SJT Textbook: Patient Confidentiality Principles

Patient Confidentiality Principles
This guide breaks down the core Patient Confidentiality Principles required for the MSRA SJT. In the Professional Dilemmas paper, you will face complex scenarios where you must balance the duty of privacy against the duty of care.
FREQUENCY: High
PRIORITY: Must-Know
🎯 THE CORE PRINCIPLE
Patient confidentiality is the professional and legal duty to protect identifiable information and disclose it only with the patient’s consent, or where there is a clear justification in law or in the public interest. Safe practice balances privacy with the need to share information for direct care, safeguarding and prevention of serious harm.
GMC confidentiality guidance (which sets out eight principles for handling patient information) and the Caldicott Principles all emphasise using information only when necessary, sharing the minimum necessary, restricting access to those with a genuine need-to-know, and being open with patients about how their information is used. Health data is also special category data under the UK GDPR and the Data Protection Act 2018, so any processing needs both a valid Article 6 lawful basis and a separate Article 9 condition (for direct care this is normally the provision of health care under Article 9(2)(h)).
In MSRA SJT questions, high-scoring options protect confidentiality without obstructing safe care. They clarify purpose, verify identity, share only relevant information via approved secure systems, and either obtain consent or rely on a clear legal/public-interest basis that is recorded. Low-scoring options either overshare (for example sending an entire record “to be safe”), refuse necessary sharing for direct care, or use insecure channels such as personal messaging apps.
Understanding Patient Confidentiality Principles often requires weighing privacy against safety. In the exam, visualize this as a set of scales: does the risk of harm outweigh the right to privacy?
⚡ HIGH-YIELD ACTIONS (What Scores Points)
1. Clarify the purpose of the request and whether it is for direct care, legal obligation or public interest.
2. Share only the minimum necessary information needed to achieve that purpose.
3. Verify the identity and role of the person requesting information and use approved, secure channels.
4. Seek and respect patient consent where appropriate, explaining how information will be used and any limits to confidentiality.
5. Recognise when disclosure without consent is justified (for example serious risk of harm, safeguarding, statutory duty or court order) and limit disclosure to what is necessary.
6. Distinguish between relatives’ wishes and the patient’s best interests; prioritise the patient’s rights and safety.
7. Avoid using personal devices or informal platforms (for example personal email or messaging apps) for identifiable data.
8. Make a contemporaneous record of what was shared, with whom, why, under which legal/ethical basis, and any discussions with the patient.
To score highly in ranking questions, apply Patient Confidentiality Principles systematically. It is not just about saying “no”; it is about sharing safely. Red flags to spot in scenario options:
• Unverified callers or emailers asking for detailed information about a patient.
• Suggestions to send photos of notes or screens via personal messaging apps.
• Colleagues asking you to keep serious-risk information “completely secret”.
• Refusals to share relevant information for direct care, citing “GDPR” incorrectly.
• No documentation of what was disclosed or the justification for disclosure.
Trap options either refuse justified sharing for direct care, overshare far beyond what is needed, promise absolute secrecy where serious harm may occur, or use insecure, informal systems. High-scoring options sit in the middle ground: they protect privacy while enabling safe, lawful care.
💬 MODEL PHRASES (Use These in SJT Logic)
* “I cannot promise to keep this entirely secret if there is a serious risk of harm, but I will share the minimum necessary and explain what I am doing.”
* “Before discussing any details, I need to confirm your role and contact details and then use the secure clinical inbox rather than personal email.”
* “For this police request, I must check the legal basis and will only disclose information that is necessary and proportionate, then record the decision.”
* “Even though your relative has concerns, I need to focus on what is in your best interests and share only what is needed for your direct care.”
MIN-SHARE: Minimum necessary • Identity verified • Need-to-know only • Secure system • Honest about limits • Appropriate legal basis • Record everything • Exceptions understood.
Use MIN-SHARE to check each confidentiality decision quickly in the exam, then work through these steps in order:
1. Clarify who is asking, why they are asking, and whether this is for direct care, legal duty or public interest.
2. Verify the requester’s identity and ensure you use an approved secure channel.
3. Decide whether consent is needed and, if so, seek and document it; if not, identify the legal/public-interest basis.
4. Share only the minimum necessary information with those who have a genuine need-to-know.
5. Explain to the patient where possible what is being shared and why, including any limits to confidentiality.
6. Make a clear contemporaneous record of what was shared, with whom, why and under which justification.
📋 QUICK FAQ
Do I need explicit consent to share information for direct care?
