Sharing Information with Consent

SJT Textbook: Sharing Information with Consent

Sharing Information with Consent MSRA

This guide covers the crucial topic of Sharing Information with Consent MSRA scenarios. In the Professional Dilemmas paper, candidates must accurately distinguish between “Direct Care” (where consent is often implied) and “Third Party” requests (where explicit consent is mandatory).

🎥 Video Lesson (YouTube)

🎧 Podcast Lesson (Spotify / Apple / Amazon)

🎯 THE CORE PRINCIPLE

“Sharing information with consent” means disclosing identifiable information where a person with capacity gives valid permission for a specific, understood purpose. In UK healthcare, you usually do not rely on GDPR “consent” for direct care: sharing within the multidisciplinary team is justified on a need-to-know basis to provide safe care. By contrast, non-care or third-party uses (relatives, employers, media, many teaching or research scenarios) normally require explicit, informed consent or a clear alternative legal/ethical basis.

Consent is only valid if it is voluntary, informed, specific and documented, and it can be withdrawn. You must also consider capacity: adults are presumed to have capacity unless there is evidence otherwise; if they lack capacity, you share in their best interests under the Mental Capacity Act. For children and young people, you apply Gillick competence and parental responsibility rules, and take particular care with confidentiality around sensitive issues.

In MSRA SJT questions, high-scoring answers distinguish between direct-care sharing and third-party requests, aim for the minimum necessary disclosure, insist on secure, auditable channels, and show a clear note of the rationale. The exam repeatedly tests whether you avoid both unsafe secrecy that harms care and casual oversharing that breaches confidentiality.

In Sharing Information with Consent MSRA questions, the first step is always to categorise the request. Is it for the medical team (implied consent usually applies) or an outsider (requires explicit consent)?

⚡ HIGH-YIELD ACTIONS (What Scores Points)

1. Clarify why information is being requested (direct care, relative update, employer, research, media).
2. Confirm the patient’s capacity and check for any signs of pressure or coercion.
3. Obtain explicit, informed consent before third-party or non-care disclosures.
4. Define the scope of consent: what can be shared, with whom, and by which route.
5. Share only the minimum necessary information for that purpose.
6. Verify identity and use approved, secure channels rather than personal devices or apps.
7. Record the discussion, decision, scope of consent, and any conditions or refusals.
8. Respect the patient’s right to withdraw consent and update the record if they do.
9. When capacity is lacking, share in line with best interests, safeguarding or other lawful bases and document your reasoning.

These traps either misunderstand the legal basis for sharing, give blanket access to third parties, or promote insecure, unauditable channels. In the exam, look for options that match purpose, capacity and valid consent, and that restrict disclosure to the minimum necessary via secure systems with a clear note.

Be alert for these Sharing Information with Consent MSRA red flags. A common trap is assuming a relative has an automatic right to information—they do not.

💬 MODEL PHRASES (Use These in SJT Logic)

* “You’re free to change your mind about this at any time; if you do, we’ll stop sharing and update your record.”
* “For your care today, we share information within the clinical team on a need-to-know basis; for anyone else, I will only share details with your explicit permission.”
* “Because this involves your employment, I’d like to discuss exactly what you’re comfortable for us to send to your employer and record that clearly.”

Ask permission • Scope clearly • Keep to minimum • Make secure • IN the notes

📋 QUICK FAQ

Do I need GDPR “consent” to share within the care team?
No. Direct care sharing within the team is generally justified on a need-to-know basis. You should minimise what you share, use approved systems, and be open with patients about how their information is used.

What makes consent valid for sharing information?
It must be voluntary, informed, specific to the purpose, and recorded, with the ability to withdraw. If you are relying on GDPR consent for special category data, it must be explicit.

What if the patient lacks capacity?
Follow the Mental Capacity Act: decide what to share in the person’s best interests, involve those close to them as appropriate, and record your reasoning and what you disclosed.

Can I share information with a relative without the patient present?
If the patient has capacity, you normally need their permission to share identifiable details. Without consent, you may offer general, non-identifiable information or share more only if a clear exception applies (e.g. serious risk, safeguarding).

