Article Text


Confidentiality and the duties of care
  1. J O’Brien1,
  2. C Chantler2
  1. 1Standards Section, General Medical Council, London, UK
  2. 2Standards Committee, General Medical Council, London, UK
  1. Correspondence to:
 J O’Brien, GMC, 178 Great Portland, London W1W 5JE, UK;


Doctors have an ethical and legal duty to respect patient confidentiality. We consider the basis for this duty, looking particularly at the meaning and value of autonomy in health care. Enabling patients to decide how information about them is disclosed is an important element in autonomy and helps patients engage as active partners in their care.

Good quality data is, however, essential for research, education, public health monitoring, and for many other activities essential to provision of health care. We discuss whether it is necessary to choose between individual rights and the wider public interest and conclude that this should only rarely be necessary. The paper makes some recommendations on practical steps which could help ensure that good quality information is available for work which benefits society and the public health, while still enabling patients’ autonomy to be respected.

Statistics from

Doctors’ duty to respect confidentiality has been with us for a long time—the Hippocratic Oath was probably written in the 5th Century BC—but it seems to be causing us more trouble than ever before. The General Medical Council (GMC), in its struggle to publish new guidance1 was challenged with legal action by patients’ groups on the grounds that its new guidance was too permissive about the use of data, and by general practitioners (GPs) and other doctors for undermining patients’ trust in the confidentiality of medical records. But the final guidance, which requires doctors to seek consent “where practicable”, and to inform patients about the use of their data, was greeted with anger by researchers, epidemiologists, and doctors working in public health, who fear it will damage research and epidemiology. The advice that patients must always be informed about disclosures to cancer registries was particularly reviled as “political correctness . . .. Shaped by an unrepresentative and vociferous minority”.2

Confidentiality is rarely challenged in itself. It is accepted by most doctors and patients as one of the main planks of a relationship of trust between doctors and patients. But close examination of what confidentiality is for, why it is necessary, and what it means in practice, reveals some deep and fundamental divisions in understanding and expectations.


On the one hand the law appears to give patients rights to privacy and confidentiality. The Human Rights Act 1998 includes article 8—the right to respect for “private life”—although this may be overridden for “the protection of the public health”.3 The Data Protection Act 1998, also accords individuals rights, in terms of access to their data, their right to know how it will be used, and control, in some circumstances, over its dissemination.4 The full effects of the Human Rights Act and the Data Protection Act are not yet clear. All information obtained by doctors about patients is confidential in common law, and the common law recognises individuals’ rights to autonomy in relation to disclosure of data, to a lesser degree, but in the same way as it accords the right to individual autonomy in relation to treatment.

Nonetheless, the law provides no absolute protection for medical information. The common law, evolving as it does through continual re-examination of the competing interests of the individual and of society, cannot present a unitary or coherent policy.


Society as a whole is moving towards a “rights based” approach to citizenship. This is reflected in many aspects of our way of life, including our increasing desire to participate in decisions which affect us directly, and increasingly to express our desire for control through making complaints. We are no longer willing to put ourselves—as individuals or families—in second place to the needs of society. More encouragingly, we are not prepared to condone the suffering of, or discrimination against, minorities for the benefit of the majority.

In our society we give a high value to the rights of the individual and consequently to autonomy. As Doyal5 and others6 have said, respect for the autonomy of patients is a form of recognition of the attributes that give humans their moral uniqueness. Humans, unlike animals, formulate aims and beliefs, reason about them, make choices on their basis, and attempt to plan for the future. This means that respect for autonomy—for the attributes which define humanity—goes hand in hand with human dignity.

Autonomy encompasses not just the right to self determination about our bodies and how they are treated, but also to information about ourselves, our lifestyles, and our health. The right to control who knows the things about us which we regard as private is integral to our sense of self and sense of identity. The Medical Research Council (MRC) begins its guidance on confidentiality with a clear expression of this:

. . . Keeping control over facts about one’s self can have an important role in a person’s sense of security, freedom of action, and self respect.7

So the law, and society, seem to be moving towards a view of autonomy, and privacy as a corollary of that, as a right. As a right it establishes one of the governing principles in interactions between doctors and patients.