Not usually. Sharing relevant information for direct care is generally justified without explicit consent, provided you are transparent, share the minimum necessary and use secure systems. However, you should still respect any reasonable patient objections and discuss them.
What is the difference between the common law duty of confidentiality and UK GDPR/DPA?
The common law duty of confidentiality governs whether information given in confidence may be disclosed at all, and on what basis (consent, a legal requirement or the public interest). UK GDPR and the DPA 2018 govern how personal data, including health data, is processed, stored and accessed, and require a lawful basis plus an Article 9 condition for health data. In practice you must satisfy both: a lawful basis and condition for processing, and a justified reason for disclosure.
When can I disclose information without the patient’s consent?
You may disclose without consent where it is required by law (for example court order or certain statutory notifications) or justified in the public interest, such as preventing serious harm, serious crime or safeguarding. Limit disclosure to what is necessary and document your reasoning and attempts to involve or inform the patient.
What if relatives object to information being shared for direct care?
You should listen to their concerns but explain that relevant information often needs to be shared among the care team to keep the patient safe. Prioritise the patient’s rights and best interests; share the minimum necessary for care and record the discussion.
Can I use personal messaging apps or photos of notes in urgent situations?
In general, no. Personal devices and informal messaging apps are insecure and not appropriate for identifiable clinical information. Use approved clinical systems; if there is genuine immediate risk and no alternative, you must still minimise information and regularise the situation as soon as possible, documenting what you did and why.
📚 GMC ANCHOR POINTS
• Maintain patient confidentiality and respect patients’ right to privacy while enabling safe, effective care (GMC confidentiality guidance).
• Share relevant information appropriately within the team for direct care, on a need-to-know basis and in line with Caldicott Principles (GMC confidentiality; Good medical practice 2024).
• Disclose information without consent only where required by law or justified in the public interest, limiting disclosure to what is necessary and documenting decisions (GMC confidentiality).
• Keep clear, accurate, contemporaneous records of what information was shared, with whom, and the reasons for doing so (Good medical practice 2024, records and continuity).
💡 MINI PRACTICE SCENARIO
A ward pharmacist asks for a patient’s allergy history and recent antibiotic prescriptions to check for drug interactions. The patient’s relative insists that you do not share “any details at all” with the pharmacist.
Best action: Explain that sharing relevant information with the pharmacist is necessary for safe care, share only the minimum necessary information via secure systems, and document what you shared and why.
Why: Direct care justifies limited, relevant sharing despite a relative’s objection; this protects the patient from harm and aligns with GMC and Caldicott minimum-necessary principles.
🎯 KEY TAKEAWAYS
✓ Confidentiality protects privacy but does not prevent justified sharing for safe care.
✓ Direct care usually allows sharing the minimum necessary information within the team without explicit consent.
✓ Disclosures without consent must have a clear legal or public-interest basis and be proportionate.
✓ Secure, approved systems and identity checks are essential to prevent breaches.
✓ Every significant decision to disclose or withhold information should be documented with reasons.
Your summary checklist for mastering Patient Confidentiality Principles in the MSRA is at the end of this page, after the practice questions.
🔗 RELATED TOPICS
* → Data Protection (UK GDPR and DPA 2018) in Healthcare
* → Exceptions to Confidentiality and Safeguarding
* → Duty of Candour
* → Social Media and Digital Professionalism
* → Responding to Patient Complaints
📖 FULL PRACTICE QUESTIONS
Example SJT — Best of 3 (8 options; choose three)
Scenario
You are the medical SHO on a ward. A clinical pharmacist requests details of a patient’s allergies and recent antibiotic prescriptions to check for a potentially serious drug interaction before dispensing medication. The patient is confused and unable to give reliable history. The patient’s relative says, “Do not tell them anything about her. It is private.” The pharmacist sends a request via the secure electronic prescribing system and is available on the ward to discuss.
Options:
A. Decline to share any information because the relative has refused permission, and advise the pharmacist to proceed without it.
B. Share the minimum necessary relevant information (allergies and recent antibiotics) with the pharmacist via the secure system and document what you shared and why.
C. Email a scanned copy of the entire notes, including old clinic letters, to the pharmacist’s personal email so nothing is missed.
