Information Governance
Because "I was only trying to help" is not a defence the GMC accepts: learn the rules that keep your patients (and you) safe.
Good practice in handling, securing and protecting patient and employee data, in plain English, with the real-world scenarios that catch GPs out, the GMC rules you must know, and the consultation phrases that keep you confident under pressure.
Last updated: 20 April 2026
Downloads
Handouts, flowcharts and decision tools, ready when you are. Print them, share them, or stash them for the moment you need them most.
Folder: INFORMATION GOVERNANCE
- caldicott 7 principles.docx
- decision template tool for information data sharing - ukcgc.pdf
- information data sharing decision template ukcgc.pdf
- information governance user handbook.pdf
- information governance.pdf
- information handling - at a glance.doc
- police - disclosing information flowchart.pdf
- police - information sharing in homicide missing persons and other general enquiries.pdf
Web Resources
A hand-picked mix of official guidance and real-world GP resources, because sometimes the best pearls aren't hiding in the official documents.
- GMC & Core Guidance
- Caldicott & Data Security
- BMA & Defence Unions
- Law & Records Management
- Police & Missing Persons
- Domestic Abuse Resources
Quick Summary: One-Minute Recall
If you only read one box, read this one. The whole topic, boiled down to what you must know before tomorrow's clinic or exam.
Information Governance in 60 seconds
- Information Governance (IG) is the framework that keeps personal data safe, legal, and used for the right reasons.
- Start from "no": you cannot share patient information unless you have consent, a legal duty, a vital interest, or a clear public interest.
- The 8 Caldicott Principles run the show, and the 7th (the duty to share) and 8th (the duty to inform) are the most often forgotten.
- If the police ring without a court order: breathe, think, call your defence union. You are accountable for the release, not them.
- If you do disclose, share the minimum necessary, tell the patient where practicable, and document everything.
- Gunshot wounds: always tell police (name and address come later). Knife wounds from attacks: tell police. Accidental or self-harm knife injuries: usually no need to report.
- Domestic abuse: write "patient says", never "alleges". Code as History of Domestic Abuse and hide the entry from the online record.
- Deceased patients: the common law duty of confidentiality persists after death. The Access to Health Records Act 1990 governs access.
- GP records retention: the NHS Records Management Code of Practice sets the minimum at 10 years after death for GP patient records.
- Subject Access Requests (SARs): respond within one calendar month, free of charge, under UK GDPR / DPA 2018.
Why This Matters in General Practice
You will face an IG dilemma more often than you think. A ringing phone. A knock at the door. A relative asking about a dead patient. An email sent to the wrong person. These are the everyday reality of UK general practice, and getting it wrong can end a career.
It is daily GP work
Every consultation produces information. Every letter, every referral, every Slack-style message between colleagues engages IG. You don't have to work on an "IG project"; you live it every day.
Mistakes have real consequences
A wrongly released email, a careless disclosure to a relative, a chatty comment in the waiting area: any of these can trigger a GMC referral, an ICO fine, or lasting harm to the patient's trust.
It is heavily tested in the AKT
Confidentiality, Caldicott, capacity, police disclosure, SARs, records retention: these come up reliably. The ethics and administrative domain is where many candidates lose easy marks.
It is scored in the SCA
A consultation that touches confidentiality tests you on Medical Complexity and Relating to Others. Examiners want to see you balance the patient's rights, the public's safety, and your professional duty, calmly.
Let's Talk Confidentiality
Before we get technical, let's start with where the word itself comes from, because the etymology tells you everything about what the duty really is.
The Roots of the Word
| Latin root | Meaning |
|---|---|
| Con | with |
| Fides | trust or faith |
| Alitas / Alitatis | a nature, state or condition |
Confidentiality, then, is a condition of trust. A patient hands you something private (a symptom, a fear, a secret) and trusts that it will go no further than it has to. That is the whole thing.
The Three Ingredients of Trust
Trust doesn't appear by magic. It is built from three recognisable traits in the person doing the listening:
- Honesty: you are straight with people. You don't bend the truth to make a consultation easier.