For some doctors, particularly GPs and other clinicians, a rights based approach is paramount, perhaps because of their daily contact with, and responsibility for, the care of individual patients. Many other doctors, particularly those who work principally in public health, epidemiology, and other research, have a broadly utilitarian approach to confidentiality. From this perspective, confidentiality is regarded primarily as a means to an end. It protects the health of the population, and of the individuals within it, by allowing them to come forward for medical care and treatment without fear of embarrassment or of other harm. This is exemplified in the 1988 judgment by Mr Justice Rose8 who ruled that information about doctors with HIV could not be published in national newspapers, since this breach of confidence would undermine the trust of the population in the confidentiality of medical care and inhibit the freedom with which individuals would seek medical advice and counselling. He concluded that “In the long run, the preservation of confidentiality is the only way to secure the public health”.

Doctors have seen confidentiality as providing benefits for the individuals who seek care, as well as for the “public health”. But from this perspective confidentiality is still seen as a means of conferring health benefits—not as a right, or a benefit, in itself.

To suggest that confidentiality is of value only for these practical reasons is a seductive argument. It allows judgments about disclosures to be made on the basis of the benefits of protecting the public health, or further research, weighed against the measurable harm to an individual or to society. This judgment usually starts from the premise that no harm is done to an individual by a disclosure, say for research or to a registry, since the patient may never know the disclosure is made. In the case of patients finding out, any minor psychological harm of disclosure is seen to be outweighed by significant benefits which may accrue to others, from advances in understanding diseases and their treatment. Furthermore, from this pragmatic perspective, it is often argued that seeking consent to disclosures will in itself bring harm. For example, it will:

  • Use up precious resources, particularly of time;

  • Damage data quality when people withhold consent, or doctors fail to seek it, and

  • Upset patients, who may not want to think about peripheral issues such as research when considering their own future with a serious disease.

And finally, it is argued that confidentiality is not an important issue to patients.

These are the two polarised views, utilitarianism against rights, pragmatism against principle. But the view that we have to choose between effective research and respect for confidentiality is dangerously reductive—and in any case, there is more common ground than at first appears. The most ardent “rights” proponent would not argue that autonomy and confidentiality must always take precedence over the public interest; nor would they wish to deny the practical benefits in improving the public and individuals’ health which confidentiality brings. The greatest pragmatist would not argue for making the rights of the individual entirely subservient to the needs of the community. None of us would see it as acceptable to make all health records publicly available; and we all agree that the rights of the individual end where they conflict with the rights of, or cause harm to, others.


Before going further, it might be helpful to consider the public and patient perspectives. This is an under-researched area and the evidence is currently inconclusive. The Wellcome Trust in its research into collecting samples and data for use in the BioBank, reports that:

medical records were seen by many people as too personal to be handed over for use by unknown researchers . . .. In general terms, they felt uneasy about records being made available for research purposes and they had specific worries about employers and insurers getting hold of information and misusing it . . .. These worries were often allayed by explanations of why information would be helpful to researchers, and by reassurances of safeguards against unauthorised access.9

A MORI poll by the GMC undertaken in 1998 found that “serious or persistent” breaches of confidentiality were the offences which most members of the public thought should lead to disciplinary action being taken by the GMC—ahead of failing to keep up to date or letting their personal beliefs prejudice the care of their patients (see table 1).

Table 1

For each one I read out could you tell me whether if a doctor repeatedly fails to perform this duty, they should definitely be struck off, possibly be struck off, or definitely not be struck off? By “struck off” I mean being removed from the medical register

More research, particularly by Sheffield University School of Health and Related Research (ScHARR) is underway through their project: “What do the public think about the use of their health information?”. An interim report issued in September 2001 shows that while most people are happy for to provide access to records for health care and related purposes, a significant minority (11.6%) would be “very unhappy” to allow access to researchers, National Health Service (NHS) managers, GP receptionists, social workers, and others.10 Other, smalller studies—for example, the Northumberland Community Health Council research into public views on sharing personal medical and social care information, indicated a majority (68%) thought that they should be able to decide who accessed information in their records.11 Although more work needs to be undertaken in this area, a greater understanding of public views is emerging, particularly of the concerns widely held about those to whom information is disclosed, the sensitivity of the data, and the preference for controlling access to health records.


