  • Statute law (legislation passed by Parliament)

LEGISLATION

All staff must be aware of the following legislation and understand their responsibilities relating to confidentiality:

THE GENERAL DATA PROTECTION REGULATION (GDPR) 2018

Governs the processing of information that identifies living individuals, including the holding, recording, use, and disclosure of personal data across all media.

THE MENTAL CAPACITY ACT 2005

Provides a legal framework to empower and protect individuals who may lack capacity to make certain decisions for themselves.

THE FREEDOM OF INFORMATION ACT 2000 & THE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002

Grants public access to information not covered by GDPR, such as non-personal records.

THE COMPUTER MISUSE ACT 1990

Protects data and systems against unauthorised access or alteration.

DISCLOSURE

Disclosure refers to the giving of information. Disclosure is lawful and ethical only when the individual has provided informed consent, unless required by law or justified in the public interest.

Consent to disclosure may be:

  • Explicit

  • Implied

  • Required by law, or

  • Justified in the public interest

DISCLOSURE WITH CONSENT

Patients have the right to access and receive copies of their own medical records.

  • Explicit consent is obtained when the patient agrees to disclosure after being informed of what, why, and with whom information will be shared.

  • Implied consent applies when it is assumed that the patient understands their data may be shared within the clinical team.

All discussions regarding consent must be recorded.

DISCLOSURE WITHOUT CONSENT

Disclosure without consent may occur only in exceptional cases, where it is necessary to:

  • Prevent serious harm or abuse

  • Support detection or investigation of a serious crime

  • Protect public safety

Decisions to disclose must be proportionate, justified, and documented in full.

DISCLOSURE TO THIRD PARTIES

Information may only be shared with third parties involved in a patient’s care.
Patients must be made aware of how and why information may be disclosed and given the opportunity to object.

Identifiable data must never be used for purposes other than direct healthcare without explicit consent or a valid legal basis.

CONFIDENTIALITY AFTER DEATH

The duty of confidentiality continues after a patient’s death under the Police and Criminal Evidence Act (1984).

INFORMATION DISCLOSURE TO THE POLICE

Police officers have no automatic right to access patient medical records.
They may only do so under a warrant issued by a judge under the Police and Criminal Evidence Act (1984).

Disclosure to law enforcement without consent may occur only to prevent serious harm or risk of death and must be discussed with professional colleagues or regulators before action is taken.

All such disclosures must be proportionate, justified, recorded, and wherever possible, discussed with the patient.

SPECIAL CONSIDERATIONS WHEN DISCLOSURE IS BEING CONSIDERED

In rare cases, it may not be appropriate to inform a patient of the decision to disclose information (for example, due to risk of violence).
A supplementary record may be created to restrict access to sensitive data if disclosure could cause serious harm.

All team members must be aware of the existence of supplementary records without breaching confidentiality.

ACTING AS A WITNESS IN A COURT CASE

If summoned as a witness, healthcare professionals are legally required to provide evidence.
Refusal to do so may result in contempt of court proceedings.

RISK OR BREACH OF CONFIDENTIALITY

Any member of staff who becomes aware of a potential or actual breach of confidentiality must:

  • Report it immediately to a senior manager or Dr Kania.

  • Document the incident and corrective actions.

A breach may arise from individual behaviour or systemic failure.
Confidentiality is a fundamental professional obligation protected under Article 8 of the European Convention on Human Rights (right to respect for private and family life).

KEY PRINCIPLES

  • All patient information will only be used for its intended purpose.

  • Staff must ensure patients understand how and why their data is shared.

  • Information must be disclosed only where legally required or to prevent harm.

  • All staff handling personal data must be aware of GDPR obligations and ICO registration requirements.

REFERENCES AND FURTHER READING

  • General Medical Council (GMC): Confidentiality Guidance

  • Nursing & Midwifery Council (NMC): The Code (2018)

  • General Dental Council (GDC): Standards for Dental Professionals (2013)

  • The General Data Protection Regulation (2018)

  • European Convention on Human Rights (2000)

  • The Computer Misuse Act (1990)

  • The Freedom of Information Act (2000)

  • The Mental Capacity Act (2005)

CONFIDENTIALITY POLICY STATEMENT

Dr Kania is committed to providing a confidential and secure service to all patients and clients.
No information shared with Dr Kania will be disclosed to any third party without the explicit consent of the individual, except where required by law or to prevent harm.

This policy applies to all personal, sensitive, or identifiable information obtained through the course of professional practice.

PURPOSE

To ensure all staff, clinicians, and contractors understand their responsibilities regarding the handling, storage, and disclosure of confidential information in compliance with GDPR 2018.

PRINCIPLES

  • All patient and staff data (digital and paper) must be securely stored and protected from unauthorised access, disclosure, or loss.

  • Access is restricted to authorised individuals only.

  • Any data shared externally (e.g., for audit or regulatory purposes) must be anonymised.

PROTECTING CONFIDENTIALITY IN DISCUSSIONS

Staff must not:

  • Discuss patient matters outside clinical settings.

  • Discuss cases in public or where conversations may be overheard.

  • Discuss one patient with another without explicit consent.

All consultations must take place in private spaces where confidentiality can be assured.

PROTECTING CONFIDENTIALITY USING THE TELEPHONE

  • Do not share identifiable information (names, addresses, numbers) in public areas.

  • Do not play voicemail messages aloud where others may overhear.

  • Do not leave confidential messages on answering machines without the patient’s express consent.

PROTECTING CONFIDENTIALITY USING COMPUTERS & THE INTERNET

  • Computer screens must not be visible to unauthorised individuals.

  • All systems must be password-protected and access-limited.

  • Patient data shared via email must be encrypted.

  • Confidential records must be stored securely and backed up to encrypted cloud systems.

PROTECTING CONFIDENTIALITY USING SOCIAL MEDIA OR MOBILE DEVICES

  • Avoid discussing or sharing confidential details via text or messaging apps.

  • Treat any digital communication as part of the medical record.

  • Never store patient data on personal devices.

  • All devices must be password-protected, encrypted, and securely stored.

  • Explicit written consent must be obtained before sharing any clinical images or case details on social media.

RECORDS

  • All paper records are kept in locked cabinets.

  • All digital records are securely stored in compliance with GDPR 2018.

  • Information retained for audits or appraisals must be anonymised.

BREACHES OF CONFIDENTIALITY

Confidential or sensitive information may only be disclosed without consent if withholding it would place an individual or the public at risk of harm or violate legal obligations.
Any such disclosure must be justified, proportionate, and reported immediately to Dr Kania.

LEGISLATIVE FRAMEWORK

This policy complies with:

  • GDPR 2018 and the Data Protection Act

  • Freedom of Information Act 2000

  • Mental Capacity Act 2005

  • European Convention on Human Rights (Article 8)

ENSURING THE EFFECTIVENESS OF THE POLICY

  • All staff receive this policy during induction and regular updates.

  • The policy is reviewed annually by Dr Kania.

  • Compliance is monitored through periodic audits and staff training.

NON-ADHERENCE

Any breach of this policy will be investigated and may result in disciplinary action, in accordance with internal procedures.

DR KANIA
Belgravia | Knightsbridge | London
📧 contact@drewkania.co.uk
📞 +44 (0)7935 133 150

LAST UPDATED: October 2025