- Sincerity: you genuinely care. Your warmth is real, not a performance for the examiner.
- Judiciousness: you use good judgement. You think before you share, speak, or decide.
Sweeney's 3 C's of Trust
Colonel Sweeney, studying what made soldiers trust their leaders, found something remarkably similar. He called them the Three C's: each necessary, none sufficient alone.
| Sweeney's C | What it means | In GP terms |
|---|---|---|
| Character | Honesty, integrity, morality. | The patient senses you are principled and straight. |
| Caring | Genuine empathy and concern. | The patient senses you actually care about them. |
| Competence | Skilled at the job. | The patient senses you know what you are doing. |
The Common Law Duty of Confidentiality
When someone shares personal information in confidence, it must not be disclosed without a legal authority or justification. That authority can come from one of four routes only:
- The patient consents
- A vital interest (serious risk to life)
- The public interest
- The doctrine of necessity / legal requirement
Default position: do not disclose. The duty sits on the side of silence. You need a reason to open your mouth, not a reason to stay quiet.
The 8 Caldicott Principles
The Caldicott Principles are the operating rules for handling confidential patient information across health and social care. There were originally 6 principles in 1997; a 7th was added in 2013, and an 8th in December 2020 by the National Data Guardian. Every practice has a Caldicott Guardian (often a senior GP or the practice manager) whose job is to make sure these principles are followed.
Principle 1: Justify the purpose(s) for using confidential information
Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
Principle 2: Use confidential information only when it is necessary
Confidential information should not be included unless it is necessary for the specified purpose(s). The need to identify individuals should be considered at each stage, and alternatives used where possible.
Principle 3: Use the minimum necessary confidential information
Where use of confidential information is considered necessary, each item of information must be justified so that only the minimum amount is included for the given function. No "whole record dumps".
Principle 4: Access should be on a strict need-to-know basis
Only those who need access to confidential information should have access to it, and then only to the items they need to see. Receptionists don't need to read consultations. Locums don't need to browse at random.
Principle 5: Everyone with access should be aware of their responsibilities
Action should be taken to ensure all those handling confidential information, clinical or non-clinical, understand their responsibilities and obligations to respect patient confidentiality.
Principle 6: Comply with the law
Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring their use complies with statute and the common law duty of confidentiality.
Principle 7: The duty to share for individual care is as important as the duty to protect confidentiality
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users, within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
Principle 8: Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure no surprises for patients, so they can have clear expectations about how and why their information is used, and what choices they have. Added by the National Data Guardian in December 2020.
Trainer Pearl: the two principles most often forgotten
Most trainees can rattle off principles 1 to 6. The ones most often missed, and most often tested, are Principle 7 (the duty to share) and Principle 8 (the duty to inform). Principle 7 exists because Dame Fiona Caldicott found clinicians were hiding behind "confidentiality" to avoid awkward safeguarding conversations. Principle 8 exists because patients should never be surprised about how their data is used: the "no surprises" rule. Remember: over-caution and under-communication can both cause harm.
Note for revision
Older teaching resources, and some older AKT revision materials, still describe only 7 Caldicott principles. The current authoritative set published by the National Data Guardian (December 2020) contains 8 principles. Learn the 8.
When Can You Disclose Information?
There are four, and only four, routes that make disclosure legally permissible. Memorise them. Every real-life IG dilemma eventually fits into one of these.
Route 1: Valid Consent
For consent to be valid, the patient must:
- Understand the information relevant to the decision
- Retain that information long enough to weigh it up
- Weigh up the balance: pros, cons, consequences
- Communicate their decision in some way
Watch for coercion. Is the patient afraid? Pleasing someone else? Influenced by pain, fear, faith, love, loyalty, or hope? Consent must be given freely.
Capacity is dynamic. A patient may have capacity for some decisions but not others. It may come and go. Always re-assess for the decision in front of you.
Route 2: To Protect the Patient
For example, a patient who lacks capacity and is at risk to themselves. A vulnerable missing adult. A known victim of domestic abuse who may be silent out of fear.
