Department of Health An Roinn Sláinte Männystrie O Pouste

The Common Law Duty of Confidentiality

    Topics:
    • Good management, good records
    • Legal and professional obligations

    Common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges.

    The Common Law

    Common Law is also referred to as ‘judge-made’ or case law.

    The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

    The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

    In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client.

    It is irrelevant, for example, how old the patient/client is, or what the state of his/her mental health is; the duty still applies.

    Three circumstances making disclosure of confidential information lawful are:

    • where the individual to whom the information relates has consented
    • where disclosure is necessary to safeguard the individual, or others, or is in the public interest
    • where there is a legal duty to do so, for example a court order

    Therefore, under the common law, a health or social care provider wishing to disclose a patient’s/client’s personal information to anyone outside the team providing care should first seek the consent of that patient/client.

    Where this is not possible, an organisation may be able to rely on disclosure being in the overriding safeguarding interest of the individual or others or in the public interest.

    However, whether a disclosure is in the public interest is not a decision to be taken lightly.

    Solid justification is required before individual rights are set aside and specialist or legal advice should be sought before the information is disclosed.

    Any decision to disclose should be fully documented.

    Disclosures required by court order should be referred to the organisation’s legal advisors as promptly as possible, so that any necessary representations may be made to the court, for example to limit the information requested.

    If a disclosure is made which is not permitted under common law, the patient/client could possibly bring a legal action not only against the organisation but also against the individual responsible for the breach.

    Records management considerations

    All persons involved in the records management function should be aware of their responsibility for maintaining confidentiality of records.

    Employees should only have access to those parts of the record required to carry out their role.

    Requests for records access by other staff members should be logged and periodically audited.

    Particular care should be taken during the transportation of health and social care records outside of the organisational site; for example, security envelopes and approved carriers should be used where necessary.

    The Code of Practice on protecting the confidentiality of service user information is available on our website.

    The Confidentiality Code of Practice is a result of a major public consultation that included patients, clients, carers and citizens, the Department of Health, other health and social care providers, professional bodies and regulators.

    The Code offers detailed guidance on:

    • protecting confidential information
    • informing service users about uses of their personal information
    • offering service users appropriate choices about the uses of their personal information
    • the circumstances in which confidential information may be used or disclosed

    Disclosure after a patient’s death

    There are no clear legal obligations of confidentiality that apply to the deceased.

    Nevertheless, the Department of Health and the General Medical Council agree there is an ethical obligation requiring that confidentiality obligations continue to apply after death.

    The Common Law Duty of Confidentiality arguably applies to deceased patients’ records, as per Information Tribunal Appeal Number EA/2006/0010 of 17 Sep 2007 (between Pauline Bluck, the Information Commissioner and Epsom & St Helier University NHS Trust), available via informationrights.gov.uk, and Lewis v Secretary of State for Health [2008] EWHC 2196.

    • The Department of Health guidance is available on webarchive.nationalarchives.gov.uk
