SJT Textbook: Confidentiality — Good Practice in Handling Patient Information

The GMC confidentiality principles tested in the MSRA SJT govern how doctors protect patient information while sharing it lawfully for safe care.
🎯 THE CORE PRINCIPLE
Confidentiality is fundamental to trust, but it is not absolute. The GMC requires doctors to protect patient information while sharing appropriately for safe, effective care. The MSRA SJT repeatedly tests your ability to balance confidentiality with lawful and ethical information sharing.
High-scoring answers show you understand when information *must* be shared (e.g. safeguarding, risk of serious harm, legal requirements) and when explicit consent is required (e.g. disclosures beyond direct care). Low-scoring responses either overshare unnecessarily or refuse to share information even when safety or law demands it.
Safe practice requires using the minimum necessary identifiable information, sharing responsibly, following GDPR and Data Protection Act principles, informing patients where appropriate, and documenting decisions clearly.
GMC Confidentiality MSRA SJT – Core Principles for Safe Information Sharing
🧩 KEY PRINCIPLES (MSRA SJT Interpretation)
1. Confidentiality is essential — but not absolute
Core idea: You must protect patient information, but you may (and sometimes must) disclose it to protect patients, fulfil legal requirements, or support safe care.
Exam cues:
* Understand implied consent for direct care
* Know when explicit consent is required
* Recognise when safety overrides confidentiality
High-yield rule:
* Confidentiality stops where serious risk or legal obligation begins.
In the GMC confidentiality MSRA SJT framework, safety and lawful disclosure always override absolute secrecy.
2. Use the minimum necessary information
Core idea: Always share the smallest amount of identifiable information required.
What the SJT tests:
* Redacting unnecessary details
* Avoiding casual or excessive sharing
* Sharing on a need-to-know basis only
Red flags:
* Oversharing
* Unsecured communication
* Gossiping about patient information
3. Manage and protect information effectively
Core idea: You are personally responsible for secure handling of patient data.
Exam cues:
* Lock screens, secure emails, appropriate storage
* Avoid discussing cases in public places
* Follow information governance (IG) policies
Red flags:
* Leaving notes/e-screens open
* Discussing cases in lifts/cafés
* Sending identifiable info to wrong recipients
4. Comply with the law (GDPR, DPA 2018, common law)
Core idea: You must fulfil legal duties regarding data processing, access, and disclosure.
What the SJT tests:
* Knowing consent, legal obligation, and public interest bases
* Supporting patient access requests
* Recording decisions proportionately
High-yield:
* Explicit consent for non-direct-care purposes
* Legal basis overrides consent refusal in some cases (e.g. court orders, notifiable diseases)
5. Share relevant information for direct care
Core idea: Safe care requires appropriate information sharing.
Exam cues:
* Implied consent usually acceptable for direct care
* Respect documented objections
* Ensure accuracy and timeliness
High-yield rule:
* If needed for direct care → share appropriately.
Red flags:
* Withholding essential information from MDT
* Using confidentiality as an excuse to block legitimate sharing
6. Obtain explicit consent for disclosures beyond direct care
Core idea: For research, insurance, media, or non-care purposes, you generally need explicit consent.
Exam cues:
* Consent must be informed and specific
* Respect refusal unless law requires disclosure
Red flags:
* Disclosing without consent for convenience
* Assuming consent for secondary uses
7. Inform patients about unexpected disclosures
Core idea: Patients should know if information has been shared unexpectedly.
Exam cues:
* Duty of candour principles overlap
* Exceptions: risk of serious harm, legal restrictions
High-yield:
* Inform, explain, and reassure
8. Support patient access to their information
Core idea: Patients have rights under GDPR and the Data Protection Act.
Exam cues:
* Responding to subject access requests appropriately
* Avoiding unnecessary obstruction
* Supporting clarity and transparency
⚡ HIGH-YIELD ACTIONS (What Scores Points)
1. Share only what is necessary for safe care.
2. Use implied consent appropriately for direct care.
3. Obtain explicit consent for secondary uses.
4. Escalate if serious risk requires disclosure.
5. Follow legal obligations (e.g. court orders, safeguarding).
6. Document consent discussions and disclosure decisions clearly.
7. Secure devices, records, and communications.
8. Support patients seeking access to their records.
9. Inform patients when information is disclosed unexpectedly unless unsafe.
10. Redact unnecessary identifiers.
COMMON TRAPS
* Sending identifiable data via insecure channels
* Disclosing without lawful basis or consent
* Withholding essential information needed for direct care
* Ignoring safeguarding or risk-based disclosure duties
* Failing to comply with legal requirements
* Accessing records without justification
Traps generally involve *overprotecting* confidentiality when safety requires disclosure, or *oversharing* when restraint is needed.