Route 3: To Protect Others From Harm
"Others" includes children in the household, other family members, or the public at large. You do not have to prove there is a risk; you only need a genuine belief that a risk exists. That genuine belief gives you permission to release, not an order to release.
Route 4: When the Law Tells You
- Notifiable diseases: inform the Proper Officer of your local authority.
- Statutory requests from regulatory bodies (e.g. GMC).
- Specific crimes: terrorism, FGM, knife and gunshot wounds from attacks.
- Threats or assaults against you or your staff by a patient.
- Court orders: you must comply, but release only what the order specifies.
The Minimum Necessary Rule
Even when disclosure is permitted, release only what is relevant and proportionate to the request. A court order asking about mental health history is not a permission slip to hand over the whole record. Think surgical, not shotgun.
Public Interest: What Does That Mean?
"It's in the public interest" is one of the most frequently misused phrases in medicine. There is no tool, no calculator, no simple test. But the GMC gives you six factors to weigh. Learn them; they come up in both the AKT and as examiner probing in the SCA.
GMC Public Interest Test (from para 68 of Confidentiality guidance)
When deciding whether the public interest in disclosing outweighs the patient's (and the public's) interest in keeping it confidential, you must consider:
- Potential harm or distress to the patient: will they disengage from care afterwards?
- Potential harm to trust in doctors generally: if patients believed doctors disclosed freely, fewer would share.
- Potential harm to others if you do not disclose: specific individuals or society more broadly.
- Potential benefits to an individual or society if you do disclose.
- The nature of the information to be disclosed and any patient views.
- Whether the harm can be avoided without breaching privacy: what is the minimum intrusion?
A useful mental model
Think of the public interest test as a pair of scales. On one side: the patient's privacy plus society's general trust in doctors. On the other: the risk of serious harm to identifiable others. Only when the second side clearly outweighs the first should you consider disclosure without consent.
The Police Are Asking: What Do You Do?
It happens. The phone rings. A polite officer explains they need information about your patient, "in the public interest", without a court order. They may even ask you not to tell the patient. Here's how to handle it without losing your registration or your nerve.
The golden rule
You are accountable for the release, not the police. If you disclose something that wasn't lawful to disclose, the GMC will come knocking at your door, not theirs.
The Calm-Down Protocol
1. Breathe: you have at least 15 minutes. This is not a 999 call. Don't let urgency in their voice become urgency in your thinking.
2. Don't decide alone: your partners, your practice Caldicott Guardian, your defence union (MDU / MPS / MDDUS). Call them. That is literally what they are for.
3. Pin down "public interest": ask the officer exactly what the public interest is. A patient roaming the streets attacking people? Yes. A patient who caused an accidental death opening a car door? Probably not.
4. Consider risk appetite: weigh the consequences of disclosing vs not disclosing. Both carry risk.
5. Minimum and relevant only: if you do release, release the smallest amount that satisfies the lawful request. Never a whole record.
6. Tell the patient: where practicable and safe, unless telling them would undermine the purpose (e.g. they might flee or destroy evidence).
7. Wait for the court order: unless the patient poses immediate danger to others' lives, the default is to wait. The police can get an order from a judge if the case is strong.
8. Document everything: who asked, what they asked, what you said, who you consulted, what you released and why. Your notes are your defence.
The UKCGC 8-Point Decision Template
When you face an IG dilemma, use this structured template to record your reasoning. It protects both the patient and you.
| # | Question | Why it matters |
|---|---|---|
| 1 | What is the issue? | Define the question clearly before answering it. |
| 2 | What pieces of law have you considered? | e.g. DPA 2018, common law duty, Caldicott. |
| 3 | What professional guidance has been considered? | GMC, BMA, defence union. |
| 4 | How have the Caldicott Principles been satisfied? | Go through all 8. |
| 5 | Who have you talked to? | Colleagues, Caldicott Guardian, defence union, patient or relatives. |
| 6 | Is the information sufficient to decide? Is urgency a factor? | Do you have all you need? How fast must you act? |
| 7 | What is the rationale for the decision? | Show your working; your reasoning is the defence. |
| 8 | What is the decision? | What did you do, how was it implemented, was the patient informed? |
Gunshot and Knife Wounds
This is one of the most heavily tested IG topics in the AKT. The GMC guidance is specific and slightly counter-intuitive, so know the distinctions.
