The practice complies with data protection and access to medical records legislation.

Identifiable information about you will be shared with others in the following circumstances:

  • To provide further medical treatment for you e.g. from district nurses and hospital services.
  • To help you get other services e.g. from the social work department. This requires your consent.
  • When we have a duty to others e.g. in child protection cases.

Anonymised patient information will also be used at local and national level to help the Health Board and Government plan services e.g. for diabetic care.

If you do not wish anonymous information about you to be used in such a way, please let us know.

Reception and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as the medical staff.

Freedom of Information

The ICO has published a new Model Publication Scheme that all public authorities are required to adopt.

CCTV and Telephone Calls

Please be aware that the practice premises have 24 hour CCTV monitoring in place and all telephone calls are recorded.

1. Policy

The purpose of this policy is to explain and enforce the obligations of confidentiality and non-disclosure among the employers and employees of the practice. This applies to information processed by the practice that is accessed by a member of staff.

The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in respect to the individual protected characteristics of those to whom it applies.

2. Scope

During the course of carrying out the work of the practice, employees will gain and have access to information classed as objective knowledge which relates to the affairs of the practice. This may include information relating to partners, employees, patients, contractors, business associates, suppliers, market information, contractual arrangements, dealings, transactions, policies, procedures, decisions, technology and systems.

All employees must, from the date of the commencement of their employment with the practice and after the termination of their employment with the practice, observe strict confidentiality and non-disclosure in respect of any information held by the practice, except when required or authorised to disclose such information by the practice or by law.

The reputation of the practice and the continuing ability of the practice to work effectively in the position of trust and responsibility it holds (which is also reflected in the trust and responsibility held by those persons engaged by the practice to work on its behalf) rely on confidential information being held as confidential, not improperly disclosed and only used for the purpose for which such information was gathered. Any breach of confidentiality could have major negative consequences for the practice and the practice will therefore take action against any employee who commits a breach of confidentiality.

Nothing in this policy prevents an employee or other individual making a protected disclosure under the Public Interest Disclosure Act 1998 in respect of any malpractice or unlawful conduct.

3. Definition of Terms

3.1 Confidential Information

“Confidential information” means any information processed by the practice or supplied (whether supplied in writing, orally or otherwise) by the practice or gathered by an individual in relation to the performance of his/her duties which is marked as “confidential”.

3.2 Protected Disclosure

The disclosure of unlawful conduct, malpractice or wrongdoings within the practice, commonly known as “whistle-blowing”. Protected disclosures are normally made through the practice’s whistle-blowing procedure or to an external party.

4. Confidentiality

All employees must, from the date of the commencement of employment or other form of engagement, and thereafter, observe strict confidentiality in respect of any information held by the practice, and by each individual working on behalf of the practice. This includes dealings, transactions, procedures, policies, decisions, systems and other matters of a confidential nature concerning the practice and its affairs.

Other than in the proper course of their duties, employees must not, either during or at any time after the termination of their employment, exploit or disclose confidential information. Also, employees must not, through negligence, willful misconduct or inadvertence, allow the use, exploitation or disclosure of any confidential information relating to the affairs of the practice, its patients, partners, employees, contractors, business partners or suppliers. There must be no attempt to use any confidential information in a manner that may either directly or indirectly cause, or be calculated to cause, injury or loss to the practice.

4.1 Breaches of Confidentiality

Breaches of confidentiality can happen deliberately or accidentally. A deliberate breach of confidentiality by an employee could lead to instant dismissal. An accidental breach of confidentiality is a disciplinary matter. Accidental breaches of confidentiality are most likely to happen in the following circumstances:

  • A discussion about or with a patient being overheard
  • Leaving a message for a patient, which gets picked up by someone else
  • Patient information being visible to other patients or visitors to the surgery

Practice staff should therefore be mindful of patient confidentiality at all times by:

  • Taking a patient to a room or an area in a room which is out of earshot of other people if any sensitive information is being discussed
  • Ensuring that any requests for patient information from outside the practice are legitimate requests in the patient’s best interests
  • Ensuring that members of the patient’s family or friends have been authorised by the patient to receive medical information about them and if in doubt checking with the patient’s doctor before disclosing information
  • Maintaining computer security by:
    • Ensuring that computer screens showing patient identifiable information are not visible to anyone unauthorised to see them
    • Logging out of the clinical system when away from the desk
    • Not disclosing personal passwords
  • Not leaving messages on landline answer phones and only leaving messages on patients’ mobile phones if the mobile answer phone has a personal message identifying it as the patient’s phone
  • Only sending photocopies of notes for the dates to which the patient has expressly agreed in writing
  • Deleting third party confidential information from notes photocopied for outside agencies, such as insurance companies

4.2 Non-disclosure of information

It is an obligation upon all employees during employment, or engaged under other contractual arrangements, to maintain information in confidence and not, directly or indirectly, disclose it other than for the purposes it was gathered. Any such information in the possession of an individual, either in electronic format or hard copy, shall be returned to the practice before or at the point in time that employment ceases, however such cessation occurs.

Following the cessation of employment, or other contractual engagement with the practice, an individual must not, directly or indirectly, use for gain, discuss or pass on to others confidential information that can be classed as objective knowledge in that it has been gained during the course of employment. This includes information relating to partners, employees, contractors, patients, business associates, suppliers, market information, contractual arrangements, dealings, transactions, policies, procedures, decisions, technology and systems or other matters of a confidential nature concerning the practice.

4.3 If disclosure is necessary

If a patient or another person is at grave risk of serious harm which disclosure to an appropriate person would prevent, the relevant health professional can take advice from colleagues within the practice, or from a professional / regulatory / defence body, in order to decide whether disclosure without consent is justified to protect the patient or another person. If a decision is taken to disclose, the patient should always be informed before disclosure is made, unless to do so could be dangerous. If at all possible, any such decisions should be shared with another member of the practice team.

Any decision to disclose information to protect health, safety or well-being will be based on the degree of current or potential harm, not the age of the patient.

4.4 Third-party requests for information

Any employee approached by any third party, including any media source, and asked to make any comments or provide any information relating to the practice and its affairs (or the affairs of its patients, partners, employees, contractors or any business associate) must under no circumstances respond without having sought permission and guidance from the Practice Manager.

4.5 Whistle-blowing or protected disclosures

Nothing in this policy will prevent or limit an employee in making a protected disclosure under the practice’s whistle-blowing policy, in respect of any malpractice or unlawful conduct.

Legislation in the UK was enacted by the Public Interest Disclosure Act 1998 to enable employees and other persons such as agency temporary workers to disclose genuine concerns, especially those which seem to involve unlawful conduct or malpractice. The legislation also protects them from any form of victimisation arising from making such a disclosure.

The practice’s whistle-blowing policy provides a procedure for making protected disclosures.

4.6 Responsibilities of practice staff and partners

All health professionals must follow their professional codes of practice and the law. This means that they must make every effort to protect confidentiality. It also means that no identifiable information about a patient is passed to anyone or any agency without the express permission of that patient, except when this is essential for providing care or necessary to protect somebody’s health, safety or well-being.

All health professionals are individually accountable for their own actions. They should, however, also work together as a team to ensure that standards of confidentiality are upheld, and that improper disclosures are avoided.

Additionally, the GPs at HTMG as Employers:

  • Are responsible for ensuring that everybody employed by the practice understands the need for, and maintains, confidentiality
  • Have overall responsibility for ensuring that systems and mechanisms are in place to protect confidentiality
  • Have vicarious liability for the actions of those working in the practice – including health professionals and non-clinical staff (i.e. those not employed directly by the practice but who work in the surgery).

Standards of confidentiality apply to all Health Professionals, Administrative and Ancillary Staff – including Receptionists, Secretaries, Practice Manager, Cleaners and Maintenance Staff who are bound by contracts of employment to maintain confidentiality. They must not reveal, to anybody outside the practice, personal information they learn in the course of their work, or due to their presence in the surgery, without the patient’s consent. Nor will they discuss with colleagues any aspect of a patient’s attendance at the surgery in a way that might allow identification of the patient unless to do so is necessary for the patient’s care.

4.7 Non-disclosure agreement

All persons engaged to work for and on behalf of the practice will be required to sign the following non-disclosure agreement, which will be recorded on their personnel file.


This policy has been approved by the undersigned and will be reviewed at least annually.

Title: Practice Manager

Approval Date: January 2022