The Common Law
Common Law is also referred to as ‘judge-made’ or case law.
The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client.
It is irrelevant for example how old the patient/client is, or what the state of his/her mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented
- where disclosure is necessary to safeguard the individual, or others, or is in the public interest
- where there is a legal duty to do so, for example a court order
Therefore, under the common law, a health or social care provider wishing to disclose a patient’s/client’s personal information to anyone outside the team providing care should first seek the consent of that patient/client.
Where this is not possible, an organisation may be able to rely on disclosure being in the overriding safeguarding interest of the individual or others or in the public interest.
However, whether a disclosure is in the public interest is not a decision to be taken lightly.
Solid justification is required before individual rights are set aside and specialist or legal advice should be sought before the information is disclosed.
Any decision to disclose should be fully documented.
Disclosures required by court order should be referred to the organisation’s legal advisors as promptly as possible, so that any necessary representations may be made to the court, for example to limit the information requested.
If a disclosure is made which is not permitted under common law the patient/client could possibly bring a legal action not only against the organisation but also against the individual responsible for the breach.
Records management considerations
All persons involved in the records management function should be aware of their responsibility for maintaining confidentiality of records.
Employees should only have access to those parts of the record required to carry out their role.
Requests for records access by other staff members should be logged and periodically audited.
Particular care should be taken during the transportation of health and social care records outside of the organisational site, for example security envelopes and approved carriers should be used where necessary.
The Confidentiality Code of Practice is a result of a major public consultation that included patients, clients, carers and citizens, the DoH, other health and social care providers, professional bodies and regulators.
The Code offers detailed guidance on:
- protecting confidential information
- informing service users about uses of their personal information
- offering service users appropriate choices about the uses of their personal information
- the circumstances in which confidential information may be used or disclosed
Disclosure after a patient’s death
There are no clear legal obligations of confidentiality that apply to the deceased.
Nevertheless the DoH, Department of Health and the General Medical Council agree there is an ethical obligation requiring that confidentiality obligations continue to apply after death.
The Common Law Duty of Confidentiality arguably applies to deceased patients’ records, as per the Information Tribunal Appeal Number: EA/2006/0010 of 17 Sep 2007 between Pauline Bluck, the Information Commissioner and Epsom & St Helier University NHS Trust and Lewis v Secretary of State for Health  EWHC 2196.