| Type of injury | Report to police? | Name & address? |
|---|---|---|
| Gunshot wound (any) | Yes: always make an initial report | Not at initial report; only after further consideration, consent or a public-interest test |
| Knife/blade from an attack | Yes: usually report | Same rule: initial report without identifiers |
| Accidental knife injury | No: usually not required | N/A |
| Self-harm with a blade | No: usually not required | N/A |
| Firearms / shotgun licence concerns | Consider: public interest if non-disclosure risks death or serious harm | Case by case |
The name-and-address trick
When you first alert the police to a gunshot or attack-related knife wound, you typically do not need to give the patient's name or address. The initial notification allows the police to allocate resources. The patient's identifying details are considered separately, under the usual confidentiality rules.
Children and young people under 18
Any child arriving with a gunshot wound, or a knife wound from an attack, raises child protection concerns automatically. Even accidental knife injuries in under-18s may warrant safeguarding referral. Escalate to your safeguarding lead.
Domestic Abuse and Information Sharing
Domestic abuse is one of the most common, most hidden, and most consequential IG topics a GP will face. The rules for sharing, recording, and protecting are specific, and easy to get wrong.
The Language Rule: "says", not "alleges"
Don't write:
"Patient alleges Mr X assaulted her."
"Mr X assaulted the patient."
Why not? "Alleges" implies doubt. Stating assault as fact implies you witnessed it.
Do write:
"Patient says Mr X assaulted her."
Why? Neutral, faithful to the patient's account, legally safe.
The Ethical Starting Point
An individual's information may be shared if it is necessary to prevent or reduce the risk of serious harm, to themselves or to others.
"It cannot be ethically justified if we hold information that we know could prevent serious harm to others, and yet knowingly decide not to share it." Source: "Striking the Balance", joint Department of Health and UK Caldicott Guardian Council guidance on information sharing for MARACs (Multi-Agency Risk Assessment Conferences).
The Proportionality Principle
The more serious the potential harm, the greater the justification to share without consent. Risk must be quantified where possible; that is where structured tools like DASH (Domestic Abuse, Stalking and Honour-based Violence) come in.
Recording Domestic Abuse in the Medical Record
The RCGP (2021) provides clear guidance on how to code and protect the record of a patient experiencing domestic abuse:
- Code as "History of Domestic Abuse": a major active problem, not a past one, until resolved.
- Remember that domestic abuse does not always stop when the relationship ends; coercive control can persist.
- The nature of abuse can change: what was physical may become financial or emotional. The code may remain relevant for many years.
- Use the online visibility function to hide these consultations from the patient's online record access; perpetrators often coerce victims into sharing login details.
The online record trap
Modern GP systems give patients real-time access to their record via the NHS App. If a perpetrator sees your DV entry, the consequences for the victim can be severe. Hide the consultation from online visibility before you save it. This is not optional; it is safeguarding.
What About the Deceased?
A common source of confusion. Different laws apply after death, but the duty of confidentiality doesn't simply vanish.
Data Protection Act 2018 / UK GDPR
Does not apply to the deceased. Data protection law only protects the living.
Common Law Duty of Confidentiality
Continues after death. If the patient indicated during life that they did not want information disclosed, that wish should be respected.
Who Can Access a Deceased Patient's Records?
Access is governed by the Access to Health Records Act 1990. Access may be granted to:
- The personal representative of the deceased (e.g. executor of the will).
- Any person who may have a claim arising out of the death, but only for information directly relevant to the claim.
