Dr Maria Dyban visits some important aspects of GMC 2017 confidentiality guidance and highlights resources available to help with both familiar and challenging situations


Read this article to learn more about:

  • questions to ask to explore the legal basis for a disclosure
  • how patient information may be used
  • where to find support for particular situations
  • doctors’ responsibilities in managing and protecting information.

Revised General Medical Council (GMC) confidentiality guidance came into effect on 25 April 2017,1 replacing the 2009 guidance. The core principles (see Box 1) remain the same and are aligned with the Caldicott principles of health and social care.2 The new guideline gives emphasis to particular clinical situations and is more user-friendly. The latest version is available online, as is a brief summary, What’s changed, which provides an overview of updates to the previous guideline.3

Box 1: The main principles of this guidance1

The advice in this guidance is underpinned by the following eight principles:

  1. Use the minimum necessary personal information. Use anonymised information if it is practicable to do so and if it will serve the purpose. 
  2. Manage and protect information. Make sure any personal information you hold or control is effectively protected at all times against improper access, disclosure or loss.
  3. Be aware of your responsibilities. Develop and maintain an understanding of information governance that is appropriate to your role.
  4. Comply with the law. Be satisfied that you are handling personal information lawfully.
  5. Share relevant information for direct care in line with the principles in this guidance unless the patient has objected.
  6. Ask for explicit consent to disclose identifiable information about patients for purposes other than their care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest.
  7. Tell patients about disclosures of personal information you make that they would not reasonably expect, or check they have received information about such disclosures, unless that is not practicable or would undermine the purpose of the disclosure. Keep a record of your decisions to disclose, or not to disclose, information.
  8. Support patients to access their information. Respect, and help patients exercise, their legal rights to be informed about how their information will be used and to have access to, or copies of, their health records.

General Medical Council (GMC). Confidentiality: good practice in handling patient information. Manchester: GMC, 2017. Paragraph 8. Available at: www.gmc-uk.org/Confidentiality_good_practice_in_handling_patient_information___English_0417.pdf_70080105.pdf

The updated guideline focuses on the reasons for disclosure, the practical application of the principles, and aims to cover a variety of clinical scenarios. It was informed by enquiries from practitioners and patients, as well as consultations with the British Medical Association, medical defence organisations, professional bodies, and Royal Colleges, among others.4

Much of the detail of the new guideline is arranged in four sections, which represent the legal bases for the principles and circumstances of disclosures:1,3

  • using and disclosing information for direct patient care
  • disclosures for the protection of patients and others
  • using and disclosing patient information for secondary purposes
  • managing and protecting information.

The last section has been greatly expanded compared with the 2009 guideline and imposes professional obligations relating to clinical governance and data protection.

In addition to the core document, explanatory guidance was created to cover specific situations where decisions can be particularly difficult.5 There are also case studies, vignettes, and short scenarios that can be explored to aid practical application of the core and the explanatory guidance.6

The legal annex has been expanded and refers to relevant sections of the legislation, regulations, and common law.1,7,8

The new decision-making flowchart (see Figure 1)9 was created to guide doctors through the right sequence of questions and provides the legal basis for the disclosure. The new guidance can also be accessed via the My GMP app10 online and offline.

GMC flowchart designed to help healthcare professionals decide whether personal information needs to be disclosed and, if so, what the justification is for doing so

Figure 1: Confidentiality flowchart

Adapted from: GMC. Confidentiality: good practice in handling patient information (2017)

Reproduced with permission.

Framework and core guidance

The new guidance maintains the framework for disclosure of patients’ information (see Box 2 for extracts).

Box 2: When you can disclose personal information1

Confidentiality is an important ethical and legal duty but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies:

  • the patient consents, whether implicitly for the sake of their own care or for local clinical audit, or explicitly for other purposes (see paragraphs 13–15*)
  • the disclosure is of overall benefit to a patient who lacks the capacity to consent (see paragraphs 41–49*)
  • the disclosure is required by law (see paragraphs 17–19*), or the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality (see paragraphs 20–21*)
  • the disclosure can be justified in the public interest (see paragraphs 22–23*).