💬 MODEL PHRASES (Use These in SJT Logic)
* “I will use implied consent appropriately for direct care.”
* “I will obtain explicit consent for non-care disclosures.”
* “I will escalate concerns if there is a risk of serious harm.”
* “I will follow GDPR and organisational policies.”
* “I will document the rationale for disclosure clearly.”
MNEMONIC: CALM SAFE
C – Consent (explicit for non-care)
A – Appropriate sharing for care (implied)
L – Lawful basis (GDPR, DPA, common law)
M – Minimum necessary
S – Safety overrides confidentiality
A – Access rights for patients
F – Flowchart (use the GMC framework)
E – Explain unexpected disclosures
📋 QUICK FAQ
Is confidentiality absolute?
No — it is essential but not absolute. Safety and legal obligations may override it.
When is implied consent acceptable?
When sharing relevant information for direct patient care within the healthcare team.
Do I need explicit consent for all disclosures?
Yes for non-care purposes, unless required by law or justified by public interest.
Can I disclose information to protect others?
Yes — when there is a risk of serious harm and disclosure is justified.
What is the safest exam assumption about information sharing?
Share minimally, securely, and appropriately — and document your reasoning.
📚 GMC ANCHOR POINTS
* Confidentiality (GMC: Confidentiality guidance)
* Minimum necessary disclosure
* Implied consent for direct care
* Explicit consent for secondary uses
* Legal obligations for disclosure
* Protection of patients and others
* Secure handling and information governance
* Patient access to information
💡 MINI PRACTICE SCENARIO
A nurse asks you to email a full discharge summary to her personal email because the ward printer is broken. She needs the information to update the patient’s care plan.
Best action: Decline to use a personal email and instead find a secure method (NHS mail, clinical system access, or printed copy via alternative printer).
Why: Confidentiality requires secure handling and minimum necessary disclosure. Convenience must never override security.
🎯 KEY TAKEAWAYS
✓ Confidentiality is vital but not absolute.
✓ Implied consent applies only to direct care.
✓ Explicit consent is required for non-care disclosures.
✓ Share the minimum necessary information securely.
✓ Serious risk and legal duties override confidentiality.
✓ Document disclosure decisions clearly.
✓ Support patient access to their records.
✓ Avoid public or insecure discussions about patients.
Mastery of GMC confidentiality MSRA SJT principles is essential for consistently high-scoring professionalism answers.
🔗 RELATED TOPICS
* → Confidentiality: Disclosing information without consent
* → Data protection (GDPR/DPA)
* → Safeguarding and public interest disclosure
* → Communication and shared decision-making
* → Professional use of social media
* → Duty of candour
📖 FULL PRACTICE QUESTIONS
Example SJT — Best of 3 (8 options; choose three)
A patient’s relative phones the ward requesting detailed information about the patient’s new cancer diagnosis. The patient has not given permission to share information with family members.
Options:
A. Decline to share details and explain confidentiality
B. Encourage the relative to speak directly with the patient
C. Check whether the patient has recorded preferences or consent
D. Provide limited information to reassure the relative
E. Share details to reduce the relative’s distress
F. Suggest the patient discusses this during the next visit
G. Document the request and your response
H. Ask a colleague to share the information instead
Correct three: A, C, G
• A: Upholds confidentiality and respects patient rights.
• C: Checks for recorded consent/preferences.
• G: Ensures clear documentation.
Why others are weaker/wrong:
• B/F: Helpful but incomplete solutions.
• D/E: Breach confidentiality.
• H: Avoids responsibility and remains unsafe.
Example SJT — Rank 5 (best → worst)
A patient with limited capacity is suspected of being at risk from a family member. The safeguarding team requests relevant details urgently.
Options:
A. Share necessary information promptly under safeguarding/public interest
B. Delay sharing until the family member is informed
C. Share everything in the notes for completeness
D. Refuse to share as there is no consent
E. Provide anonymised information only
Ideal order: A (1) > E (2) > C (3) > D (4) > B (5)
• A: Legally and ethically justified to protect from harm.
• E: Safe if specific identifiers are unnecessary.
• C: Too much information but better than blocking safety.
• D: Incorrect — safety overrides consent.
• B: Unsafe delay.