We know more about how people respond to being given more autonomy and better information in relation to treatment. Generally, it seems, people respond well to further information about health care. Benefits can arise from relatively simple information—the number of people failing to attend for outpatient appointments dramatically decreased when more information was provided about the purpose of the appointment. In one study the non-attendance rate overall fell from 15% to 4.6% and to 1.4% for those people who also received a phone call.12 Many more studies have concluded that better communication improved outcomes for patients.13,14

People also want to feel involved, not just in their care, but also in decisions about research and in helping others. The BioBank study shows people feel they should be asked to consent where they are being asked to act altruistically.9 The Independent Review Group on Retention of Organs at Post Mortem in Scotland reported that parents often expressed the wish to be asked about the use of a child’s organs for research or teaching after death, not because they wanted to say “no”, but because they wanted the opportunity to say yes—to feel that they had contributed to the care of future generations of children.15

Communication with patients about what is to happen to them, how information about them will be used, or even what will be done with samples taken from them, seems to be of universal benefit in the provision of care. Its value lies in fostering relationships of trust between doctors and those they care for. It enables patients to exercise their autonomy, to feel that they are not cogs in the machine.

But even if we are convinced that respect for autonomy is right in principle, and beneficial in practice, there are still serious practical problems to overcome. How can patients be given the information, or doctors find time to talk to patients and record—and yet worse —act on their decisions?


First, of course, we can find new ways of informing people about the use of their data. The Department of Health is planning a public information campaign, and this can be backed up by all health care providers including information in leaflets and posters. All health care professionals can also take available opportunities to discuss the issues with patients. The more aware the public is about the use of the data, the easier it will be to explain specific proposals, when that is necessary.

This will be an important step in developing a valid form of “implied consent”—that is where patients have been told about the proposed use of data, and about their right to object. The GMC’s guidance on confidentiality already accepts that this may be sufficient for some processes, such as the anonymisation of data, or for spot checking records for financial audit. Where there were more secure means of ensuring that patients had received information, and where refusals could be respected, implied consent could be used more extensively for the release of data for administration, planning, and audit.

The use of anonymised, or “pseudonymised” data itself provides another part of the solution. Record linking and matching, and ensuring data is accurate, may mean that each individual has to have a unique number or code; but there is no need for this to be a name, a postcode, an unencrypted NHS number, or any other data from which the patient’s identity can be easily recognised. Anonymisation and “pseudonymisation” techniques can go a long way towards protecting privacy and preventing the casual identification of individuals by those legitimately using the records. Holding records electronically increases the ease with which we can anonymise data and we must take every opportunity of doing so, where anonymised or “pseudonymised” data will serve the purpose.

Of course, anonymising data does not resolve the problem of autonomy altogether. Some people would argue that patients have a right to withhold consent to the use of their data for any purpose they disagreed with. And certainly, we would agree that anonymised data must be used responsibly and carefully. It is perhaps akin to a donation or gift—the recipient owes a moral duty to the donor to see that it is used well, even if the donor no longer has direct rights over its use. For this reason, we should use anonymised data only where we are confident about public support—for example, for the running of the health service, or with appropriate checks and balances, such as where research is approved by ethics committees.

But some valuable research relies on records which include information from which individuals can be identified. This may be because a single piece of information, such as post code, or combinations of data—unusual occupation, disease, age, or other details—will together make data identifiable. Sometimes the cost or effort of anonymising data is unacceptable.

Historical records pose particular problems, and will continue to do so for a as long as they remain useful in research. In most cases, the number and age of records will make it impractical or impossible to seek or obtain consent. Where this is the case, it may be that the interests of society, in using the records for research, will outweigh the rights of the individual. But before using records we must consider carefully the value they will bring, whether there are other means of achieving the objectives without breaching confidence, and whether, and if so how, the records can be replaced.

