
Shared Insights: Confidentiality and medical records

26 January 2021

These insights were shared at our fortnightly online forum for NHS professionals on 26 January 2021. To find out more please visit our Shared Insights hub.

Charlotte Harpin, Partner at Browne Jacobson, spoke about the key legal principles that apply when processing requests for access to confidential information and gave some practical tips on how to deal with issues that might arise when Trusts are dealing with complex information requests.

Marilyn Whittle, Head of Legal and Governance at Sheffield Children’s NHS Foundation Trust, joined to tell us some of the in-house complexities of dealing with confidentiality and disclosure of information to third parties such as the police.

Charlotte and her team have produced a checklist for healthcare providers to use as a framework for making decisions about sharing confidential information. 

The Shared Insights were:

  • Confidentiality is a common law obligation and so is not defined in legislation. If you are entrusted with confidential information, you must keep it confidential unless the person to whom the information relates has provided consent to disclose it or there is a legal obligation to disclose (e.g. a Court order) or it is in the public interest to do so. The public interest test is fact specific and involves a balancing exercise.
  • The Data Protection Act 2018 (DPA) provides a legislative framework for processing requests for health records but only covers living patients. The Access to Health Records Act 1990 (AHRA) covers requests for patients who are deceased. Remember that confidentiality survives death, so you can still breach confidentiality even when a patient is deceased.
  • There is quite a lot of guidance around confidentiality in the health sector, e.g. the Caldicott Principles which are interwoven with the DPA although there are some subtle differences. The take home point is that all health information is confidential information so support staff and clinicians need to be really aware of this and understand how to use it.
  • Although confidentiality focuses on the restriction of sharing information, it should not be a barrier to sharing information where there is a valid reason to do so. Generally speaking, if there is a good basis for sharing information, you should be able to do so, but it needs to be done in a safe way and with a valid rationale.
  • To support staff who are dealing with requests for information, we have produced the attached Checklist. You may need to tailor the Checklist to the specific systems used within your Trust, but as a starting point it sets out principles and issues that should be considered when processing requests for confidential information. Browne Jacobson can help you to produce a more detailed checklist, more tailored to your organisation, to sit alongside your Trust policies and procedures. Please get in touch if you would like us to do that.
  • There are three top practical tips to keep in mind:
    • Training – this is a complex area of law and ongoing training for staff is important. Browne Jacobson can help with this, either by advising on your existing training packages for staff or delivering training remotely or in person.
    • Asking for help – do not be afraid to ask for help or a second opinion as there is a degree of judgment involved in deciding what to disclose when documents are requested. It is also ok to ask the person making a request for disclosure of confidential information for further information about what they actually require. There are lots of instances where there might be a specific legal framework to guide you when dealing with requests. For instance, although police requests will often be made under the DPA 2018, there are also other specific pieces of legislation that may be used in certain circumstances and which you may not be familiar with. The onus should be on the requesting body to make the basis for the request clear.
    • Ensure that the decision is documented – write down what you have disclosed and the rationale for why you have disclosed it. If asked (for example by the ICO) it helps if you can say what has been disclosed and why.

Marilyn Whittle explained that Sheffield Children’s NHS Foundation Trust commonly deal with requests under three main areas:

  1. Requests for information about a child in the context of a family dispute - for example requests from parents over the phone such as Dad asking for letters that have only gone to Mum where the child’s parents are not together. These cases can be complex, but the starting point is that unless there is a clear court-based decision about removing or restricting parental responsibility, both parents have equal parental responsibility and are entitled to information on their child. The Trust has provided training to medical secretaries on this issue and reminded them that where there is a dispute between the parents, requests should be sent to the Subject Access Request department to be processed in accordance with the Trust policy.

    Remember that even where both parents have parental responsibility there may be circumstances where the mother is in a place of safety and her address must not be disclosed to the father. Normally we would copy the letter to the father but with the mother’s address and phone numbers blanked out. It is important to think about IT systems and alerts to flag this to the secretary typing the letter, as an inadvertent disclosure of the address could have a catastrophic outcome.