What about employers, insurers or the media?
You usually need explicit, informed consent that clearly covers what is to be disclosed and to whom. Without it, you should not release identifiable information unless there is a specific legal obligation or overriding public-interest justification, which must be documented.

To score highly in Sharing Information with Consent MSRA ranking questions, you must demonstrate that you respect patient autonomy while ensuring the practical flow of information.

📚 GMC ANCHOR POINTS

• Protect and respect patient confidentiality while enabling safe care (GMC Confidentiality).
• Share information appropriately for direct care on a need-to-know basis, using the minimum necessary (GMC Confidentiality – direct care).
• Be open and honest with patients about how their information is used and their choices (Caldicott “no surprises” principle, reflected in GMC guidance).
• Keep clear, accurate, contemporaneous records of decisions, disclosures and justifications (GMC Good medical practice 2024 – records).
• Apply capacity and best-interests principles when patients cannot decide for themselves (GMC guidance and Mental Capacity Act framework).

💡 MINI PRACTICE SCENARIO

A competent inpatient asks you to update their partner about today’s scan result and likely discharge date. The partner is not present, and the ward is busy.

Best action: Confirm the patient’s capacity, agree exactly what can be shared and how, record explicit consent in the notes, then share the minimum necessary information with the partner via a verified, secure route.
Why: This respects confidentiality, uses valid consent, limits disclosure to what is needed, uses an appropriate channel, and leaves a clear record.

🎯 KEY TAKEAWAYS

✓ Direct care sharing within the team usually relies on need-to-know, not GDPR consent.
✓ Third-party or non-care disclosures usually require explicit, specific, informed consent.
✓ Always clarify purpose, capacity and voluntariness before disclosing.
✓ Share only the minimum necessary via secure, approved channels.
✓ Document consent (or lawful basis), what was shared, with whom, and why.

🔗 RELATED TOPICS

* → Patient Confidentiality Principles
* → Exceptions to Confidentiality (Safeguarding, Public Interest, Statutory Duties)
* → Data Protection (UK GDPR) in Healthcare
* → Social Media and Digital Professionalism

📖 FULL PRACTICE QUESTIONS

Example SJT — Best of 3 (8 options; choose three)

A 42-year-old inpatient with inflammatory bowel disease is recovering well after a flare. She has full decision-making capacity. She says: “Please can you let my partner know how I’m doing and what the plan is? They’re really anxious.” Later that afternoon, the partner phones the ward for an update. You have access to the clinical record and a secure hospital email system.

Options:
A. Give the partner a full, detailed run-through of the entire medical record to reassure them.
B. Decline to share any information and tell the partner that “GDPR doesn’t allow us to say anything.”
C. Confirm in person with the patient exactly what information can be shared and by which route, record explicit consent, then share the agreed points via a secure method.
D. Ask the partner to email from a verifiable address, then send a brief summary limited to today’s findings and plan, matching the patient’s documented consent.
E. Text a summary of the notes to the partner using your personal mobile phone so they get the information quickly.
F. Offer general advice about IBD flares without mentioning anything specific about the patient, and suggest the partner discusses details directly with the patient later.
G. Ask the patient’s permission to put a note on the record about who can be updated in future and in what level of detail.
H. Invite the partner to attend the next ward round without checking with the patient first so they can hear everything directly from the team.

Example SJT — Rank 5 (best → worst)

An HR manager emails the practice asking for “all mental-health details” about an employee who has been off sick. The employee is currently an inpatient on a psychiatric ward, has capacity, and has not given permission for information to be shared. HR says they “need everything” to manage sickness and capability procedures.

Options:
A. Reply that you will need the patient’s explicit, informed consent before disclosing anything; once they are well enough, discuss what they are happy for you to share, limit disclosure to what is necessary for the stated purpose, use secure channels, and document the decision.
B. Send a brief summary stating the diagnosis only, without discussing it with the patient, as this is less detailed than the full record.
C. Telephone the HR manager and discuss the patient’s mental health history informally so there is no written record.
D. Defer any response until the patient returns to work and then decide whether to send information, without informing HR of your reasoning.
E. Post a photo of the patient’s notes in a ward WhatsApp group to ask colleagues what they would disclose.