It is clear from the GMC’s recently published guidance on research16 that they see no objection to the use of historical records as part of properly organised research, with the agreement of a research ethics committee. This does not, however, surmount the legal problems. The views of research ethics committees are not binding on courts, although they are likely to be given considerable weight by any court considering an action for breach of confidence.

Problems nonetheless persist. Some researchers may feel that making fine judgments about the common law involves too great a risk of being sued for breach of confidence. Some epidemiology and other projects do not fall within the remit of local research ethics committees. In other cases it is simply not possible to obtain consent—for example, in the case of patients with mental incapacity. It is for circumstances of this kind that regulations under section 60 of the Health and Social Care Act 2001 have been introduced.17

Section 60 of the Health and Social Care Act 2001 provides a power to ensure that patient identifiable information needed for research and management of the NHS, including financial and clinical audit, can be used without the consent of patients. The power can only be used to support medical purposes that are in the interests of patients or the wider public, where consent is not a practicable alternative, and where anonymised information will not suffice. It is intended largely as a transitional measure whilst consent or anonymisation procedures are developed, and this is reinforced by the need to review each use of the power annually.

A new group, The Patient Information Advisory Group’s (PIAG), has been set up to advise the secretary of state on regulations which should be made. The advice must be published, and the resulting regulations must be laid under affirmative process, that is, debated in parliament by each house.

Because data is currently used without consent in many hundreds of projects, it has been agreed that “class support” regulations should be developed, since it will clearly not be practicable to deal with every research or epidemiology study individually. The first regulations, which cover the work of cancer registries and of the Public Health Laboratory Service (PHLS), came into effect in June 2002.18

Our new guidance, Research: The Role and Responsibilities of Doctors, is designed to assist medically qualified researchers in maintaining high standards.16 But the GMC’s remit relates to the conduct of individuals; we have no wider powers to take action to promote high standards or to respond to fraud or misconduct which is not directly attributable to a registered medical practitioner. There is therefore an urgent need for a central agency for research integrity to be set up. One of us (CC) has already argued19 for a small national body to be established for this purpose. All organisations undertaking medical research would be required to report regularly all complaints received and the action taken. The national office could then audit this information, in other words act as the agency for quality assurance in this area. It could also act as a resource for advice on good practice and how to deal with specific complaints where necessary.


Confidentiality of data will no doubt remain a difficult issue. But the problems arising from records collected in the past should not deflect us from better practice in the future. Another part of the problem may be resolved by moving away from a legalistic view of consent. The Independent Review Group’s report on Retention of Organs at Post Mortem has proposed that the legal concept of consent be removed from seeking agreement by parents to the retention and use of organs after death, of a child.15 This is because parents’ right to consent is accorded to enable them to make decisions in the best interests of their children, a consideration which is meaningless after the death of a child.

The Bristol inquiry made complementary, but different recommendations20 in relation to consent to treatment. The report recommends that:

The process of consent should apply not only to surgical procedures but to all clinical procedures and examinations which involve any form of touching. This must not mean more forms: it means more communication.

Again, the focus must be on giving information, providing choice, and respecting patients’ autonomy—not on completing the paperwork.

Perhaps, like the Independent Review Group in Scotland, we should also consider whether “consent” with its silent overtones of “fully informed” or “valid”, and the spectre of forms and paperwork is really appropriate in the context of obtaining permission to use information for research, audit, administration, and for many other worthwhile purposes. We cannot meaningfully give consent to the use of our data in future research projects which have not yet been identified; nor can we necessarily envisage the administrative hoops through which information about ourselves may be put.

Moving away from “consent” should not in any way be taken to imply a lesser need to give patients information and choices, and to respect their rights to privacy and autonomy. But, by moving to a term such as “authorise”, we can more freely seek agreement to use of data which is based on the appropriate principles of protecting privacy and autonomy—rather than by trying to use the model of consent to treatment, which at root serves to protect doctors against charges of assault or maim.

