The December 1997 Caldicott Report identified weaknesses in the way parts of the NHS handled confidential patient data. The report set out six principles and made sixteen recommendations, one of which was the appointment of Caldicott Guardians: senior members of staff responsible for ensuring that patient data is kept secure. Every NHS organisation is now required to have a Caldicott Guardian, who is responsible for ensuring that the organisation adheres to the Caldicott Principles.

Since 1997 there have been further reviews led by Dame Fiona Caldicott, later the National Data Guardian, including ‘To Share or Not to Share?’ (2013) and the ‘Review of Data Security, Consent and Opt-Outs’ (2016). The first introduced the seventh Caldicott principle (see below) and led to the statutory duty to share set out in section 3 of the Health and Social Care (Safety and Quality) Act 2015; the second was instrumental in the development of the Data Security and Protection Toolkit.

Further review and publication in December 2020 has updated and increased the Caldicott Principles to eight:

Principle 1: Justify the purpose(s) for using confidential information
Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.

Principle 2: Use confidential information only when it is necessary
Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.

Principle 3: Use the minimum necessary confidential information
Where use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.

Principle 4: Access to confidential information should be on a strict need-to-know basis
Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.

Principle 5: Everyone with access to confidential information should be aware of their responsibilities
Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patients and service users.

Principle 6: Comply with the law
Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.

Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Principle 8: Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.

More information is available at:

A Manual for Caldicott Guardians – 2017

National Data Guardian’s Office

The UK Caldicott Guardian Council webpage

Data Security and Protection Toolkit




Medical confidentiality is the bedrock of the doctor-patient relationship, and it is enshrined in a number of codes, guidelines and laws.

The GMC has produced updated guidance on confidentiality, with individual leaflets covering how the guidance applies in a range of situations doctors often encounter or find hard to deal with.

The legal and ethical principles of confidentiality and disclosure

Under GMC guidance, confidentiality should only be breached if one of the following criteria is met:

  • The patient has given consent.
  • The disclosure is of overall benefit to a patient who lacks capacity to make the decision.
  • The disclosure is required by law.
  • The disclosure can be justified in the public interest.
Data Sharing Checklist
  1. Is there a legal obligation to share this data without consent and if so, have I limited it to the minimum data possible to serve the purpose?
  2. Would my patients be aware how their data may be processed?
  3. Would my patients know who is processing their data?
  4. Would my patients know why their data is being processed?
  5. Have I made a reasonable attempt to inform my patients of the ways in which their data will be held and processed?
  6. Have I provided the name of the practice’s Data Protection Officer who can provide more information if they wish to know more?
  7. Have I given them an opportunity to raise any objections?
  8. Have I explained their right to access and correct the data?
  9. Are all individuals who have access to identifiable medical data bound by a strict professional and contractual duty of confidentiality?
  10. If non-professionals have access to medical data, are they bound by a strict contractual duty of confidentiality?
  11. Has the data been anonymised, or anonymised and aggregated, wherever possible?
  12. Is disclosure likely to cause serious harm to the patient’s health or well-being?
  13. Am I breaching a third-party confidence (excluding a medical professional caring for the patient)?
  14. Have I sought consent wherever possible?
  15. Has the patient expressed an objection to sharing this data?   (Any objection must be respected even after death.)
  16. If consent is not possible, is it essential to share patient-identifiable data in the best interests of the patient’s health and wellbeing?
  17. If consent is not possible, is it overwhelmingly in the public interest to share patient-identifiable data?
  18. If consent is not possible, have I informed the patient, or do I intend to inform them as soon as possible, that I have disclosed identifiable data?
  19. Have I restricted the data I intend to disclose to the minimum that would serve the intended purpose?
  20. Is the data to be disclosed for a clearly identified and limited purpose?
  21. Is the data to be disclosed to a clearly identified individual or individuals?
  22. Are all members of staff who handle this data aware of the need to ensure that data sharing is always checked before disclosure?
  23. Would I object to my own most personal medical data being shared in this way?
  24. Would I be prepared to defend this disclosure in a court of law or before the GMC?



Confidentiality after Death

Access to the Health Records of Deceased Patients

Note: Although the UK GDPR does not apply to data concerning deceased persons, the ethical obligation to respect a patient’s confidentiality continues beyond death.

The Access to Health Records Act 1990 (AHRA) provides a small group of people with a statutory right to apply for access to the health records of a deceased person. These representatives are ‘the patient’s personal representative and any person who may have a claim arising out of the patient’s death’. A personal representative is the executor or administrator of the deceased person’s estate.

The personal representative is the only person with an unqualified right of access to the record and need give no reason for applying. They should, however, provide evidence of their identity and of their appointment as executor or administrator.

There are occasions when individuals who do not have a statutory right may also request access. In such cases, the general rules that apply to the disclosure of confidential patient information should be considered to determine whether a disclosure is appropriate and lawful, and each request should be considered case by case. Someone without a statutory right can only obtain a right of access under the Act by establishing a claim arising from the patient’s death; the decision as to whether such a claim exists sits with the record holder. Where this is not clear, legal advice should be sought.

Record holders must be assured of the identity of applicants and, where an application is being made on the basis of a claim arising from the deceased’s death, applicants must provide evidence to support their claim.

A number of public bodies have authority to require the disclosure of health information; these include the courts (for example, the Coroner’s court), legally constituted public inquiries, and various regulators and commissions. In these cases, the common law obligation of confidentiality is overridden.

Applying for Access

Requests should be made in writing, contain enough information to enable the correct records to be identified and give details of the applicant’s right to access the records.  It is helpful if specific dates or parts of the record are requested. The release of a complete health record will need a stronger justification than an excerpt from a record.

Once the data controller has enough information to identify the record and confirm the applicant’s entitlement, the request should be complied with within 40 days, or within 21 days where the record has been added to in the 40 days preceding the application.

Disclosure in the Absence of a Statutory Basis

Such disclosures should be:

  • in the public interest.
  • proportionate
  • judged on a case-by-case basis.

The public good must outweigh the obligation of confidentiality to the deceased individual and any other individuals referred to in a record. The data controller must consider any preference expressed by the deceased before their death to confidentiality and any potential for distress or harm to any living individual. The views of surviving family and the length of time after death should also be considered (the obligation of confidentiality is likely to diminish over time). Requests should demonstrate a strong legitimate purpose and, generally, a strong public interest justification as well as a legitimate relationship with the deceased.

It is good practice, when considering a request, to consult the practice’s Caldicott Guardian or governance lead and, if there is any doubt or complexity, to seek legal advice or advice from your medical defence organisation (MDO).


The Data Protection Act 2018 also amended the Access to Health Records Act 1990, which now provides that access to the records of deceased patients, and any copies, must be provided free of charge.


If the deceased indicated during their lifetime that they did not wish information to be disclosed/remain confidential, then it should remain so unless there is an overriding public interest in disclosing.

If the record holder considers that disclosure would cause serious harm to the physical or mental health of any other person, access may be denied.

Similarly, if disclosure would identify a third party who has not consented to the release of information, access may be denied.

Reference: Department of Health: ‘Guidance for Access to Health Record Requests’, BMA: ‘Access to Health Records’



Confidentiality Departure Statement

Please see below for a general idea of the wording that could be used by practices when staff leave. We are not experts in this field and would recommend you seek specialist HR advice.

Dear [NAME]

You are leaving the practice on [DATE]

We remind you of your continuing duty of confidence towards patients of the practice. Even though you will no longer be a member of the practice, you are bound by the duty of confidentiality in relation to any information you may have discovered about patients.
We ask that you continue to observe the duty of confidentiality strictly. By signing and returning this letter you confirm that you understand that you continue to be bound by this duty and understand the importance of patient confidentiality.

Please confirm the above by signing and returning to us the enclosed copy of this letter.

I confirm the above


Signed:………………………………………………………………    Date:………………………….



Confidentiality: Recycling


We have recently been asked for advice on the data protection implications of using a commercial company for recycling confidential wastepaper. The company undertakes to bag up all paper securely, before taking it to their central recycling plant where all employees have been checked using the Disclosure and Barring Service and work under a contractual obligation of confidentiality.


The sixth data protection principle (section 40 of the Data Protection Act 2018, which mirrors the ‘integrity and confidentiality’ principle in Article 5(1)(f) of the UK GDPR) requires ‘…that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data’, that is, to prevent accidental or unauthorised access to, or destruction, loss, use or disclosure of, personal data.

‘Appropriate security measures’ are not defined in the Act.   However, since data concerning health is classified as ‘special category’ (sensitive) data, a very high level of data security is required.

We have been advised that it would be preferable for practice staff to shred all paper before it is sealed up and removed by the company and that the paper should be destroyed or recycled as soon as possible after removal from the practice to minimise risk.  Both the company acting in the role of a Processor and the Practice, a Controller, have a legal responsibility for data security under the Data Protection Act 2018.

You should only use a highly reputable company, preferably one certified to ISO 9001 and ISO/IEC 27001 (the successor to ISO 17799) and working to BS EN 15713, the code of practice for the secure destruction of confidential material. The contract with the company must contain the processor clauses required by Article 28 of the UK GDPR; the Information Commissioner’s Office publishes guidance on contracts between controllers and processors.

It is of course essential to ensure that you only destroy those documents which you are not obliged by law, business, or common sense to retain!

Further information is available from: Records Management Code of Practice for Health & Social Care 2016



Data Sharing: General Principles

Before sharing personal information, you should ask yourself these relevant questions:

  • What information do you wish to share?
  • What is your purpose in sharing this information?
  • Would the individual reasonably expect you to share it?
  • Can you achieve your purpose without sharing the information?
  • Are you confident that you are sharing no more and no less information than is necessary?
  • Do you have the legal power to share the information?
  • Do you have the technical competence to share information safely and securely?
  • What safeguards will counter the risks that will necessarily arise as a result of sharing?
  • By what means and on what basis did you or will you acquire the information?

Proportionality is critical in any decision, therefore, an objective judgement as to whether the benefits outweigh the risks, using a test of reasonableness or common sense must be applied.  This involves a considered, and high-quality decision based on the circumstances of the case, including the consequence of not sharing the information. Decisions must flow from the principles of relevance, necessity, and the need to avoid an excessive approach.  You should therefore consider:

  • What benefits are sought from the proposed sharing?
  • What harm will be curbed or prevented?
  • How are the purposes articulated?
  • What personal information is relevant?
  • With whom will it be shared?
  • What information is it necessary to share?
  • Can less information be shared or retained for shorter periods?
  • What will be the likely effect on individuals and society?
  • Is sharing personal information necessary for the provision of a service?
  • Is more information shared than the service requires?
  • Is the individual aware of the nature and extent of the sharing?
  • What mechanisms are needed to alert citizens to services they are neither receiving nor seeking, but from which they might benefit?
  • Always follow the Caldicott principles.

Organisations should regard the Information Commissioner’s Office as the central source of clear, authoritative, and widely focused guidance on information sharing and should tailor that guidance as far as possible to their own particular needs. You can access more data sharing guidance here.

People and Training

All staff handling personal information must be made fully aware of its value, and of the increased risks that arise when it is shared outside the organisation.

“sometimes it will be necessary and desirable to empower professionals on the front line to make individual decisions about what information to share, and in what way.  As long as the framework is clear, and the process and result are not unreasonable, no one should attempt to usurp that professional’s right to make the judgment. The law cannot, and should not, overrule the proper exercise of professional judgement.  Rather it should support this by providing a legal framework that respects reasonable judgements based on the circumstances of the case.”   Data Sharing Review July 2008

Misfiled Results/Letters

We all know that occasionally things get misfiled in patients’ notes, particularly letters, reports and results that have to be scanned in. This creates a problem, particularly if the patient’s records subsequently become the subject of a request for release, e.g. to a new practice, to the patient, to a solicitor, or to an insurance company.

If you respond to a request for records under the Data Protection Act but accidentally send them with a misfiled letter relating to another patient, you are in breach of the Data Protection Act, because you have released confidential health information about the patient whose letter was misfiled. This is a personal data breach that must be recorded and, where it is likely to result in a risk to individuals, notified to the ICO within 72 hours of the practice becoming aware of it.

We would therefore urge all practices to draw up and implement a protocol for checking that misfiled items are not included when a patient’s record is sent away from the practice.
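As an added illustration of such a protocol (example code written for this page, not practice software and not from any of the bodies referenced above), the Python below screens the extracted text of each scanned document in a record before release. It relies on the NHS number check digit (the modulus 11 checksum every NHS number carries) so that stray ten-digit strings such as lab references are not mistaken for identifiers; the document texts and NHS numbers are constructed for the example. Any document carrying a valid NHS number that is not the patient’s blocks release; documents with no identifier at all are listed for a manual check.

```python
import re
from dataclasses import dataclass

# Candidate NHS numbers: ten digits, optionally written as 3-3-4 groups
# separated by a space or hyphen, not embedded in a longer digit run.
NHS_NUMBER_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{4})(?!\d)")


def nhs_number_valid(number: str) -> bool:
    """Modulus 11 check digit used by all NHS numbers.

    The first nine digits are weighted 10 down to 2 and summed; the
    remainder mod 11 is subtracted from 11. A result of 11 means the check
    digit is 0; a result of 10 cannot be a digit, so such numbers are invalid.
    """
    digits = re.sub(r"\D", "", number)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False
    return check == int(digits[9])


def nhs_numbers_in(text: str) -> list:
    """Return every checksum-valid NHS number found in a document's text.

    Candidates that fail the checksum are dropped: otherwise any ten-digit
    string (a phone number, a lab reference) would be a false positive.
    """
    return [
        "".join(m.groups())
        for m in NHS_NUMBER_RE.finditer(text)
        if nhs_number_valid("".join(m.groups()))
    ]


@dataclass
class Document:
    doc_id: str
    text: str  # OCR or extracted text of a scanned letter, result or report


def pre_release_check(patient_nhs_number: str, documents: list) -> dict:
    """Screen a record before it leaves the practice.

    Any document carrying a valid NHS number that is not the patient's is
    treated as misfiled and blocks release. Documents carrying no NHS
    number cannot be tied to the patient automatically, so they are listed
    for manual review but do not block release on their own.
    """
    patient = re.sub(r"\D", "", patient_nhs_number)
    misfiled, manual_review = [], []
    for doc in documents:
        numbers = set(nhs_numbers_in(doc.text))
        foreign = sorted(numbers - {patient})
        if foreign:
            misfiled.append({"doc_id": doc.doc_id, "foreign_nhs_numbers": foreign})
        elif not numbers:
            manual_review.append(doc.doc_id)
    return {
        "release_ready": not misfiled,
        "misfiled": misfiled,
        "manual_review": manual_review,
    }


# Constructed sample record (not real patients). The NHS numbers were
# chosen to pass or fail the checksum as noted in the comments.
PATIENT_NHS_NUMBER = "943 476 5919"  # valid checksum
SAMPLE_DOCUMENTS = [
    Document("d1", "Discharge summary. NHS No: 943 476 5919. Started ramipril 2.5mg."),
    Document("d2", "Clinic letter. NHS Number 401 023 2137. Dear Doctor, ..."),  # another patient, valid
    Document("d3", "Pathology report. Lab ref 4010232138. Hb 13.1 g/dL."),      # fails checksum, ignored
    Document("d4", "Handwritten note scanned in, no identifiers visible."),
]

if __name__ == "__main__":
    result = pre_release_check(PATIENT_NHS_NUMBER, SAMPLE_DOCUMENTS)
    print("release ready:", result["release_ready"])
    for item in result["misfiled"]:
        print("BLOCK: document", item["doc_id"], "mentions", item["foreign_nhs_numbers"])
    print("manual review:", result["manual_review"])
```

OCR text is imperfect, so this is a safety net for the manual check rather than a replacement for it: a misfiled letter that names a different patient without quoting an NHS number will only surface through the manual-review list.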

Sharing Information with Colleagues

The GMC is clear about your obligations in contributing to the safe transfer of patients between hospital and community and social care.

This means that both hospitals and GPs have a requirement to share full and detailed information when transferring care. On discharge, hospitals need to inform the patient’s GP what medication the patient was discharged on, what was stopped, what was started and why, and whether any changes were made to the dose of existing medications.

The GMC reaffirms the duty of a GP to make sure that changes to the patient’s medicines (following hospital treatment, for example) are reviewed and quickly incorporated into the patient’s record.

LMC Comment: Hospital discharge summaries are improving in most hospitals but some still have some way to go to meet this requirement.

Practices should ensure that following discharge, the medication for each patient is reviewed.

Research evidence suggests that anything between 30 – 70% of patients discharged from hospital have medication errors or unintentional changes to their medicines when their care is transferred.



Freedom of Information Act 2000

The Freedom of Information Act applies to all NHS bodies, including hospitals, as well as to doctors, dentists, pharmacists, and opticians. It specifically includes any person providing general medical or personal medical services under the National Health Service Act. The Freedom of Information Act 2000 and the Data Protection Act are intended to operate in tandem. Requests for access to personal information will be dealt with under the provisions of the Data Protection Act, while requests for access to other sorts of information will be dealt with under the Freedom of Information Act.

All disclosures are protected by:

  • Freedom of Information Act exemptions.
  • Data Protection Act and UK GDPR, which protect personal data from disclosure to third parties without consent or another lawful basis.
  • Human Rights Act, which requires respect for the privacy of individuals.
  • Common Law Duty of Confidentiality.

A doctor’s disclosures are also subject to the duties of a GMC registered doctor to:

  • make the care of patients their first concern.
  • respect and protect confidential information.
  • respect patient’s dignity and privacy.
  • work with colleagues in the way that best serves patients’ interest.
  • be prepared to justify their actions to patients and colleagues.
Freedom of Information Model Publication Scheme

Most GPs in the UK, with contracts to provide services to the NHS, fall under the Freedom of Information Act 2000 and since 1st January 2009 have been required to operate a publication scheme under this Act and all such Schemes, must be approved by the Information Commissioner.  The Information Commissioner has provided a model scheme, which you should adopt.   Any publication scheme created before 1 January 2009 is now out of date, and you should replace it with the ICO model scheme.

The Freedom of Information Act applies to all recorded information and is fully retrospective. The following are all covered by the Act:

  • paper files.
  • computer files
  • internal e-mails

You may also find the BMA FAQs on FOI useful:

If you receive a FOI request

If you receive a written or e-mailed request for information, you must generally comply within 20 working days (commencing the day after you receive the request), in the preferred format of the applicant where practicable. There are, however, a number of absolute or qualified exemptions (see Part II of the Freedom of Information Act). You need not respond if:

  • the information is already available in your publication scheme or elsewhere; but you should direct the requestor to this information.
  • you intend to publish the information before receiving the access request, provided there is a strong public interest in NOT disclosing before it is published. If however there is no significant public interest reason to withhold, then it must be disclosed, even prior to the intended publication
  • the request is vexatious.

There is a particular expectation that public authorities will account for how they spend public funds. There can be no argument about the fact that a practice’s NHS funding represents public money, as does the expenditure on drugs prescribed by the clinicians in the practice. Only if a practice can make a cogent case that its commercial interests (or another party’s) would be harmed by disclosing details of the public money it is responsible for spending would it be justified in not disclosing that information.

It should be noted that the level of disclosure agreed for the publication scheme would not allow an individual GP’s personal income to be calculated. When completing the model scheme, practices may prefer to use the phrase “total practice funding”, rather than “total practice income”. Clearly the more information that appears in the publication scheme, the fewer requests for specific pieces of information to which the practice may have to respond.

It is not necessary for practices to disclose information personal to their staff, for example their private income or pension contributions; such information is exempt under section 40 of the Freedom of Information Act because it is personal data protected by data protection law. Personal information about someone other than the applicant is referred to as third-party data.

Whilst exemptions about commercial interests and personal data are the most frequently applied, there are other exemptions that could apply.  Details of exemptions can be found at:

Please note that the default response to an FOI request is to disclose the requested information, not to seek an exemption.  Exemptions should only be applied where there is clear basis to do so and only to the information that the exemption relates to.  If a request wanted to know some information about practice policies and expenditure, then if some items of expenditure were exempted due to commercial interest issues, the rest of the requested information must be disclosed.

If you are looking to apply an exemption and that exemption is subject to the public interest test (see ICO guidance) then you can pause the ‘clock’ until you have reached a decision.

If you apply an exemption that the requestor disputes, they can ask the ICO for a ‘decision notice’ where determination of whether an exemption applies will be taken.

Fees for access requests

Most access requests are expected to be free, but you definitely may not charge for:

  • time taken to locate, retrieve, collate or extract information, unless the estimated cost of doing so would exceed the ‘appropriate limit’ of £450 for GP practices (based on a rate of £25 per hour);
  • time taken to write a covering letter to inform the applicant that the information is being provided.

You may charge a ‘reasonable’ fee that is not capped to cover the costs of:

  • informing the applicant that you hold the requested information.
  • summarising the information.
  • putting information into the preferred and requested format.
  • translating information into a foreign language, unless this is impracticable or the translation (for example into Braille) must be provided free of charge as a reasonable adjustment under the Equality Act 2010 (formerly the Disability Discrimination Act).
  • photocopying or printing (it is suggested that this would not exceed 10p per sheet);
  • postage or other forms of communication.

You should inform the applicant of the fee before incurring the costs.

You will find more detailed information about the Publication Scheme on the Information Commissioner’s Office website.



General Practice Data for Planning & Research (GPDPR)

The data held in the GP medical records of patients is used every day to support health and care planning and research in England, helping to find better treatments and improve patient outcomes for everyone. NHS Digital has developed a new way to collect this data, called the General Practice Data for Planning and Research data collection.

NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.

NHS Digital previously collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.

The new system (GPDPR) was due to start collecting data on 1st July 2021. Collection was paused, however, to allow for an in-depth public information campaign giving the public a chance to make an informed decision about whether they want their data collected as part of the new GP data extraction programme. In addition:

  • The plan to retire Type 1 opt-outs will be deferred and will not be implemented without consultation with the RCGP, the BMA and the National Data Guardian.
Patient & Practice Information including Opting-out

NHS Digital has a number of resources for practices and patients on the dedicated webpage for GPDPR, including a short video to explain how the data from GP Practices is used in the NHS and also details about Opt-out.

The following webpage may be a useful link on your website for patients to access Opt out of sharing your health records – NHS (

Patients can use the Type 1 opt-out form, which practices are then asked to code onto the patient record. The codes to use are as follows:

Opt-out – dissent code 9Nu0 (SNOMED CT 827241000000103 | Dissent from secondary use of general practitioner patient identifiable data (finding) |)

Opt-in – dissent withdrawal code 9Nu1 (SNOMED CT 827261000000102 | Dissent withdrawn for secondary use of general practitioner patient identifiable data (finding) |)

National Data Opt-Out (NDO) – (this replaced the earlier Type 2 opt-out)

This is for searches that are NOT for individual healthcare – such as research, future planning and other audits for external agencies, which do not provide patient care.

NHS Digital website has further information and resources at –

A flow chart is available to help you consider whether you are compliant.

Practices have to be compliant with the NDO by 31st July 2022 and must declare that they are compliant on the DSP Toolkit, submission due by 30th June 2022. (DPO advice is that you can declare compliance if you have a plan in place to be compliant by 31st July.)

Practices should have the required information available for patients both in practice and on websites and must ensure staff understand what this is about and how to direct patients to the NDO website to register their opt-out (or supply email, postal address or telephone number).

EMIS and TPP have updated clinical searches and reports to allow application of the opt-out and to exclude registered patients (or are in the process of rolling this out to all practices; if you do not have one of these clinical systems, we suggest you check arrangements with your supplier).

It is your responsibility to check your existing audits to see if they need to be edited and the NDO applied.  If you have a data sharing agreement to provide data to the ICB for future planning, you may need to contact them to ensure that this is updated to take into account the NDO.
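The Type 1 and National Data Opt-Out checks described above, as an added worked example written for this page (it is not EMIS, TPP or NHS Digital code). It assumes a practice-side extract of patient records as coded events and that the NDO list is available to the practice as a set of NHS numbers; the patients, dates and NDO list are constructed. The Read v2 and SNOMED CT codes are the ones given above.

```python
from dataclasses import dataclass
from datetime import date

# Type 1 opt-out codes as recorded in the practice system (Read v2 and SNOMED CT).
TYPE1_DISSENT = {"9Nu0", "827241000000103"}
TYPE1_WITHDRAWN = {"9Nu1", "827261000000102"}
TYPE1_CODES = TYPE1_DISSENT | TYPE1_WITHDRAWN

SECONDARY_USE = "secondary_use"      # research, planning, external audit
INDIVIDUAL_CARE = "individual_care"  # direct care: neither opt-out applies


@dataclass
class CodedEvent:
    code: str
    recorded: date


@dataclass
class Patient:
    nhs_number: str
    events: list  # CodedEvent entries in the order they were entered


def type1_opted_out(events: list) -> bool:
    """True if the most recent Type 1 code on the record is a dissent.

    A withdrawal (9Nu1) recorded after a dissent (9Nu0) cancels it. If two
    codes share a date, the one entered later in the record wins.
    """
    relevant = [(e.recorded, i, e.code) for i, e in enumerate(events) if e.code in TYPE1_CODES]
    if not relevant:
        return False
    _, _, latest_code = max(relevant)
    return latest_code in TYPE1_DISSENT


def select_for_extract(patients: list, ndo_numbers: set, purpose: str):
    """Split a search population into included and excluded patients.

    Returns (included_nhs_numbers, excluded) where excluded maps an NHS
    number to the opt-outs that removed it. An unrecognised purpose raises
    rather than silently taking the permissive individual-care path.
    """
    if purpose == INDIVIDUAL_CARE:
        return [p.nhs_number for p in patients], {}
    if purpose != SECONDARY_USE:
        raise ValueError(f"unknown purpose {purpose!r}; refusing to run")
    included, excluded = [], {}
    for p in patients:
        reasons = []
        if type1_opted_out(p.events):
            reasons.append("type1")
        if p.nhs_number in ndo_numbers:  # assumed: NDO list supplied as NHS numbers
            reasons.append("ndo")
        if reasons:
            excluded[p.nhs_number] = reasons
        else:
            included.append(p.nhs_number)
    return included, excluded


# Constructed sample data, not real patients.
SAMPLE_PATIENTS = [
    Patient("9434765919", []),
    Patient("4010232137", [CodedEvent("9Nu0", date(2020, 3, 1))]),
    Patient("2000000010", [CodedEvent("9Nu0", date(2019, 6, 2)),
                           CodedEvent("9Nu1", date(2021, 1, 15))]),   # dissent later withdrawn
    Patient("1234567881", []),
    Patient("5555555555", [CodedEvent("827241000000103", date(2022, 5, 9))]),
]
SAMPLE_NDO_NUMBERS = {"1234567881", "5555555555"}  # constructed NDO list

if __name__ == "__main__":
    included, excluded = select_for_extract(SAMPLE_PATIENTS, SAMPLE_NDO_NUMBERS, SECONDARY_USE)
    print("included:", included)
    for nhs_number, reasons in excluded.items():
        print("excluded:", nhs_number, reasons)
```

The two checks are deliberately independent: a patient can be excluded by either, and the reason is kept so the audit trail shows which opt-out removed them. Running an existing audit through this with its purpose stated explicitly is the kind of edit the paragraph above asks you to make to searches written before the NDO applied.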

N.B. COPI regulations are in place until 30th June 2022 and as such override the opt outs for information being collected by NHS England reports on COVID.



PCN: Data Sharing Agreement

NHS England has published data sharing and data processing templates for PCNs, jointly agreed with GPC England, which are available on the NHS England GP contract page.

While the use of these templates is not mandatory, and PCNs remain free to enter into different forms of data sharing and data processing agreements, their aim is to help PCNs develop their data sharing and processing activities when delivering services under the network contract directed enhanced service. BMA guidance on this will be available shortly.

If the template is used, it must be developed further between the members of the Primary Care Network. Guidance notes are included at the end of the template.

For any further queries, please contact



Personal Data Rights (access, correction, objection & more)

Data Protection legislation (UK GDPR & other related items) gives individuals the following rights:

  • A right of access to a copy of the data held about them by a data controller.
  • A right to have errors corrected.
  • A right to have data erased (in limited circumstances)
  • A right to restrict processing of their data.
  • A right to portability of their data
  • A right to object to how their data is used.
  • A right not to be subject to decisions made by solely automated processing of their data.

Practices must ensure they have appropriate policy and processes to respond to requests from patients in a timely and complete manner.  All requests must be fully responded to within one month of receipt.  There is the possibility of extending this timescale if you define a request as complex.  There is no absolute definition of a complex request, but if you receive a request where the individual is asking for several rights to be supported at one time (such as a request for access accompanied with a request to correct data and object to other data being shared), then it may present significant complexities that cannot be dealt with appropriately within one month.  On that basis a further two months can be taken.  The individual must be informed of this within the first month and the basis on which it is deemed complex.

Access to Records

Any individual can request access to their records.  In addition, requests can come from:

  • Solicitors acting on the individual’s instruction.
  • Individuals with lasting powers of attorney for health and welfare.
  • Parents on behalf of children (where the child is not of an age or capability to consent to parental access and where the parent has documented parental responsibility).

In processing a request, you must:

  • Verify the identity of the requestor.
  • Confirm the data subject is happy for information to be released to a party acting on their behalf.
  • Provide access to a copy of the record free of charge (if they require a second copy then an administration fee can be charged).
  • Check the record for any information that could cause harm or distress to anyone (patient or third party).
  • Check the record for any information about third parties (not the data subject or anyone acting in a professional capacity) that is confidential. Any such data should either be removed or only released with the consent of the third party.

The ICO has published guidance and frequently asked questions on this:

Note – there is some confusion over manifestly unfounded or excessive requests. A data subject does not have to give a reason to request access to their data, so their request cannot be unfounded. A request from an individual with a large record cannot be deemed excessive simply because of the size of the record. However, an individual making many repeated requests, or requests every week, could be making unfounded or excessive requests. The option to refuse or charge where a request is manifestly unfounded or excessive should be used with caution and only where the request(s) are causing significant unnecessary work for the organisation.

When should information not be disclosed?

Information should not be disclosed if:

  • it is likely to cause serious physical or mental harm to the patient or another person.
  • it relates to a third party who has not given consent for disclosure (where that third party is not a health professional who has cared for the patient).
  • it is requested by a third party and the patient had asked that the information be kept confidential.
  • the records are subject to legal professional privilege or, in Scotland, to confidentiality as between client and professional legal advisor. This may arise in the case of an independent medical report written for the purpose of litigation.
  • it is restricted by order of the courts.
  • it relates to the keeping or using of gametes or embryos, or pertains to an individual being born as a result of in vitro fertilisation.
  • in the case of children’s records, disclosure is prohibited by law, e.g., adoption records.

The data controller should redact or block out any information that they consider could be harmful and should be prepared to justify the decision to do so. The data controller may advise patients of the grounds on which information has been withheld but is not obliged to do so. There is still an obligation to disclose the remainder of the records.

While the responsibility for the decision, as to whether or not to disclose information, rests with the data controller, advice about serious harm must be taken by the data controller from the appropriate health professional. If the data controller is not the appropriate health professional, then the appropriate health professional needs to be consulted before the records are disclosed. This is usually the health professional currently or most recently responsible for the clinical care of the patient in respect of the matters which are the subject of the request. If there is more than one, it should be the person most suitable to advise. If there is none, advice should be sought from another health professional who has suitable qualifications and experience. Circumstances in which information may be withheld on the grounds of serious harm are extremely rare, and this exemption does not justify withholding comments in the records because patients may find them upsetting. Where there is any doubt as to whether disclosure would cause serious harm, the BMA recommends that the appropriate health professional discusses the matter anonymously with an experienced colleague, the Caldicott guardian, or defence body.

Solicitor Requests

A solicitor is engaged by a patient and so is deemed to be acting on their behalf; with the authority of the patient, the solicitor can therefore make a subject access request. This authority should be evidenced to you to confirm that it is appropriate to release the record to the solicitor. As with a normal subject access request, this cannot be charged for.

Insurance Companies

Insurance companies must request information via the correct route, by requesting a medical report under the Access to Medical Reports Act (1988). They must not require the patient to make a subject access request. Where an insurance contract with the patient contains a term or condition requiring the patient to provide a copy of their health record, that term or condition is deemed null and void under data protection law.

The BMA has stated that, where practices agree with the insurance company to provide a GP report, the legal position is that electronic consent is acceptable.

Patients wishing to view their notes

If a patient wishes to see part of their own record and is content not to receive a copy, then this can be allowed. A patient is not exercising their subject access rights in this situation. However, you must ensure that any information that would be exempted if they asked for a copy is not available to them to view. If, upon seeing their record, they require a printout, then this becomes a subject access request. However, if they only want a few pages, then it should be simpler and less time consuming to provide.

Providing Online Access

The GDPR supports and drives organisations towards providing online access to records for data subjects; however, you cannot insist that a patient’s request is responded to by enabling online access. In many cases online access does not cover the full record held by the practice.

Requests for Access to Records on Deceased Patients

Right to Correction

Individuals have a right to correction of information without undue delay (and within one month unless deemed complex) where data is found to be inaccurate or incomplete.

Where an error is purely factual and the patient’s view of the facts is deemed to be correct, then it should be amended. Electronic systems generally allow for this and keep a record of the previous inaccuracy. Paper records should be corrected so that the erroneous information is clearly marked as erroneous but the history of the error is retained. The correct information must be added.

If there is debate between the patient and the practice about the facts, or a difference of opinion then the record must be annotated to indicate this and the conflicting viewpoints. The test is that the record should be marked in such a way that a clinician who does not know the patient can see the conflict both from the patient and practice perspective and make appropriate decisions based on the full debated picture.

Right to Erasure (also known as the right to be forgotten)

If a patient wants data to be removed from their record, then they must request this, and the practice must respond within one month (unless the circumstances are deemed complex). A request for erasure must be complied with if (NB this list is not exhaustive, but it omits bases that are not applicable in a health and care setting):

  • The personal data in question are no longer necessary for the purposes for which they were collected.
  • The processing of the data was based on consent and that consent is withdrawn and the individual wishes the data to be erased.
  • The data subject objects to the processing, requests erasure and there are no overriding grounds to continue processing.
  • The personal data has been unlawfully processed.

A request for erasure can be refused if:

  • The practice is legally obliged to process the data or is carrying out a task in the public interest, or the exercise of their official authority.
  • The practice is establishing, exercising or defending a legal claim.

The general interpretation is that data will not be erased from a health record used for the provision of care, unless the data is no longer necessary to keep. The patient’s view should be added to the record, so that this can be considered in future uses of the data.

Restricting the use of Data

A patient can request that the uses of their data are restricted. This can be whilst accuracy or lawfulness of use is being confirmed or where the patient has objected and the legitimate grounds to use the data are being established or contested.

If use of data is to be restricted, then it shall not be processed any further without consent or for the establishment, exercise or defence of a legal claim.

When accuracy, lawfulness or objections have been determined, then, where relevant, the restriction can be lifted.

Portability of Data

This is unlikely to apply in a general practice setting, as the basis for application is where the data is processed electronically and with either consent or contract with the data subject. Whilst practices can transfer data via GP2GP system transfers, this is not on the basis of the right of portability.

Right to Object

Where a patient objects to the use of their data then the practice shall no longer process the data, unless it can show compelling legitimate grounds to continue, which override the interests, rights and freedoms of the patient, or is for the establishment, exercise or defence of legal claims.

In reality this is likely to be where a patient objects to the collection or sharing of data. If data needs to be collected to provide effective care, then there is likely to be a legitimate override. If an individual doesn’t want data shared with a partner agency for providing care, this is also likely to be a legitimate override. The individual has the option to refuse care and, if that is the case, data does not need to be shared.

Where use of data is less direct care related, then objections are more likely to be sustained and this is the basis for items such as the opt out of shared record systems or secondary uses of data (insert link to National Data Guardian opt out).

Right not to be subject to decisions made by solely automated means

This right applies where data is processed solely by computers to make a decision that has either a legal or significant impact on the individual. If that is the case, the patient should be informed about the decision making and be able to request the decision is made by a different route. This is likely to be more prevalent in health and care services in the near future. Key questions to ask about any decision-making process are:

Is the processing solely automated, or are there interventions/checks by a person?

Does the processing result in a decision that has a legal or significant impact on the individual?

If the answers to both are yes, then the processing is likely to be an automated decision. The individual should be made aware of this prior to the decision being made and be able to challenge the decision made.



Police Requests

NHSE has published guidance regarding disclosure of information by health and care organisations to the police.

Requests for Disclosure of Data for Secondary Purposes

Examples of secondary uses include commissioning, risk stratification and audit purposes. The guidance document below issued by the BMA outlines the considerations you must make before allowing release of information and how best to release that information.

For more information go to:



Sending Patient Confidential Data via email

Hints & Tips

Emails sent to secure email domains

  • Always consider first whether email is the best way to send the information. Email between secure email domains is automatically encrypted in transit, therefore any email sent from one secure email account to another (e.g. to ) is secure.
  • The user sending the email must first confirm the recipient’s correct email address, for example verbally over the telephone or through the mail directory.

Sending sensitive information to non-secure email addresses (including patients)

Encryption is an additional security tool which means users can communicate securely with any type of email account. NHS Digital detail how this option can be used; however, it’s important to note that they say:

Before using the service:

  • check local organisation policies and processes on sharing personal confidential data and sensitive information first which will take precedence over this guidance
  • ensure you are familiar with the NHSmail Encryption guidance and process 

For guidance on how to identify which email addresses are known to be secure and which need additional protection go to the NHS Digital guidance at

Patient Consent

Patient consent is also an area to consider.

The practice is the Data Controller, so you are ultimately responsible for deciding whether it is appropriate to release information or not. You should also check that any consent form is current, and that the patient fully understands what is being released.

The following link provides a useful toolkit that has been developed by the BMA to help practices around confidentiality. The toolkit can’t give definitive answers for every situation, but it identifies the key factors you need to take into account when you make decisions around confidentiality.

General things to consider when emailing Patient Information.
  1. Always check that the email address(es) of the recipient(s) appear correctly in the To, Cc and Bcc boxes prior to sending.  Staff should be mindful that automatic recognition of names can cause problems, encouraging replication of former errors when sending to repeated recipients.
  2. If sending to multiple recipients use a distribution list ensuring security permissions and access controls are regularly checked.  The members of the distribution list can be checked through the Properties button when you select it.  Always ensure that the distribution lists contain only those individuals who are authorised to receive the information.
  3. You should not put PCD in an email title eg ‘referral for Mrs Smith’.
  4. Do not send emails containing PCD to home computers or personal email accounts. The recipient addresses should be checked if using the ‘Reply’ function.

Please note that the LMC email is not on a secure network, so patient identifiable information should not be shared with it.



Staff and Confidentiality

The LMC is occasionally contacted by practices that have received complaints relating to a member of staff breaching patient confidentiality.  In some of these cases they relate to staff who are no longer employed by the practice.

We would recommend that you:

  1. Check that all your contracts of employment contain a clause relating to confidentiality.
  2. Each member of staff should sign a confidentiality agreement. This should include all temporary staff, cleaners and other workers (including volunteers), if unaccompanied by a practice staff member.
  3. At your next staff training event, talk about patient confidentiality and remind all staff members of their responsibilities, not only whilst they work for you but also when they cease to work for the practice.
  4. Ensure that all your staff receive appropriate levels of training on information governance, including updates.

Serious breaches of confidentiality can result in the termination of a contract of employment. Individual members of staff who misuse data may be committing an offence under Data Protection legislation and subject to prosecution by the Information Commissioner’s Office. Any staff who seriously breach confidentiality should be reported to the ICO as a data breach (as required by UK GDPR) and they will determine if they pursue a prosecution.

It is worth remembering that there are no sanctions that can be imposed once a member of staff has left the practice.

If a patient wishes to take action, then it would be the practice and partnership who would be held responsible.



Text/SMS Messaging

Text/SMS Messaging Patients

Text or SMS messaging allows practices to contact large numbers of patients within a small time frame. It has been shown to significantly cut Did Not Attend (DNA) rates when used to inform patients of their appointments, but can have other uses including asking patients to book appointments, reminding them to take medication or informing them of their results.

However, advice from both the MDU and MPS is that you must not assume that, because you hold a patient’s mobile telephone number as part of their clinical record, you can simply use it to send texts to them. Data Protection legislation requires you to inform individuals how you use their data, so it is key that, before using a mobile number to send texts, you inform patients of this.

To be able to use mobile numbers to send texts, then you must ensure patients are aware of this and if they have any concerns, they can raise them. You should use posters, waiting room screens, leaflets, and the practice website to get the message across to patients.

Both medical defence organisations recommend obtaining express consent from patients and to clearly record their preferences for communication in the notes. This is perfectly acceptable but may be considered unnecessary if you are openly publicising your approach to patients.

It is also important to keep records up to date as many people change their numbers frequently and are known to share their old mobiles widely. Patients should be advised on the importance of advising the surgery of any changes to their contact details.

We would recommend that specific messages are used on waiting room screens, noticeboards, and reception desks to remind patients to keep you up to date with these details and promote that you will use texts for administration purposes unless they ask you not to.

Further advice concludes that text messaging is a professional communication and should be included as part of the patient’s clinical record. This will probably include the date and time of the transmission, the content of the message and any details included in a reply. However, it is not thought to be an appropriate way of dealing with clinical queries.

Text messaging can be a valuable tool for communicating with patients but needs to be used cautiously and as part of a wider patient communication strategy.

11-15 year olds

Handling mobile contact numbers, particularly when dealing with children aged 11 to 15, can be problematic.

The LMC view is that children aged 11-15 should not be sent text reminders for appointments etc, in order to avoid the possibility of a parent using their own mobile number as a contact for the young person.

Where Gillick competency has been assessed, discuss this with the young person; they may agree to let you have their own personal mobile number, but you would need to check that it is indeed personal only to them. You should in this circumstance record this information.

The GMC has guidance on this on their website about confidentiality in 0-18yrs of age available at: 

NHS SMS Messaging

As you will be aware, the Department of Health has decided that NHS mail is too costly and has decided to terminate it. The GPC has objected to this as it is seen as a retrograde step. As a result, NHS mail faxing ceased at the end of March 2015, and SMS messaging ceased in September 2015. However, ICBs were asked to put in place arrangements for SMS messaging in Primary Care post September 2015.

The clinical system suppliers offer SMS texting services, details of which are below (contact the system suppliers):

Vision (INPS): Vision+ SMS Text Messaging

TPP SystmOne: Offers a free messaging service via NHS net



The Data Security and Protection Toolkit

The Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit replaced the Information Governance toolkit in April 2018. The toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations (including practices) that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practicing good data security and that personal information is handled correctly.

To meet the standard, organisations must respond to all evidence items which are identified as mandatory and confirm the associated ‘assertions’.

When providing evidence, you do not have to insert the documents within the toolkit, however, we would suggest you store these in one place which is easily accessible, should they be required.


Data Security awareness training

This has replaced the IG training tool. It is available via e-learning for health:



UK GDPR Headlines

BMA Guidance

To read the BMA’s latest guidance on Subject Access Requests (including fees), Data Protection Officers, FAQs and more go to: and click on ‘further information’.

BMA UK GDPR Privacy Notices

Template GDPR privacy notices (PPNs) are available in the GDPR hub in the BMA resources section. The hub page also contains information on the regulation and hosts a suite of resources and blogs to help guide members.

What is the UK GDPR (UK General Data Protection Regulation)?

The UK GDPR came into effect on 31 December 2020. It strengthens the protection of personal data. The UK has established the Data Protection Act 2018, which enshrines the provisions of the UK GDPR into UK law.

Compliance is essential as fines under the UK GDPR are up to a maximum of 20 million Euro or 4% of turnover.

The UK GDPR strengthens the controls that organisations (data controllers) are required to have in place over the processing of personal data, including pseudonymised data.

Headline Requirements
  • Mandatory appointment of a Data Protection Officer (DPO) for all public authorities.
  • A requirement to demonstrate compliance with the new law.
  • Legal requirements to notify the regulator of security breaches.
  • Removal of charges (in nearly all cases) for providing copies of records to patients or staff who request them.
  • Requirement to keep records of data processing activities.
  • Data Protection Impact Assessments required for high-risk processing (including the large-scale processing of health-related personal data).
  • Data protection issues must be addressed in all information processes.
  • Enhanced requirements to be transparent and inform individuals how their data is used.
  • Where consent is used to process data, it must be explicit (NB consent should only be used where the individual has a real choice about the use of their data; there are many other conditions that should be used to justify use of data in health and care settings).
  • Specific requirements for transparency and fair processing.
  • Tighter rules where consent is the basis for processing.

The British Medical Association has published guidance at:

The Information Commissioner’s Office, which regulates data protection law, has published a couple of checklists which may be helpful:

They also have UK GDPR specific webpages at:



Information Governance – Requests for Information from Dignitas

We have been made aware that Dignitas may contact a patient’s GP for information if that patient contacts them considering assisted suicide. How should you respond?

The Suicide Act provides that ‘a person who aids, abets, counsels or procures the suicide of another, or an attempt by another to commit suicide, shall be liable on conviction on indictment to imprisonment for a term not exceeding fourteen years’.

According to the DPP’s guidance, among the factors which would determine a prosecution are:

  • whether a person stood to benefit financially from assisting the suicide or was acting wholly out of compassion;
  • whether the individual wanting to die was deemed competent enough and had a ‘clear and settled’ wish to make such a decision (particular attention would be paid to issues such as being under 18 or having a mental illness);
  • whether the person was persuaded or pressured into committing suicide or whether it was entirely their own decision.

Apparently status as a doctor is a factor in favour of the DPP prosecuting so we, as doctors, are at particular risk. Our advice is that if approached we must offer alternatives to suicide such as high quality palliative care and try to dissuade a patient from taking this course of action. You must record this clearly and the patient cannot influence what you write in the notes.

Another issue is that Dignitas may ask for a medical report. If you act on this knowing what it is for, then this could be seen as a criminal act. Therefore you should not issue a report. If the patient asks for a copy of their notes under the Data Protection Act, then the request should be in writing and you should send the copy with a letter stating that you do not imply, by providing the information, that you are in agreement with or aiding the patient’s decision to go to Dignitas.

Obviously a doctor may have a different ethical view but the advice above is given with the aim of avoiding risk of prosecution. Any doctor not taking the above line would need to fully understand the risks involved, including a custodial sentence.

The BMA have produced guidance on Responding to patient requests for assisted dying: guidance for doctors



Data Protection Officers

Practices can access help with Data Protection from their DPOs as provided by the Commissioners.

BSW – Via Medvivo. An online virtual DPO

Dorset – Emily Hutchins and Helen Williams

Hants/Southampton/IOW – Arden & Gem CSU.

Hants/Southampton/IOW – Caroline Sims – Independent IG Consultant currently supporting 80+ practices in HIOW –

NE Hants & Farnham – Lucy Hunt PC.dp. (GDPR) –


