Patient confidentiality

Under the Data Protection Act 1998, you have a right to know who holds personal information about you. This person or organisation is called the Data Controller. In the NHS, the data controller is usually your local NHS board and your GP surgery.

What is my personal health information?

It is information that identifies you. It includes things like your name, address, date of birth, and postcode. It can be linked to, for example:

  • information about any care and treatment you have received
  • information about your health and lifestyle, and
  • results of tests you have had

How and where is my personal health information kept?

It is kept in records. Records can be written on paper, held on computer or both. Records are stored securely in different parts of the NHS.

  • You have a record at your GP surgery.
  • If your GP refers you to a hospital, the hospital will keep a record there.
  • Records can also be held in other places, for example, at your dental surgery or at a clinic you have been to.

The NHS is storing more and more of your personal health information on computer. Eventually all your records may be held on computer. This will make it easier for NHS staff to share information about you so that you get the treatment you need, wherever you are.

Your electronic (computer) record will be stored securely. Only staff who are involved in your care will be able to look at your record. And it will be possible to check who has looked at your electronic record.

How does the NHS keep my personal health information confidential?

  • All NHS staff have a legal duty to keep information about you confidential.
  • The NHS stores your personal health information securely.
  • Only relevant information is shared inside the NHS or with outside organisations.
  • The NHS will not give information about you to organisations such as benefits agencies, employers or the media without your permission.

How is my personal health information used?

NHS staff use your information to give you the care and treatment you need. They will share relevant information with other NHS staff involved in your care. This makes caring for you safer, easier and faster.

For example, information is shared if:

  • your GP refers you to a hospital
  • you are moved from one hospital to another
  • you need support at home, such as a visit from a district nurse

How else does the NHS use information about my health?

The NHS uses relevant information about your health to help improve NHS services and the health of the public. The NHS may use it, for example:

  • to find out how many people have a particular illness or disease
  • to look at how safe and effective a treatment is, for example, flu vaccinations
  • to check that the NHS is providing a good service
  • for research

When the NHS uses information about you, your name, address and other information that identifies you are removed wherever possible. Sometimes the NHS uses information that does identify you. If they do this, they will usually explain how and why your information will be used. If they want to use information that identifies you for teaching or research, they must ask your permission first.

If you don’t want the NHS to use your information to help improve public health and NHS services, you can object.

When can my personal health information be shared outside the NHS?

Your personal health information may be given to other people who need to know relevant information about your health – for example a carer, a home help, or a social worker. Usually, it will only be given to them if:

  • you have agreed, and
  • they need it to be able to give you care and treatment

Usually the NHS will not share your personal health information with people such as a relative, carer or friend without your permission. However, there are exceptions:

  • If you are a child, and your doctor doesn’t think you can make decisions about your health care, someone with parental responsibility for you may be allowed to see your records and discuss your care. Our leaflet ‘Confidentiality – your rights’ has more information on this.
  • If you are an adult who cannot make decisions for yourself, or cannot tell others your decisions, the law allows someone to see your records and discuss your care, if:
    • you have given them a power of attorney, or
    • a court has given them a welfare guardianship or a welfare intervention order.

In these cases, the person allowed to see your health information:

  • will only be able to see information that is necessary for them to make particular decisions for you about your health care, and
  • will not receive information that staff feel would be harmful to your health or the health of others.

Sometimes the law allows the NHS to share your personal health information without your permission, for example, to investigate a serious crime or to protect a child.