Updated GMC Guidance on Confidentiality 2017 – what you need to know

The updated GMC Guidance Confidentiality: Good Practice in Handling Patient Information (“the Guidance”) came into effect on 25 April 2017. The Guidance builds upon the core principles set out in the GMC’s Good Medical Practice. It is aimed at providing a framework for considering when to disclose a patient’s personal information and sets out the responsibilities of all doctors for managing and protecting that information.

Trust is an essential part of the doctor-patient relationship and confidentiality is essential to this. Patients must feel able to report full details of their symptoms and those of their dependents. If this trust is undermined, it could have a significant detrimental impact on their health. Therefore, confidentiality is essential to patient safety. An unlawful breach of confidentiality can have severe consequences, including restrictions upon a doctor’s ability to practise and the imposition, by the Information Commissioner’s Office (ICO), of a fine of up to £500,000.

Notwithstanding this, there are some circumstances where a doctor is under a legal or ethical obligation to disclose confidential patient information to a third party.

Why the change?

Confidentiality is recognised to be an increasingly relevant and complex issue. The latest figures from the ICO reveal that between 1 July 2016 and 1 October 2016, the NHS reported 239 “data security incidents”. The updated Guidance was produced as a consequence of the GMC’s 2016 review of its confidentiality guidance and the feedback received from that review.

What is new?

The GMC has published a helpful document entitled What’s Changed in the Confidentiality Guidance, which highlights the key changes to the Guidance and the new obligations now imposed upon doctors.

In summary, the key changes are as follows:

• The Guidance is more “user friendly” and includes a decision-making flowchart, which gives doctors a framework to work from when determining what information may be disclosable;

• It places a stronger emphasis on the importance of sharing information appropriately for patient care;

• It provides more detail on the circumstances in which doctors can rely on implied consent to share patient information for direct care;

• It acknowledges the significance of the role that those close to the patient can play in supporting the patient through their treatment and recovery, and it encourages the sharing of information with those close to the patient, subject to patient consent;

• It extends the existing professional obligation to tell an appropriate authority when a patient who lacks capacity may be experiencing, or is at risk of, abuse or neglect, to include all forms of serious harm;

• It acknowledges there may be very exceptional circumstances where disclosure may be justified without consent to prevent a serious crime, even when no one other than the patient is at risk (although patients who have capacity are still entitled to make decisions for themselves – even if that decision leaves them at risk of death or serious harm);

• It expands the list of examples of circumstances in which a patient might pose a risk of serious harm to others;

• It explores how the duty of confidentiality works alongside the duty of candour;

• It explicitly obliges doctors to have knowledge of “information guidance” which is appropriate to their role. Doctors who are data controllers are obliged to understand and meet their responsibilities under the Data Protection Act 1998 and everyone is expected to follow data protection policies and procedures, regardless of whether they themselves are data controllers;

• It contains an overt expression of a doctor’s duties to protect and promote the health of patients and the public, as well as to respect patient confidentiality;

• It provides a new requirement to explain to a patient the possible consequences of them not consenting to disclosure of their confidential information, which may lead the patient to change their mind and agree to disclosure. However, if their decision remains unchanged, there is a duty to abide by the patient’s wishes so long as that patient has capacity;

• It requires identifiable patient information to be anonymised for audit purposes wherever possible – and in particular where the audit is not carried out by a person involved in the direct care of that patient.


This is a complex area and practitioners will need to ensure they are familiar with the updated Guidance. In circumstances where a doctor believes that he or she may have a duty to disclose confidential information, they should consider seeking advice from a Caldicott or data guardian, their defence body or professional association, or obtain independent legal advice.