Consent to using and sharing patient information

Version 1.0, 28 March 2023

This guidance is part of the Data sharing and interoperability section of the Good practice guidelines for GP electronic patient records.

Sharing of confidential patient information is an essential requirement in providing care to patients.  The information collected also plays an important role in planning and evaluating health and care services and supporting medical research. 

All clinical and administrative staff working in primary care are responsible for knowing how, and when, to seek patient consent for information sharing.  It is important that you understand both your professional responsibilities and legal obligations.

It is essential that staff recognise the difference between obtaining consent for information sharing in order to provide optimal treatment to patients, and consent for information sharing for planning and research purposes.

Advice and support about data protection issues generally, including consent to using and sharing patient information, may be available through your local Integrated Care Board.  Local arrangements differ, though, and practices may choose to make their own arrangements for securing the services of a Data Protection Officer.

Sharing information for individual patient care

Consent is not required when recording information about individual patients.  You have a professional requirement to keep clear, accurate, and legible records, as set out by registered bodies.

Relevant information should be shared to ensure that patients receive safe and effective care. 

Consent can be implied when sharing relevant information with those who are directly involved in providing care to a patient unless they have indicated an objection.  This is because it is reasonable to assume that the patient would consent if asked, and that the patient would expect relevant information to be shared with those caring for them on a need-to-know basis.

Sharing information for planning and research

When using confidential patient information for purposes other than individual care, such as planning, or research, you must always consider whether confidential patient information is actually needed.  If it is essential, then explicit consent is normally required to share that information for purposes beyond individual care.

Explicit consent means a very clear and specific statement of consent.  It can be given in writing, verbally or through another form of communication, such as sign language. 

If it is not practicable to either work with anonymous data or to obtain explicit patient consent, then support under the Health Service (Control of Patient Information) Regulations 2002 is required.  This is often known as ‘section 251 support’. 

Further information on section 251 is in the ‘Legal and professional requirements’ section below.

What you need to do

GP practices are legally obliged to be transparent about how information is used and shared.

You should make information readily available to patients explaining how their information will be used, and their right to object.  This should be stated in the practice’s published privacy notice.

The same information should also be made available to patients in public areas such as waiting areas, on notice boards, in practice welcome packs and published on your practice website and social media channels. 

Handling objections and opt-outs

You should consider any patient objections and opt-outs before using and sharing information either for individual care or for planning and research purposes.

Objection to information sharing for individual care purposes

If an individual patient specifically objects to their information being shared for the purposes of their individual care, then you should not share it unless it is in the overriding public interest, for example, if not sharing the patient’s information would put other staff members at risk of harm.

You should explain to the patient the potential consequences of not sharing information.  If, after a discussion, the patient continues to object and you are convinced that it is essential to share the information to provide safe care, then it should be explained to the patient that treatment cannot be arranged without sharing the information.  This is set out in the General Medical Council’s (GMC) confidentiality guidance.

Some local areas have provided mechanisms for patients to state a preference over whether they have a shared record, for example by providing an opt-out form.  You should consult your local policy to see what the arrangements are for shared care records. 

Further information about choices in relation to shared care records is in the Information Governance Framework for Shared Care Records.

Objection to information sharing for planning and research purposes

Patients have a choice about whether their information is used for the purposes of planning of services and research.

Individual patients can opt out of sharing confidential patient information by completing a Type 1 opt out form, which means that the GP practice will not share confidential patient information for research and planning.  This includes confidential patient information for both the General Practice Extraction Service (GPES – including the GPES data for pandemic planning and research) and the  General Practice Data for Planning and Research (GPDPR) programme, which is still in development and predates the pandemic.

Patients can also register for ‘National data opt-out’ which means that their confidential patient information will not be used by other healthcare organisations for research and planning (except in certain circumstances e.g. when required by law). 

The national data opt-out does not apply where explicit consent has been obtained from the patient for a given specific purpose.

Further information on the national data opt-out, including how a patient can register their choice is on the NHS website

You should be willing to discuss any concerns about confidentiality with the patient which may address their concerns.  Many patients raising objections may, for example, wrongly fear their information will be used for marketing or for insurance purposes without their consent.

Duty to share

Registered health and care professionals have a legal and professional responsibility to ensure that information is shared appropriately to support care, as set out by the GMC, Nursing & Midwifery Council (NMC) and Health & Care Professions Council (HCPC).

In addition, the Caldicott Guardian Principles state that:

‘The duty to share information for individual care is as important as the duty to protect patient confidentiality’

Common law duty of confidentiality

The law relating to consent is complex and often leads to confusion.  ‘Common law’ is a form of law based on previous court cases decided by judges.  It is not written out in one document like an Act of Parliament.  Common law is also referred to as ‘judge-made’ or case law and is said to be based on precedent. 

The common law duty of confidentiality states that confidential patient information cannot be disclosed without their consent.  As set out above, for individual care you can rely on implied consent.  For purposes beyond individual care, in most cases you need to obtain explicit consent to disclose confidential patient information.

Information can only be disclosed without consent if one of the following applies:

  • you have obtained support from the Confidentiality Advisory Group (CAG) under section 251 of the NHS Act 2006. The CAG aims to protect and promote the interests of patients and the public, while at the same time facilitating appropriate use of confidential patient information for purposes beyond individual care.  CAG support under section 251 enables the common law duty of confidentiality to be lifted for a period of time, subject to review, so that confidential patient information can be used without breaching the duty of confidentiality
  • there is a legal requirement – examples of where information is required by law include court orders, where the Care Quality Commission requires documents as part of its powers of inspection, or where NHS Digital collects information when directed by the Secretary of State for Health and Social Care or NHS England
  • there is an overriding public interest – disclosure decisions in the public interest must be assessed on a case-by-case basis. You must consider whether the disclosure is sufficiently necessary to override an individual’s right to confidentiality and this must be weighed up against the public interest in maintaining a confidential health service

The General Medical Council provides guidance on when information can be disclosed without consent including disclosures required by law and public interest disclosures.

UK General Data Protection Regulation

Whilst consent is usually required to meet common law, you do not need to seek consent to meet data protection laws when using information for individual care, planning or research. 

Other helpful resources