Confidentiality Policy


This policy is in line with current legislation at the time of writing and is subject to periodic review.

In the event of any incident linked to this policy; findings of an audit that identifies a gap or a need for a review or a change of legislation impacting on this policy, the policy will be updated and will supersede this policy.

Unless there are changes to regulations that affect this policy then this policy will be reviewed on an annual basis.


The purpose of this policy is to provide guidance for staff and assurance to patients that Hall Green Health is committed to continually providing high quality healthcare for all patients and supporting the staff who provide this care. The aim of the policy is to provide staff with a framework of understanding of the concepts involved when we consider the issues of confidentiality in dealing with people and including the specific issues with teenagers.

All patients regardless of age, gender, ethnic background, culture, cognitive function, or sexual orientation have the right to have their privacy and dignity respected.


This policy applies to all employees of Hall Green Health, contractors, seconded staff, placements, and agency staff.

Roles, rights, and responsibilities

All staff

All healthcare professionals are placed at the heart of the patient consultation and, therefore, electronic and paper records.

They need to know how to maintain and store these records, digital and paper records, securely, so that they are contemporaneous, accurate, and confidential.

They also need to understand when it is appropriate to share information from the practice and with whom.

All staff must:

  • Sign a confidentiality agreement on commencing employment at Hall Green Health, to confirm they have read, understood and agreed to abide by the practice’s confidentiality protocol see Annex A – Confidentiality Agreement.
  • Always endeavour to maintain patient confidentiality.
  • Handle patient information received from another provider sensitively and confidentially.
  • Store and dispose of confidential information in accordance with the General Data Protection Regulation 2018 and the Department of Health’s Records Management Code of Practice (Part 2).
  • Not access confidential information about a patient unless it is necessary as part of their work.
  • Not remove confidential information from the premises unless it is necessary to do so to provide treatment to a patient, the appropriate technical safeguards are in place and there is agreement from the Information Governance lead (Operational Manager) or Caldicott Guardian.
  • Contact the information governance lead or Caldicott Guardian if there are barriers to maintaining confidentiality.
  • Report any loss, inappropriate storage or incorrect disclosure of confidential information to the Information Governance lead or Caldicott Guardian.
  • If applicable, document, copy, store and transfer information in the ways agreed with other providers.
  • Comply with the law and guidance/codes of conduct laid down by their respective regulatory and professional bodies.

All staff must not:

  • Discuss confidential information with colleagues without patient consent (unless it is part of the provision of care).
  • Discuss confidential information in a location or manner that allows it to be overheard or on internet forums or social networking sites.
  • Post defamatory or derogatory comments on internet forums or social networking sites relating to a patient, the practice or staff members. Doing so could result in disciplinary action and legal action.
  • Allow confidential information to be visible in public places.
  • Share passwords.
  • Access their own or family members records unless express consent is held.

If a staff member is in doubt of the above, they should seek assistance from their line manager.

It is usual for a breach of confidentiality to result in disciplinary action, which could result in summary dismissal.

Information Governance Lead

To update the policy, ensure that it is aligned with national guidelines, distribute appropriately, and ensure that staff are trained at induction and at regular intervals so that they are aware of the principles of confidentiality in dealing people and especially with teenagers and the content of the practice policy.

Partners and Managers

Hall Green Health will:

  • Ensure that confidential information can be stored securely on the premises and that there are processes in place to guarantee confidentiality.
  • Make sure that all individuals to whom this protocol is relevant to have confirmed that they have read and understood this protocol (via iLearn TeamNet module)
  • Review and update this protocol on a regular basis.

Principles of this policy

This policy adheres to local and national guidance and policy including the NHS Essence of Care 2010 and the Department of Health Confidentiality NHS Code of Practice.

Storing and maintaining primary healthcare records

  • We are aware that all GP premises have to securely store written and digital patient records.
  • Digital records are protected by our software provider, but we also ensure that we make appropriate safeguards when accessing computer systems, such as smartcard security, username, and password protection.
  • Paper records are only accessible to appropriate staff and locked securely when not in use.

Sharing patient details

The GMC (General Medical Council) have set out the principles of what is appropriate when patient details should, should not, and can be shared. We therefore adhere to the following principles:

  • Use the minimum necessary personal information. Will use anonymised information if it is practicable to do so and if it will serve the purpose.
  • Manage and protect information. Make sure any personal information we hold, or control is effectively protected at all times against improper access, disclosure, or loss.
  • Aware of our responsibilities. We will develop and maintain an understanding of information governance that is appropriate to our role.
  • Comply with the law. We will be satisfied that we are handling personal information lawfully.
  • Share relevant information for direct care in line with the principles in this guidance unless the patient has objected.
  • Ask for explicit consent to disclose identifiable information about patients for purposes other than their care or local clinical audit unless the disclosure is required by law or can be justified in the public interest.
  • Tell patients about disclosures of personal information you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure. We will keep a record of our decisions to disclose, or not to disclose, information.
  • Support patients to access their information. Respect, and help patients exercise, their legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.