We would be able to devise systems enabling people to agree—if they wish—to the use of their data for broad purposes, such as teaching or audit, without identifying in detail what this will involve. Similarly, it may be reasonable to discuss with patients the storage and use of data for research where the specific project has not yet been identified. It might also alleviate, if not resolve, problems about validity—how long agreement of this kind might last. Under this model we might ask people to specify whether they wanted to reconfirm their agreement after a specified period, or never.


These are some of the ways of resolving the apparently intractable opposition of those who regard privacy and autonomy as rights, and those who see them as pragmatic means to an end. Respect for autonomy, and communicating with patients are valuable in themselves, and in their effect on standards of care. This paper proposes some means of achieving these objectives. Other solutions and means of engaging people in decisions about how their data may be used can surely be found.


Alistair Kent said we need to look for good solutions, not perfect ones, in this difficult area. Was there another way forward? One possibility might be to give people the ability to opt out of having their records shared. This might be enough to protect doctors and make everyone happy. John Harris said one person’s autonomy ends where another person’s autonomy begins. The question should be asked: does your autonomy cause harm to others? Is that not the key to this debate on sharing patient records? What if individuals want to opt out and that harms the common good? It was felt by Cyril Chantler that individuals should have the right to opt out.

Martin Bobrow pointed out that patient confidentiality is broken all the time from the point of view of x rays, notes etc being passed around through medical secretaries, receptionists, and so on. No one seemed to be getting excited about that, so why apply different rules for research? Cyril Chantler said it was different. He pointed out that all we are talking about is asking the patient if they mind information being shared outside the clinical team. He also suggested that the sooner the medical profession can provide patients with access to all the notes kept on record about them, the better for building trust. Martin Bobrow said that asking for consent has cost implications, not least because to get informed consent takes time. Doctors are already straining under their workloads. Cyril Chantler felt that by spending a little time at the outset explaining things to the patient and getting informed consent, including for the use of data in research, you might save yourself a lot of time later on.

Onora O’Neill wondered how could we go in for non-documented consent in the face of an increasingly litigious culture? The answer is to build in good practice. For example, discuss things with, or in the presence of, another member of the clinical team. This may also enhance the conversation. You might also dictate letters of referral in front of the patient and then send them a copy of that letter later on.

On the subject of patients opting out of medical research and record sharing, it was suggested that we would need more information about the population that is opting out. It was suggested that the vast majority would not opt out, but the principle was agreed.

A representative from the patients’ association, Patients Voice, said how inspiring they had found the discussion. It was refreshing to hear doctors calling for more and better communication, building trust, and decreasing public fear. So often all the association heard about was fear and misgiving. Cyril Chantler pointed out that that there has been a marked change in medical education and that enormous effort was now put into teaching communication skills. Progress is being made, particularly amongst younger doctors. The responsibility for good communication, as part of patient care, is that of every single doctor and nurse.

Julian Peto returned to the use of medical data for research and complained that the law is distorting the whole process—for example, in cancer registration. The Data Protection Act and the new application of common law were destructive. The involvement of lawyers has been catastrophic. He called for a public debate on what is desirable in patient confidentiality.

Further discussion concluded that the Data Protection Act is being distorted and that there is a fear of lawyers, which is making doctors uncomfortable. The effect is to destroy valuable medical research in this country. The GMC was asked if new guidelines should be produced on data use. A final comment was made that although, in theory, things should not have changed since the introduction of the Data Protection Act 1998, in practice they have.

Margaret Brazier pointed out that laws affecting doctors have developed in a haphazard manner and not for the benefit of doctors. We are now suffering because of that. We need to expose young doctors to the law from the start, and we are facing an increasingly litigious culture in the NHS. Is it too late to go back?


This paper includes the personal views of the authors as well as the policies of the GMC.


View Abstract

Request permissions

If you wish to reuse any or all of this article please use the link below which will take you to the Copyright Clearance Center’s RightsLink service. You will be able to get a quick price and instant permission to reuse the content in many different ways.