D. Take a photo of the drug chart and send it via a staff messaging app to speed things up.
E. Ask the relative to sign a written consent form before sharing anything and delay prescribing until this is obtained.
F. Explain the duty to ensure safe prescribing, reassure the relative you will share only what is necessary, and then proceed to share relevant information securely.
G. Leave the request for the day team to sort out and make no changes to the current prescription.
H. Ask the pharmacist to rely only on what is already in the GP summary, even if it is incomplete, to avoid sharing more information.
Correct three: B, F, A
• B: Safely shares the minimum necessary information for direct care via secure systems and includes documentation; strongly aligned with GMC and Caldicott.
• F: Adds good communication, explaining the rationale to the relative while still sharing necessary information in the patient’s best interests.
• A: In a real setting this would be too rigid: it refuses direct-care sharing on a relative’s say-so, which the red flags above warn against. It is included as the “less good but defensible” third choice only to contrast with options that actively breach confidentiality or delay care.
Why others are weaker/wrong:
• C: Overshares far beyond what is needed and uses insecure, inappropriate routes.
• D: Uses personal messaging for identifiable data; insecure and unprofessional.
• E: Delays necessary care and implies consent is always required for direct care sharing.
• G: Ignores an active risk from a potential drug interaction.
• H: Refuses to supplement incomplete information even where safe systems exist, risking harm.
Example SJT — Rank 5 (best → worst)
Scenario
A police officer phones the ward about a patient who was assaulted in public. The officer gives a name and collar number and asks you to “email everything you have on this patient” to an address they provide. The on-call nurse suggests sending the full scanned record to be “as helpful as possible”. There is no immediate suggestion of an ongoing serious threat, but the officer says the information would support their investigation.
Options:
A. Verify the officer’s identity and request written documentation or policy reference for the legal basis of the request; disclose only information that is necessary and proportionate, and document what you shared, with whom, why and under which justification.
B. Refuse to disclose any information at all, stating that “GDPR means we cannot ever share patient information with the police”.
C. Email the entire record, including old mental health and sexual health notes, to the address provided to avoid missing anything important.
D. Share detailed information verbally over the phone without further verification because “it sounds urgent”.
E. Take photos of key pages of the notes and post them into a staff messaging app asking colleagues what they think should be sent.
Summary of options:
A. Careful verification, minimum necessary disclosure and full documentation.
B. Blanket refusal on the basis of data protection.
C. Full record disclosure without proportionality.
D. Verbal disclosure without proper verification or proportionality.
E. Informal sharing via insecure messaging app.
Ideal order: A (1) > B (2) > D (3) > C (4) > E (5)
• A: Best; verifies identity and legal basis, limits disclosure to what is necessary and records the decision, balancing cooperation with the police and confidentiality.
• B: Better than reckless disclosure, but overly rigid and may obstruct legitimate legal processes; demonstrates misunderstanding of the law.
• D: Shares information without proper checks; some intention to cooperate but poor on verification and proportionality.
• C: Serious breach of minimum-necessary and need-to-know principles; discloses highly sensitive data unnecessarily.
• E: Worst; uses insecure messaging for identifiable data and shares information widely with staff who have no need-to-know.
Summary checklist (what to do):
• Clarify purpose (direct care, law, public interest)
• Share the minimum necessary with need-to-know staff
• Verify identity and use approved secure systems
• Establish consent or clear legal/public-interest basis
• Document what you shared, with whom, why, and under which basis
Red flags (what loses points):
• Requests for “everything” in the record
• Unverified callers or personal email addresses
• Use of personal messaging apps for identifiable data
• Promises of absolute secrecy despite serious risk
• Refusal to share relevant information for direct care
References:
- GMC — Confidentiality: good practice in handling patient information: https://www.gmc-uk.org/professional-standards/the-professional-standards/confidentiality
- GMC — Good medical practice (2024): communication, records, confidentiality and continuity of care: https://www.gmc-uk.org/professional-standards/the-professional-standards/good-medical-practice
- National Data Guardian — The Caldicott Principles: https://www.gov.uk/government/publications/the-caldicott-principles
- NHS — Common law duty of confidentiality: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice/a-guide-to-confidentiality-in-health-and-social-care/hscic-guide-to-confidentiality-references/section-2
- ICO — Special category data and Article 9 conditions (health): https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data
- NHS England — Consent to using and sharing patient information: https://www.england.nhs.uk/long-read/consent-to-using-and-sharing-patient-information
