Five things to know about our Confidentiality guidance and the GDPR

There aren't any fundamental changes to our Confidentiality guidance now that the new General Data Protection Regulation (GDPR) is in effect. We’ve made some updates to make sure it’s consistent with the GDPR – here’s what you need to know:

  1. We’ve added a few new paragraphs to our Confidentiality guidance so it reflects the new data protection law – take a look at paragraphs 25 and 67.
  2. The definition of consent hasn’t changed. You can still rely on implied consent as long as the conditions set out in the guidance are met - see paragraphs 28 and 29 (for direct care) and paragraph 96 (for local clinical audit). 
  3. You shouldn’t ask for consent if you have already decided to disclose information in the public interest. It would be misleading to ask for consent if the patient has no real choice in the matter. However, you should, if safe and practicable, tell a patient what you plan to disclose and consider any objections they may have - see paragraphs 63-70.
  4. Remember to always record your actions and decisions when you disclose information - see paragraph 11.
  5. There’s a summary of the GDPR in the Legal annex section and you can find out how this relates to other laws governing the use of patient information.

Other organisations have a range of useful resources to help you understand your responsibilities under the GDPR: 

  • The (ICO) – includes guidance for data controllers, including and a . They also provide resources designed specifically for the health sector.
  • The BMA has created a
  • The has developed detailed guidance on GDPR for health and social care organisations.
  • Your medical defence organisation will have learning materials.