We are aware of the explicit and implicit consent principles.

However, exceptions to the rules of explicit and implicit patient consent do exist and include:

  1. Where a patient lacks capacity to consent, but the disclosure of information is in their best interests.
  2. Where information has been requested as part of legal proceedings by court order or to prevent or detect crime, such as by coronial request.
  3. Where the disclosure is in the public interest, such as prevention of a serious crime.
  4. Where the information relates to public safety or public health, for example in the case of notifiable communicable diseases.
  5. Where we have reason to believe that seeking consent would put ourselves or others at serious risk of harm.

Advice relating to these disclosures will be sought from our local Caldicott Guardian, Data Protection Officer, or legal indemnity provider, depending on the situation.

Confidentiality and teenagers

We have the same duties of confidentiality when using, sharing, or disclosing information about children and young people as about adults. We will therefore:

  • Disclose information that identifies the patient only if this is necessary to achieve the purpose of the disclosure.
  • Inform the patient about the possible uses of their information, including how it could be used to provide their care and for clinical audit.
  • Ask for the patient’s consent before disclosing information that could identify them, if the information is needed for any other purpose, other than in the exceptional circumstances.
  • Keep disclosures to the minimum necessary.

Sharing information with the consent of a child or young person

Sharing information with the right people can help to protect children and young people from harm and ensure that they get the help they need.

Sharing information without consent

If a child or young person does not agree to disclosure, we are aware that there are still circumstances in which you should disclose information these include:

  • When there is an overriding public interest in the disclosure.
  • When you judge that the disclosure is in the best interests of a child or young person who does not have the maturity or understanding to make a decision about disclosure.
  • When disclosure is required by law.

Public interest

A disclosure is in the public interest if the benefits that are likely to arise from the release of information outweigh both the child or young person’s interest in keeping the information confidential and society’s interest in maintaining trust between doctors and patients.

We will make this judgement case by case, by weighing up the various interests involved and taking advice from the Caldicott Guardian.

When considering whether disclosure is justified:

  • Tell the child or young person what you propose to disclose and why, unless that would undermine the purpose of the disclosure or place the child or young person at increased risk of harm.
  • Ask for consent to the disclosure, if you judge the young person to be competent to make the decision, unless it is not practical or appropriate to do so.

If a child or young person refuses consent, or if it is not practical or appropriate to ask for consent, we will consider the benefits and possible harms that may arise from disclosure. We will disclose information if this is necessary to protect the child or young person, or someone else, from risk of death or serious harm. For example, if:

  • A child or young person is at risk of neglect or sexual, physical, or emotional abuse.
  • The information would help in the prevention, detection, or prosecution of serious crime.
  • A child or young person is involved in behaviour that might put them or others at risk of serious harm, such as serious addiction or self-harm.

If we judge that disclosure is justified, we will disclose the information promptly to an appropriate person or authority and record our discussions and reasons. If we judge that disclosure is not justified, we will record our reasons for not disclosing.

Disclosures when a child lacks the capacity to consent

When a child who lacks the capacity to consent shares information with us on the understanding that their parents are not informed, we will try on these occasions to persuade the child to involve a parent in such circumstances.

If they refuse and we consider it is necessary in the child’s best interests for the information to be shared (for example, to enable a parent to make an important decision, or to provide proper care for the child), we will disclose information to parents or appropriate authorities. We will record our discussions and reasons for sharing the information.

Disclosures required by law

We will of course disclose information as required by law. For example, disclosure of information when directed to do so by a court.


Employees will be made aware of this policy via TeamNet.

Patients will be made aware of this policy using patient leaflets and on the practice website.


All staff will be given training on confidentiality in dealing with teenagers at induction and at regular intervals thereafter.

Any training requirements will be identified within an individual’s Personal Development Reviews. Training is available in the Training module within TeamNet.

Equality and diversity impact assessment

In developing this policy, an equalities impact assessment has been undertaken. An adverse impact is unlikely, and on the contrary the policy has the clear potential to have a positive impact by reducing and removing barriers and inequalities that currently exist.

If, at any time, this policy is considered to be discriminatory in any way, the author of the policy should be contacted immediately to discuss these concerns.

Monitoring and reporting

Monitoring and reporting in relation to this policy are the responsibility of the practice manager.

The following sources will be used to provide evidence of any issues raised:

  • PALS.
  • Complaints.
  • Significant and learning events.

Any incidents relating to confidentiality in dealing with people and teenagers will be monitored via incident reporting.


Internal Links

External Links

Annex A – Confidentiality Agreement

Page last reviewed: 29 December 2023