Always pause and seek advice first
Access to deceased patients' records is legally nuanced. Before releasing anything, contact your defence union. They can check the applicant has proper standing, advise on what is relevant to release, and help you navigate contested family disputes.
The contested will
A patient of yours died a month ago. The family are contesting the will. The executor now approaches you for access to the full medical records to support their case. What do you do?
Discussion
- Stop. Pause. Breathe.
- This is a legal matter, not a clinical one: phone your defence union before disclosing anything.
- Check the applicant has a legitimate standing under the Access to Health Records Act 1990.
- Even if access is permitted, release only what is directly relevant to the claim β not the whole record.
- Consider whether the deceased expressed views in life about disclosure.
Record Keeping, Retention & Subject Access Requests
Boring but brilliantly testable. How long do you keep records? How quickly must you respond to a request? These are easy AKT marks.
How Long to Keep Records
Guided by the NHS Records Management Code of Practice 2021. Different records, different periods.
| Record type | Minimum retention |
|---|---|
| GP patient records after death | 10 years after death (or after the patient has permanently left the country, unless they remain in the EU) |
| De-registered GP records (patient no longer on a practice system) | Currently retained centrally for up to 100 years; under review by NHS England |
| Adult hospital records | 8 years after last contact |
| Children's records | Until the patient's 25th birthday (or 26th if they were 17 at last contact), or 8 years after death, whichever is sooner |
| Maternity records | 25 years after last live birth |
| Mental health records | 20 years after last contact, or 8 years after death, whichever is sooner |
| Creutzfeldt-Jakob Disease (CJD) records | 30 years from diagnosis, including deceased patients |
Source: NHS England Records Management Code of Practice 2021, Appendix II. Check the live HTML version for the most current schedule; a PDF snapshot may not reflect recent updates.
AKT lightning fact
GP patient records after a patient's death: 10 years is the NHS Records Management Code minimum, not "indefinite". Older guidance and some older revision resources still quote "indefinite" for electronic records; that position is superseded by the 2021 Code.
Subject Access Requests (SARs)
Under UK GDPR and the Data Protection Act 2018, a patient has the right to see their own records on request.
| Aspect | Rule |
|---|---|
| Time to respond | 1 calendar month (extendable by 2 further months if complex) |
| Cost | Free of charge (a reasonable fee may apply for manifestly unfounded or repeated requests) |
| Identity | You may (and should) verify the requester's identity before releasing |
| Third-party information | Redact information about other identifiable people unless they consent |
| Serious harm exemption | You may withhold information if disclosure would cause serious harm to physical or mental health |
Chaperone Documentation
GMC Rule
When a chaperone is present during an intimate examination, the medical record must document:
- That a chaperone was present
- The chaperone's name
- The chaperone's job role
Just writing "chaperone present" is insufficient, and a favourite AKT distractor.
The Duty of Candour
If something goes wrong, openness is not a courtesy; it is a legal and professional duty. UK GDPR Article 34 puts it plainly.
UK GDPR Article 34
"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
The misdirected email
An email about a patient has been sent to the wrong person via a non-secure email system. The mistake has been recognised and corrected (emails deleted, recipient contacted).
- Would you tell the patient?
- What if the patient were comatose and terminally ill?
- What if the patient had died?
Discussion
- Very few things in IG are black or white. Start with the duty of candour: open, honest, prompt.
- Who received it? An email sent to the wrong specialist doctor is very different from one sent to a stranger or the national press.
- What was in it? A test result reminder is different from a sensitive mental health summary.
- General principle: if a reasonable patient would want to know about the breach, you should tell them. The comatose patient's relatives, and the deceased patient's executor, should usually be informed.
- Use secure systems. NHSmail is the safe default for clinical communication; the whole point of it is that both sender and recipient are secure.
- Report serious breaches via your practice's Data Security & Protection Toolkit to the ICO.
Two More Scenarios That Catch GPs Out
Real IG never arrives in a textbook. It arrives in a consultation, at 4:45pm on a Friday, with a patient looking hopefully at you. Work these through; they are common exam scenarios too.
