Section 2: The common law of confidentiality and consent

Common law confidentiality is not codified in an Act of Parliament but built up from case law through individual judgments. The key principle is that information confided should not be used or disclosed further, except as originally understood by the confider, or with their subsequent permission. Although judgements have established that confidentiality can be breached ‘in the public interest’, these have centred on case-by-case consideration of exceptional circumstances. Common law confidentiality can also be overridden or set aside by legislation.

Available guidance on the common law includes the Department of Health (DH) 2003 publication Confidentiality: NHS Code of Practice. However, whilst this remains largely applicable, the guidance has dated and will be superseded in due course by guidance developed under the banner of the Health and Social Care Information Centre (HSCIC)’s 2013 Confidentiality Code of Practice.

Supplementary guidance on the common law, developed by the HSCIC, is provided below after an explanation of consent.

Consent is the approval or agreement for something to happen after consideration. For consent to be legally valid, the individual must be informed, must have the capacity to make the decision in question and must give consent voluntarily. This means individuals should know and understand how their information is to be used and shared (there should be ‘no surprises’) and they should understand the implications of their decision, particularly where refusing to allow information to be shared is likely to affect the care they receive. This applies to both explicit and implied consent.

The Mental Capacity Act 2005 Code of Practice should be consulted with regards to decisions about capacity and competence. 

Explicit consent is unmistakeable. It can be given in writing or verbally, or conveyed through another form of communication such as signing. A patient may have capacity to give consent, but may not be able to write or speak. Explicit consent is required when sharing information with staff who are not part of the team caring for the individual. It may also be required for a use other than that for which the information was originally collected, or when sharing is not related to an individual’s direct health and social care.

Implied consent is applicable only within the context of direct care of individuals. It refers to instances where the consent of the individual patient can be implied without having to make any positive action, such as giving their verbal agreement for a specific aspect of sharing information to proceed. Examples of the use of implied consent include doctors and nurses sharing personal confidential data during handovers without asking for the patient’s consent. Alternatively, a physiotherapist may access the record of a patient who has already accepted a referral before a face-to-face consultation on the basis of implied consent. 

A duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. It is generally accepted that information provided by patients or service users to a health or social care service is provided in confidence and must be treated as such so long as it remains capable of identifying the individual it relates to. This is an important point, as once information is effectively anonymised it is no longer confidential.

When an individual has died, information relating to that individual remains confidential under the common law (see for example Bluck v The Information Commissioner and Epsom and St Helier University NHS Trust, 2007, Lewis v Redfern Nicholas Lewis (Claimant) v Secretary of State for Health (Defendant) & Michael Redfern QC (Interested Party) [2008] EWHC 2196 (QB), Plon (Societe) v France (Application no 58148/00). Judgment of the Second Chamber of the Strasbourg Court (May 18 2004)).

An ethical obligation to the relatives of the deceased exists and health records of the deceased are public records and governed by the provisions of the Public Records Act 1958. This permits the use and disclosure of the information within them in only limited circumstances. The Access to Health Records Act 1990 permits access to the records of a deceased person by those with a claim arising out of that individual’s death. This right of access is negated however if the individual concerned requested that a note denying access be included within the record prior to death (this might be part of a formal advance directive). There is no equivalent statutory provision in relation to social care records. Local authorities generally provide access to social care records through the Freedom of Information Act. However, the guidance issued by the ICO on s.41 of the Freedom of Information Act means relatives could pursue a case for breach of confidence ICO: Practical guidance: Information about the deceased).

When an individual provides consent for sharing information about them for a particular purpose (either for direct care or for other purposes), this consent provides a legal basis for that information sharing. Explicit consent provides a legal defence to potential claims for breach of confidence and breach of privacy; it also ensures that the conditions for processing sensitive personal information in schedules 2 and 3 of the Data Protection Act 1998 are met. Consent may either explicit or, in certain circumstances, implied. Even when consent has been given, this does not mean that information which is unnecessary or irrelevant must be shared.

The individual is usually able to give consent for any information sharing needed to safely provide that care. Very few individuals ever express concern about information sharing where they see it as necessary to provide their care (for ‘direct care’). Consent for the necessary sharing of information to support care delivery can be inferred from the fact that an individual agrees to receive that care, however, only relevant information should be shared.

