Ashworth Hospital vs. MGN Ltd. 2002;

Attorney General v Mullholland; Attorney General v Foster. 1963;

Department of Health. Confidentiality: NHS Code of Practice. 2003. https// (accessed 11 March 2024)

Griffith R, Tengnah C. Law and Professional Issues in Nursing, 5th edn. London: Sage Publications; 2020

Nursing and Midwifery Council. The Code: Professional standards of practice and behaviour for nurses, midwives, and nursing associates. 2018. https// (accessed 11 March 2024)

Prince Albert v Strange. 1849;

Suspended: nurse who looked up medical records out of curiosity. 2024. https// (accessed 11 March 2024)

The law and professional considerations of confidentiality

02 April 2024
Volume 29 · Issue 4


In this month's Policy column, Iwan Dowie explores the laws of confidentiality, which forms part of the legal obligation of every community nurse.

Confidentiality of personal information has been an important pillar of UK law for a significant time. One of the first legal examples which emphasised the importance of confidentiality was the case of Prince Albert v Strange [1849]. This case involved the sending of templates of various private drawings of the Royal Family to a printer firm, where one of the employees made unauthorised copies and sold them to the defendant Mr Strange. Mr Strange intended to display these copies in a public gallery; however, Prince Albert sought an injunction to prevent these drawings being exhibited. The court agreed to the injunction, recognising Prince Albert's property rights, but also his right to privacy and confidentiality.

In matters of health, confidentiality remains an essential requirement in helping foster trust between patients and health and social care professionals, and patients expect information regarding their health to be kept secret (Griffiths and Tengnah, 2020). Under the Department of Health's (2003) ‘Confidentiality: NHS Code of Practice’, healthcare practitioners are reminded that a duty of confidence occurs when one person provides information to another in circumstances where it is reasonable to expect that this information will be held in confidence. Confidentiality is therefore a legal obligation for the community nurse. It also is a fundamental requirement within professional codes of conduct (The Nursing and Midwifery Council, 2018), and any unnecessary disclosure can place the practitioners' licence to practise at risk. In all contracts of employment there will also be a requirement to keep patient information confidential; therefore, establishing a legal contract between the employer and the employee, with often severe penalties available for an unnecessary breach, including in serious cases, dismissal of the employee.

Out of all healthcare professionals, the community nurse is in a particularly unique position of not only having access to patient details via medical and nursing records, but they also have access to people's homes and will have more insight into often complex family dynamics than a hospital-based practitioner. This can also present a real challenge for the community nurse as they tend to live close or within the community where their case load is based. Therefore, it is possible, even inadvertently, to breach confidentiality or share information inappropriately with non-relevant persons. For example, a community nurse is asked by a patient if Mrs Smith is ok as they haven't seen her at the post office for a long time. It would be tempting to say she is fine or that she's currently in hospital; however, responding will be a breach of both professional and legal requirements for keeping confidentiality. Patients have a legal right for their medical records and other information to be kept confidential, even from friends and family. Article 8 of the Human Rights Act 1998 (Right to Privacy and Dignity) and The Data Protection Act (2018), both protect the right for confidentiality. The common law also places an onus upon healthcare practitioners to uphold the duty of confidence, as outlined in the case of W v Edgell [1990]: ‘it is the doctor's duty to observe the rule of professional secrecy by refraining to disclose… information about a patient which he has learned directly or indirectly in his professional capacity’. In this case, W was a psychiatric inpatient and was interviewed by Dr Edgell. Dr Edgell submitted a medical report to the hospital director and the Home Office recommending W to stay in a secure hospital. However, W claimed that Dr Edgell owed him a duty of confidence and that the report should not have been disclosed without his consent. The court, while dismissing W's claim, did state that under most circumstances the patient must feel free to have discussions with their doctor or healthcare professional, with an understanding that this information is kept confidential. However, the court also allowed practitioners in cases which relate to public protection, for a disclosure to be made if a patient was to pose a serious risk of harm to the public or to themselves, but this should only happen after careful consideration of the risks. For example, a community nurse is visiting a patient in her home, and the son is in the same room smoking an illegal drug. There may be an increased risk of harm to the patient, in that the effect of the drug could make the son aggressive or violent or affect his mental capacity to provide sufficient care. However, the patient apologises to you and asks you not to say anything. You may feel that after assessing the situation that the risk involved is low, and a disclosure in this case is not necessary. However, you may feel a disclosure is necessary as the risk has significantly increased. While there is no right or wrong answer in this situation, the important factor is that you have carefully considered the facts, and that you would be able to defend the decision you have made. Even in cases where you think you are acting in the public interest in disclosing information to others (for example, the patient has been convicted of a serious crime), unless there is a serious risk to the public, as a community nurse it is not your position to disclose. In the case of Ashworth Hospital vs. MGN Ltd [2002] the Mirror newspaper published information provided to them by an employee of the Ashworth Hospital detailing the treatment of Ian Brady who was convicted of abducting and killing children during the 1960s (The Moors Murders). The hospital took the paper to court with a demand that the employee's details were disclosed. The court held that the employee could be named, as patient confidentiality is an essential duty of any person working in a healthcare setting, which, in this case had been clearly breached.