  2. Police requests - commonly in the Emergency Department and ICU e.g. requests for all the records and statements and items forming the chain of evidence. Don’t underestimate how intimidating it can be for staff when police are demanding information. We often see requests which are broad and/or vague. It is fine to ask for clarification of a request in writing. Again, the Trust has done lots of training with clinical staff on how to deal with police requests.

    Marilyn explained that the Trust has advised staff to provide statements in writing and keep a copy or, if a verbal statement is given to police, to go to a quiet room afterwards and write down what they can remember sharing so there is a record of what they have said and what confidential information was shared with the police.

    The Trust has also worked with the local police to raise awareness that clinicians can’t just hand over items in the middle of a resuscitation, but staff can ensure they keep those items and provide them after the event once the issues around confidentiality have been considered.

    The police now make their requests through the Legal Department rather than approaching staff direct. The Trust asks the police to explain why they need items urgently or whether requests can be prioritised as routine. If for example they need the information to charge someone the Trust will deal with it as quickly as possible.

  3. Requests in the context of Safeguarding Concerns - Marilyn’s team get a lot of calls from staff about what they can share with social workers and schools. Sometimes they need the whole of the record, but sometimes they might just need one section. Social workers often don’t know exactly what information they require. Marilyn explained that in this situation she seeks advice from the Trust’s Caldicott Guardian but if she isn’t sure she will seek advice from Browne Jacobson.

    Speak to the parties that frequently request confidential information, such as the police, and work with them to set up a process with nominated contacts at the Trust for any requests. Building relationships and having a mutual understanding is key.

Third Party Information

  • Redaction of confidential information relating to third parties can be necessary to meet confidentiality requirements when responding to an information request, as well as to ensure that the applicable legislative framework (e.g. the DPA) is adhered to.
  • This is a balancing act as to whether it is fair to disclose that third party information or not.
  • If the person you release the notes to questions the redactions, you can then review the position again. Make sure you are documenting what you have done and the rationale for it. A couple of lines is sufficient. If a complaint is subsequently made to the ICO you can show that decision making process.

Disclosure to family where the patient does not have mental capacity

  • As much as possible it is about understanding a patient’s wishes and their care and who is going to have access to their information before they become deceased or incapacitated. Obviously, that is not always possible.
  • Remember that capacity is decision specific. The fact someone lacks capacity in one area doesn’t mean they lack capacity in relation to accessing their information. You should try to support the patient to make the decision for themselves and if they are assessed not to have capacity to do so then make sure this is documented in the medical records.
  • Do not simply rely on the “next of kin” named in the medical records! This has no legal status and can suggest one person has legal control over matters like access to information, to the exclusion of others who also have a legitimate interest.
  • If the patient does not have capacity, is there someone who has the legal right to make that decision on their behalf, e.g. under a power of attorney? Even then you might want to seek advice – there can be different powers of attorney and you need to make sure it covers what is being requested.
  • If not, you will need to make a best interests decision. Think outside the next of kin label where you are looking at that type of situation – be aware of who else might need to be involved in decision making.

Where disclosure will cause harm to the patient

  • The starting point is that notwithstanding someone having a mental health condition they are entitled to their information.
  • There are exceptions that enable you to withhold information where there is a clinical view that disclosure will cause harm. If you think that the disclosure has the potential to cause harm, you need to get a clinical view of someone involved in treating that individual.
  • Take a proportionate view. Trusts should be facilitating disclosure where possible. Think about how to enable access in practical terms - perhaps enable access with a clinician present, to help the patient understand those records. If you have concerns, I would recommend you seek legal advice as it can be complex and needs to be dealt with on a case by case basis.

One issue that has arisen because of COVID-19 is that Trusts have a lot of people coming onto site who aren’t employees or permanent workers, e.g. to administer vaccines or work as volunteers or on ICU. You can’t assume they have the same understanding / awareness about internal processes. IG is one of those areas we need to think about with temporary workers, in particular consider:

  • what people are coming in to do
  • what they have access to and whether that is appropriate
  • whether they are aware of IG issues
  • whether they know how to report breaches
  • provision of appropriate and proportionate IG training for those coming in on a temporary basis.

Browne Jacobson are available to support Trusts with Information Governance and confidentiality. Please see the attached information on how we can help.
