The reasons for the policy:

  • All information held at the practice about patients is confidential, whether held electronically or in hard copy
  • Other information about the practice (for example its financial matters) is confidential
  • Staff will by necessity have access to such confidential information from time to time


The policy applies to all employees and partners, and also applies to other people who work at the practice e.g. self-employed staff, temporary staff and contractors (all collectively referred to as ‘staff’ below).

This does not include situations which are covered under existing safeguarding legislation, under which there may be a duty to disclose information in certain circumstances.

These are:

  • If we are concerned about the safety of a child (someone under the age of 18, this may be the client)
  • If we are concerned about the safety of a vulnerable adult (A person aged 18+ whose physical or mental condition makes them particularly vulnerable)
  • The patient is acting, or likely to act, in a way that could cause serious harm to him or herself, or put others at risk of harm
  • There is the possibility of serious risk to a particular person or persons, or to the public in general
  • Information relating to an act of terrorism or money laundering is disclosed

In these cases the patient must be stopped if possible before the disclosure and warned that the practice’s confidentiality policy ceases in these circumstances, and that if disclosure is made then the practice will be bound to report the matter to the appropriate authorities.


  • Staff must not under any circumstances disclose patient information to anyone outside the practice, except to other health professionals on a need to know basis, or where the patient has provided written consent or in situations that are covered by legislation (covered above).
  • All information about patients is confidential: from the most sensitive diagnosis, to the fact of having visited the surgery or being registered at the practice.
  • Staff must not under any circumstances disclose other confidential information about the practice to anyone outside the practice unless with the express consent of the practice manager or the individual acting as the practice manager in the practice manager’s absence.
  • Staff should limit any discussion about confidential information only to those who need to know within the practice.
  • The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.
  • Staff must be aware of and conform to the requirements of the caldicott recommendations.
  • All patients can expect that their personal information will not be disclosed without their permission (except in circumstances covered by legislation, listed above).
  • Electronic transfer of any confidential information, once approved by the practice Manager, must be transmitted via the NHSnet. Staff must take particular care that confidential information is not transmitted in error by email or over the internet.
  • Staff must not take data from the practice’s computer systems (e.g. on a memory stick or removable drive) off the premises unless authorised to do so by the practice manager.
  • Staff who suspect a breach of confidentiality must inform the practice manager immediately.
  • Any breach of confidentiality will be considered as a serious disciplinary offence and may lead to dismissal.
  • Staff remain bound by the requirement to keep information confidential even if they are no longer employed at the practice.

Responsibilities of Practice Staff

All health professionals must follow their professional codes of practice and the law. This means that they must make every effort to protect confidentiality. It also means that no identifiable information about a patient is passed to anyone or any agency without the express permission of that patient, except when this is essential for providing care or necessary to protect somebody’s health, safety or well-being.

All health professionals are individually accountable for their own actions. They should, however, also work together as a team to ensure that standards of confidentiality are upheld, and that improper disclosures are avoided.

Additionally, Northenden Group Practice, as Employers:

  • Are responsible for ensuring that everybody employed by the practice understands the need for, and maintains, confidentiality
  • Have overall responsibility for ensuring that systems and mechanisms are in place to protect confidentiality
  • Have vicarious liability for the actions of those working in the practice – including health professionals and non-clinical staff (i.e. those not employed directly by the practice but who work in the surgery)

Standards of confidentiality apply to all health professionals, administrative and ancillary staff- including receptionists, secretaries, practice manager, cleaners and maintenance staff who are bound by contracts of employment to maintain confidentiality.

They must not reveal, to anybody outside the practice, personal information they learn in the course of their work, or due to their presence in the surgery, without the patient’s consent. Nor will they discuss with colleagues any aspect of a patient’s attendance at the surgery in a way that might allow identification of the patient unless to do so is necessary for the patient’s care.

If Disclosure is Necessary

If a patient or another person is at grave risk of serious harm which disclosure to an appropriate person would prevent, the relevant health professional can take advice from colleagues within the practice, of from a professional / regulatory / defence body, in order to decide whether disclosure without consent is justified to protect the patient or another person. If a decision is taken to disclose, the patient should always be informed before disclosure is made, unless to do so could be dangerous.

If at all possible, any such decisions should be shared with another member of the practice team.

Any decision to disclose information to protect health, safety or well-being will be based on the degree of current or potential harm, not the age of the patient.