From a statutory perspective, The Data Protection Act 2018 (also referred to as the UK General Data Protection Regulations) also strengthens the law in relation to protecting personal data and tightens the way in which organisations are able to use and store data, and for how long organisations can retain the data. People also have a right to request to be forgotten, albeit limited when concerning medical matters, and any breach of data must be reported so adequate measures can be taken to protect personal information. For example, a community nurse has sent an email to patient B that was meant for patient A. It is a statutory requirement under the Data Protection Act 2018 to report this breach to your employer, and to also inform the actual and intended recipients of the breach. Therefore, patient A will need to be informed that an email containing their details was delivered to the wrong patient, while patient B must be informed to ignore and delete the email that was related to patient A. Likewise, the community nurse needs to be mindful regarding what information is posted on social media, or what to disclose with the community nurses' family and friends. While there may be a temptation to discuss a case with family members, any identifiable personal information regarding a patient will most likely breach professional and legal obligations. Furthermore, a community nurse accessing patient records, including that of family members of people not directly in your care will lead to professional and disciplinary sanctions. Recently, Stacey (2024) highlighted a case that went before a Nursing Midwifery Council Fitness to Practise Panel, of a school nurse who was suspended by the panel from the nursing register for inappropriately looking up medical records, merely out of curiosity.

It is also important to note that the court can also compel a community nurse to share information in relation to a patient, as there is no absolute right to keeping patient confidentiality. In the case of the Attorney General v Mullholland; Attorney General v Foster [1963], two journalists refused to provide their source to a government tribunal, and both were held in contempt of court, and subsequently imprisoned. The judge (Lord Denning) stated that ‘the clergy, the banker and the medical man are not entitled to refuse to divulge information if asked by the law to do so’. While the term medical man is an outdated term, the principle outlined in this case is that medical (which includes nursing) matters can be shared with the court, and to refuse will place the community nurse in contempt of court.

It is important for the community nurse to discuss confidentiality with their patients. This includes reassuring the patient that as a rule, confidentiality will be respected, and information will only be shared with the consent of the patient. Nevertheless, the community nurse must discuss with the patient when it is necessary to disclose information even if consent is not granted, such as safeguarding reasons, or a legal obligation to do so. Likewise, the community nurse must explain that information connected with the care of the patient will only be shared with other relevant health and social care professionals. If the community nurse wants to use patients for research purposes, strict ethical approval is required and reassurance made to any patient participants that their information will be kept secure, and anonymised.

To conclude, there is no absolute right to confidentiality under UK legislation, but the patient can reasonably expect for personal information held about themselves to be kept in a safe and secure environment. Disclosure of patient information by the community nurse should only be made after careful consideration and if it is necessary to prevent harm to the patient or others.