When confidential information is to be used for purposes other than direct care it will usually be shared in a form whereby the individual cannot be identified. If individuals cannot be identified from the information, then consent is not needed.

However, there may be circumstances where it is not practicable to use de-identified information or to get consent and in these cases confidential information may be shared but only if there is a legal basis for the information sharing. Note that if an individual objects to sharing, it may be that the confidential information cannot be shared.

There are two principal ways that sharing identifiable confidential information may be allowed without consent of the individual

The holder of the confidential information may have a statutory obligation to share or disclose the confidential information or the one seeking to obtain the information may have a statutory basis to demand it. For example, health protection legislation includes a requirement to notify cases of infections or contamination which could present a significant risk to human health. The courts may issue orders that can be challenged but must generally be complied with. A range of bodies have legal authority to obtain confidential information in support of their duties and functions e.g. the Care Quality Commission.

The HSCIC has statutory authority under the Health and Social Care Act (HSCA) 2012 enabling it to collect information from health and social care organisations. In some circumstances the HSCIC can require organisations to provide information, and in other circumstances it may make non-mandatory requests.

Some legislation falls short of creating a duty to share confidential information or a power to collect it though it may make it possible for organisations to share confidential information. This may be in a form that provides a legal gateway to share confidential information where this might otherwise be prevented, or it may simply set the common law obligation of confidentiality aside. Such confidential information sharing must be necessary and proportionate to the purpose.

This legislation provides the Secretary of State for Health with the authority to make regulations that set aside legal obligations of confidentiality (though not other legal requirements). Support can be granted for a specific range of activities, for example anonymising information, accessing records to contact people for the purposes of gaining consent for research, geographical analysis, linkage, validation and clinical audit. Further guidance on s.251 and the application process to the Confidentiality Advisory Group (CAG) is available from the Health Research Authority (HRA). Generally, support is permissive i.e. it allows data sharing for the particular purpose, but does not mandate it. Where the Secretary of State is asked to exercise his discretion to approve the release of information he seeks advice from the independent CAG which is hosted by the HRA and makes decisions with respect to research. The Secretary of State will continue to make decisions in relation to all other purposes. In addition, organisations seeking information that might identify individuals for research purposes must have approval from either a local Research Ethics Committee or a multi-centre Research Ethics Committee as appropriate. Guidance on the research governance framework for health and social care is available from the Department of Health. Existing regulations support work related to cancer and to public health risks and surveillance, and provide the Secretary of State with the discretion to support bodies wishing to access identifiable confidential information for other medical purposes, including medical research.

Public interest: This applies when the holder of the information believes that the public good that would be served by sharing the information outweighs both the obligation of confidentiality owed to the individual and the public good of protecting trust in a confidential service. This is a difficult test to satisfy and the circumstances of each individual to whom the information relates need to be considered on a case by case basis. This means that the public interest can rarely provide a legal basis for sharing large volumes of information. Whilst serious crimes such as murder and rape would normally justify sharing with appropriate bodies e.g. the police, there are grey areas where professional experience and judgement are needed and where the circumstances might warrant the sharing of limited information proportionate to the seriousness of the issue.

When deciding whether to share confidential information, the following should be considered

• whether and how individuals should be informed about the information sharing: Individuals must be told, in general terms, which information will be shared with whom, for what purposes and how long it will be held. There are some rare exemptions to this

• whether it is necessary to use identifiable information for the specific purpose. The quantity and type of information used must be proportionate to the purpose being addressed and the information should be de-identified as far as is practicable

• whether there is any other legal bar to the confidential information sharing

Many bodies are able to share information, without any particular restriction. However, bodies that have been created under statute are only able to do what they were set up to do, limiting what they might share and with whom they might share it. The law in this area is evolving and becoming less restrictive and statutory bodies will need to obtain legal advice on what they are permitted to do. In some cases Parliament has provided legal authority to organisations to support important work that might need access to information that might identify individuals. This legal authority may enable an organisation to collect information to discharge its functions and the authority may require compliance or might simply remove legal barriers that prevent confidential information from being shared. Legal authority may be given to organisations to act on behalf of others or it may enable one organisation to approve information collection by other organisations. Guidance on the various types of statutory authority and which bodies may do what is available from the Department of Health (NHS Information Governance Guidance on Legal and Professional Obligations).