Version 1.1, 10 February 2023

This guidance is part of the Clinical safety section of the Good practice guidelines for GP electronic patient records.

Controlling or coercive behaviour is a criminal offence, as defined by The Serious Crime Act 2015.

The cross-government definition of domestic violence and abuse outlines controlling, or coercive behaviour as follows:

  • Controlling behaviour is a range of acts designed to make a person subordinate and/or dependent by isolating them from sources of support, exploiting their resources and capacities for personal gain, depriving them of the means needed for independence, resistance and escape and regulating their everyday behaviour.
  • Coercive behaviour is a continuing act or a pattern of acts of assault, threats, humiliation and intimidation or other abuse that is used to harm, punish, or frighten their victim.

Coercion and online access in general practice

Online access to general practice health services and individual patient records can provide an opportunity for perpetrators of coercive and controlling behaviour to use these tools to extend their control.  Patients could be forced into sharing personal and sensitive medical information including, but not limited to, domestic abuse, safeguarding, sexual health, and medical conditions.  Login details, prescription information and medical appointment details may also be included. 

In some instances records also contain 3rd party information.  As good practice this should always be flagged in a patient plan.

Under the terms of the GP contract regulations, practices have been required to promote and offer patients online access to their records, including coded, free-text information and letters since April 2020.  Online access to records has been increasing since 2015, and practices need to be mindful of associated risks.

Prospective record access

From November 2022 the GP contract requires patients with online accounts to be granted access to all entries in their record, i.e. to have prospective record access.  

Based on clinical judgement, if it is considered that some information could be harmful to the patient, or, in the context of coercive or controlling behaviour by a perpetrator, this information should not be shared. The information can be redacted from the patient view but must not be deleted from the record.  If system functionality to redact information is not available, the record should not be shared with the patient.

It is important to note any patient joining a practice after November 2022, even if full access was granted by a previous practice, will only be able to view their previous record by making a subject access request. Patients can copy information prior to the new registration if necessary.

Children and vulnerable adults

Anyone can be at risk of coercive and or controlling behaviour.  Some patients, however, may be at greater risk, particularly, but not exclusively, for example:

  • children
  • adults in an abusive relationship or at risk of domestic violence
  • elderly, or otherwise vulnerable adults

Keeping personal information secure may be more difficult for a vulnerable adult or child, and access to a patient’s health record can be particularly attractive to an abusive partner, an abusive carer, or an abusive parent.

More detail about controlling or coercive behaviour in an intimate or family relationship can be found in the Home Office Statutory Guidance Framework.

Practice responsibilities

As part of a wider duty of care, practices must have measures in place to protect those who are vulnerable or susceptible to controlling or coercive behaviour, for example if they are:

  • experiencing domestic or other forms of abuse
  • children who are ‘looked after’ or are on the practices safeguarding register
  • resident in a care home
  • cared for or supported by others because of a special need or a disability
  • detained by the police or immigration services, or in prison
  • subject to compulsory treatment or assessment orders, or at risk of becoming so

Practices should:

  • ensure they have a named Caldicott Guardian (or practice information governance lead) and safeguarding lead. The National Data Guardian for Health and Social Care in England has published guidance on appointing Caldicott Guardians
  • ensure all practice staff are fully trained in safeguarding both adults and children (to levels appropriate for their role) and that they are familiar with the practice safeguarding policy and the appointed safeguarding leads
  • ensure the practice safeguarding policy covers coercive or controlling behaviour with regards to online access and online proxy access
  • ensure that all staff fully document any concerns in the patient record as they arise, using appropriate terminology, coding and, if necessary, flagging of the record (particularly important if a patient sees a range of clinicians within the practice)
  • ensure consideration is given to the visibility of documentation of any sensitive information, such as a safeguarding concern, remember who may potentially view this in the patient record now or in the future
  • ensure staff have access to a clear process for raising concerns and the safeguarding lead is able to follow up any suspicions of coercive or controlling behaviour, by following local safeguarding procedures
  • remember that following an individual assessment, online access can be refused at the initial request, or amended at any time afterwards if there is a likely risk of serious harm
  • be prepared to consider providing transactional services or a custom level of access only (in some circumstances access to records could help a victim retain independence as they may be able to keep their phone secure and utilise the 24-hour access it provides) remembering that the GP should discuss any decision to restrict access with the patient.
  • draw patients’ attention to guidance on managing security and privacy whilst using the app
  • ensure that patient access to digital services is integrated into practice safeguarding plans, policies, and procedures


  • Controlling or coercive behaviour is an offence in law.
  • Online services should be open and safe for everyone to use.
  • With the increasing use of online and digital platforms to access services, and in particular patients accessing their record online, general practice has a part to play in keeping people safe. Practices must ensure that online and digital safeguarding precautions are an integral part of all practice policies and procedures, ensuring sensitive information is redacted as it is entered onto the clinical system or, in rare circumstances, know when it may be inappropriate to give a patient access to the medical record.
  • Perpetrators of domestic abuse often use online tools to abuse their victims. Use of technology, such as phone tracking, and monitoring of phone usage, is commonly used in controlling or coercive behaviour.
  • Patients can register independently for digital services, but practices should ensure that patient safety is taken into consideration and integrated into the processes for provision of all online services. Guidance should be provided for patients registering in practice for online services at the time of registration to help ensure patient safety.

Other helpful resources