Exceptional circumstances might override the duty to maintain confidentiality. These include situations when there is a serious public health risk or risk of harm to other individuals, or when information is required by the police for crime and taxation purposes. Deciding whether to disclose information about a patient to prevent crime or injury can be difficult. However, exemption in the Data Protection Act 2018 that allows personal information to be given out for these purposes [1,2]. This exemption does not cover disclosure of all personal information in all circumstances. It only allows the release of personal information for the stated purposes and, in the cases of crime, only if not releasing it would be likely to prejudice (i.e. significantly harm) any attempt by the police to prevent crime or catch a suspect.
Consider each request for information according to the seriousness of the crime, the risks that involve the public and the reasons for the request before disclosing patient information.
Ask for any request to be made in writing and signed by someone of sufficient authority, unless there is an immediate risk of harm to an individual’s life or to public health and safety, in which case a verbal request can be made and followed up in writing.
Ensure that someone of a senior level within the practice makes the decision to release information as the data controller must be prepared to defend, their decision, if challenged.
NB: A data controller is under no obligation to disclose personal information to a third party unless there is a statutory obligation or a court order.
Disclose only information that is necessary for the stated purposes, and ensure that the requester is who they say they are (e.g. check warrant cards).
Only disclose information to the police if not providing the information would be likely to prejudice (i.e. significantly harm) any attempt by the police to prevent crime or catch a suspect; examples include:
- to aid identification of a body (however, the police must have a body and not simply be seeking information for a possible identification in the future)
- if a driver has committed an offence under the Road Traffic Act (1998)
- to provide information that relates to the Terrorism Prevention and Investigation Measures Act (2011)
- if a patient is evading NHS charges and thus committing fraud (if you are involved in providing evidence in such a case you would not be breaching confidentiality if directed by the authorities to release the information).
In routine tax enquiries from HM Revenue and Customs you might be asked to provide appointment books or patient records; in the absence of a court order, anonymise these books and records.
Record, in a disclosure register, details of the information disclosed in response to a request.
Refer to guidance from the (UK) Information Commissioner’s Office for brief details of what to consider in the event of a request [3].
If you are in doubt about whether to disclose information to a third party, seek advice from defence organisation before you act.
NB: It might be necessary to ask the police to produce a court order before information is disclosed.