When disclosing information about a patient you must:

  • use anonymised information if it is practicable to do so and if it will serve the purpose
  • be satisfied the patient:
    • has ready access to information explaining how their information will be used for their direct care or local clinical audit, and that they have the right to object
    • has not objected
  • get the patient’s explicit consent if identifiable information is to be disclosed for purposes other than their direct care or local clinical audit, unless the disclosure is required by law or can be justified in the public interest
  • keep disclosures to the minimum necessary for the purpose
  • follow all relevant legal requirements, including the common law and data protection law.

* Paragraph numbers refer to the source guidance

General Medical Council (GMC). Confidentiality: good practice in handling patient information. Manchester: GMC, 2017. Paragraphs 9 and 10. Available at: www.gmc-uk.org/Confidentiality_good_practice_in_handling_patient_information___English_0417.pdf_70080105.pdf

The core guidance is based on three purposes for information disclosure, as follows.

Disclosure for direct patient care

The guidance maintains that doctors must seek explicit consent for disclosure of information other than for direct care or audit, unless it is required by law or justified in the public interest.

The new guidance gives clear criteria for when doctors can rely on implied rather than explicit consent (paragraphs 27–29).1

There is a new requirement at paragraph 31 to explain to the patient the potential consequences of refusing to allow information about them to be shared with other professionals for providing them with direct care. It includes exploring the reasons for the refusal as well as considering compromise. Practitioners must, however, abide by the patient’s wishes, unless disclosure would be justified in the public interest.1

There is also a new statement that advises doctors to acknowledge the roles and views of those close to the patient who provide support and care. The guideline states at paragraphs 39–40 that confidentiality is not a reason to refuse to listen to views of people who are close to the patient. It also advises doctors (at paragraph 35) to ascertain the wishes of patients early on to avoid disclosures that patients may object to.1

If a patient lacks capacity to consent, the confidential information can be disclosed if making the disclosure is of overall benefit to the patient. The clinician must be satisfied that the decision is made in the patient’s best interests and consider following the steps in paragraphs 44–47 of the guidance.1

Disclosure to protect the patient and others

The guidance clarifies the factors to be taken into account when disclosing information to protect the public, as well as giving examples of when the patient can pose a risk to others. It also gives legal requirements for disclosure where an adult is at risk of harm or poses a risk to others (e.g. to prevent terrorism). There is also a responsibility (paragraph 55) to contact the appropriate authority when an adult who lacks capacity is at risk of serious harm.1

The guidance maintains the competent adult’s rights to autonomy and the right to make an unwise decision, even if it puts them (but no one else) at risk of serious harm or death. However, the information can be disclosed in exceptional circumstances where the disclosure could prevent murder, manslaughter, or serious assault, even when no one other than the patient is at risk.1,3 The guidance advises practitioners to take independent legal advice if practicable before making a disclosure without consent in such circumstances.1

Disclosure for secondary purposes

Identifiable information must be anonymised for purposes of research, commissioning, or for purposes of healthcare management where there are processes for disclosure of such information, but the consent was not sought or was denied (paragraphs 103–105).1

Candour, openness, clinical audit, and disclosure for administrative purposes

The guidance has new sections on the duty of candour (including when something has gone wrong), openness, and learning from near misses and adverse incidents (paragraphs 100–102).1

There are also new sections on clinical audit (paragraphs 96–98) and on disclosure for financial or administrative purposes (paragraph 99).1

Managing and protecting information

There is a new requirement for doctors and the staff they manage to have knowledge of information governance related to their role and to follow the data protection policies and procedures in their organisation. Doctors who are data controllers must comply with the Data Protection Act 1998, and doctors who are responsible for recruitment and management of staff must be suitably trained and comply with confidentiality and data protection (paragraphs 122–126).1

The guidance clarifies the disclosure requirements after a patient’s death, setting out circumstances in which disclosure is mandatory and those in which disclosure or non-disclosure is reliant on professional judgment (paragraphs 134–138).1

Explanatory guidance

The explanatory guidance advises how the principles can be applied in particular situations that doctors frequently encounter or find difficult and includes advice about disclosures relating to:

  • serious communicable diseases11
  • education and training12
  • fitness to drive and reporting concerns to the Driver and Vehicle Licensing Agency (DVLA) in England, Scotland, and Wales and the Driver and Vehicle Agency (DVA) in Northern Ireland13 (NB the same principles apply to drivers and pilots of other kinds of regulated transport, e.g. rail, water, and air1)
  • reporting gunshot and knife wounds14
  • responding to criticism in the media.15

For practical information and application of the guidance on disclosure of gunshot wounds read the reflections of Dr Adrian Boyle, Consultant Emergency Physician and Caldicott Guardian at Addenbrookes Hospital in Cambridge.16


The revised 2017 guideline is easy to use and covers specific situations that practitioners frequently encounter; it should also help with particularly complicated decisions. The new decision-making flowchart should guide doctors through the steps, sequence of questions, and relevant legislation. Clinicians must act within the law and, if still uncertain whether to disclose information, they should consult the Caldicott guardian or their defence organisation, or seek independent legal advice.


  1. General Medical Council. Confidentiality: good practice in handling patient information. GMC, 2017. Available at: www.gmc-uk.org/Confidentiality_good_practice_in_handling_patient_information___English_0417.pdf_70080105.pdf (accessed 11 October 2017).
  2. Caldicott F, the Independent Information Governance Oversight Panel. Information: to share or not to share? The information governance review. Department of Health, 2013. Available at: www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf (accessed 11 October 2017).
  3. General Medical Council. What’s changed in the confidentiality guidance? GMC, 2017. Available at: www.gmc-uk.org/What_s_changed_in_the_confidentiality_guidance_FINAL.pdf_69098866.pdf (accessed 11 October 2017).
  4. General Medical Council. The review of the GMC’s confidentiality guidance. GMC, 2017. Available at: www.gmc-uk.org/Development_of_the_confidentiality_guidance_FINAL.pdf_69099168.pdf (accessed 11 October 2017).
  5. General Medical Council. Confidentiality: good practice in handling patient information (2017). Read the guidance. Explanatory guidance. GMC, 2017. www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp (accessed 11 October 2017).
  6. General Medical Council. Confidentiality: good practice in handling patient information (2017). Learning materials. GMC, 2017. www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp (accessed 11 October 2017).
  7. General Medical Council. Confidentiality: good practice in handling patient information (2017). Legal annex. Available at: www.gmc-uk.org/guidance/ethical_guidance/30626.asp (accessed 11 October 2017).
  8. General Medical Council. Confidentiality: good practice in handling patient information (2017). Key legislation factsheet. Available at: www.gmc-uk.org/guidance/ethical_guidance/30694.asp (accessed 11 October 2017).
  9. General Medical Council. Confidentiality: good practice in handling patient information (2017). Confidentiality flowchart. GMC, 2017. Available at: www.gmc-uk.org/Confidentiality_flowchart_standalone.pdf_70139444.pdf (accessed 11 October 2017).
  10. General Medical Council. My GMP app. www.gmc-uk.org/guidance/MyGMP.asp (accessed 11 October 2017).
  11. General Medical Council. Confidentiality: disclosing information about serious communicable diseases. GMC, 2017. Available at: www.gmc-uk.org/guidance/ethical_guidance/30672.asp (accessed 11 October 2017).
  12. General Medical Council. Confidentiality: disclosing information for education and training purposes. GMC, 2017. Available at: www.gmc-uk.org/guidance/ethical_guidance/30660.asp (accessed 11 October 2017).
  13. General Medical Council. Confidentiality: patients’ fitness to drive and reporting concerns to the DVLA or DVA. GMC, 2017. Available at: www.gmc-uk.org/guidance/ethical_guidance/30652.asp (accessed 11 October 2017).
  14. General Medical Council. Confidentiality: reporting gunshot and knife wounds. GMC, 2017. Available at: www.gmc-uk.org/guidance/ethical_guidance/30677.asp (accessed 11 October 2017).
  15. General Medical Council. Confidentiality: responding to criticism in the media. GMC, 2017. Available at: www.gmc-uk.org/guidance/ethical_guidance/30682.asp (accessed 11 October 2017).
  16. General Medical Council blog. Revised gunshot and knife wounds guidance: my view from A&E. GMC, 2017. Available at: gmcuk.wordpress.com/2017/07/19/new-gunshot-and-knife-wounds-guidance-my-view-from-ae/ (accessed 11 October 2017).