The 15-year-old and her 24-year-old "boyfriend"
A 15-year-old girl asks the school nurse for contraception. She reveals she is sexually active with her 24-year-old boyfriend. She does not want to get pregnant. She adores him and he adores her; she shows the nurse all the gifts he has bought her, including the latest top-end phone.
Should the nurse breach confidentiality and report this? If so, to whom?
Discussion
- What the 24-year-old is doing is illegal: the age of consent is 16 in the UK.
- There is an element of grooming: gifts, financial power imbalance, secrecy.
- Report: yes. This is not a simple Fraser / Gillick scenario. The risk to the child is serious.
- To whom: the child safeguarding team. They will coordinate the response, involving police if needed.
- Explain to the patient, where safe, why you are concerned and what you must do.
The 36-year-old who wants to die
A 36-year-old woman consults you. She wants it "on record" that she intends to end her life, and that her decision should be respected. Her husband died 8 months ago in a terrible accident. She has no dependents. She has tried to continue. She has previously attempted suicide but "didn't know how much paracetamol to take". This time she says she will succeed. She does not want medical help. She says she is of sound mind and the GP should not share this consultation with anyone. She came precisely because she wanted it documented that she was not depressed and had decided calmly.
Should the GP breach confidentiality? If yes, to whom?
Discussion
- People of sound mind are entitled to make irrational choices. That is a cornerstone of medical ethics.
- But the real question is: is she of sound mind? Bereavement, a prior suicide attempt, and intrusive hopelessness all raise serious doubt.
- Capacity assessment must be decision-specific. Can she understand, retain, weigh, and communicate?
- GMC guidance (Confidentiality, para 59): "You should, however, usually abide by the patient's refusal to consent to disclosure, even if their decision leaves them (but no one else) at risk of death or serious harm." The "usually" is significant, and so is the careful emphasis that this applies only when no one else is at risk. And it applies only once you are confident the decision is genuinely capacitous and not the product of treatable depression.
- Practical approach: you can discuss the case anonymously with the crisis team or psychiatrist (no patient identifiers) to help decide whether further assessment is needed.
- Disclosure is justified if a formal capacity assessment is needed urgently and cannot be achieved with consent. This is one of the hardest calls in general practice; never make it alone.
The patient who won't stop driving
A 78-year-old gentleman has newly diagnosed moderate dementia. His daughter phones the practice, distressed, saying he has driven through two red lights in the last fortnight, and reversed into the gatepost. You have previously advised him that he must inform the DVLA and that he should not drive. He insists he is fine and has not notified them. You now know he is still driving.
Do you disclose to the DVLA without his consent?
Discussion
- The driver is legally responsible for informing the DVLA, not you. Your first job is to remind and encourage.
- Make every reasonable effort to persuade him to stop: offer a second opinion, bring in a close family member (with consent), repeat the conversation in writing.
- If persuasion fails and he continues to drive, GMC guidance is explicit: you should contact the DVLA and disclose the relevant medical information.
- If he lacks capacity to understand the advice (for example, due to dementia), you should inform the DVLA as soon as practicable.
- Tell the patient before you disclose, where safe and practicable, and confirm the disclosure to him in writing afterwards.
- Document everything: the conversations, the advice given, the patient's response, and the reasoning behind your decision.
- About the daughter's call: you can listen and take in the information she offers, but do not confirm or share anything from the record without your patient's consent.
Common Pitfalls & Trainee Traps
The classics: the things that consistently catch trainees out in real practice, in the AKT, and in the SCA.
- Assuming "the police asked" means "I must release". Police requests do not override confidentiality. You are accountable for your release.
- Releasing the entire record. Even when disclosure is lawful, only the minimum relevant information is permitted.
- Forgetting Caldicott Principles 7 and 8. The duty to share (Principle 7) and the duty to inform patients (Principle 8) are as important as the duty to protect. Over-caution and under-communication both cause harm.
- Saying "I can't discuss your relative". Sometimes you can, with consent, or if they lack capacity. A blanket refusal is lazy practice.
- Using "alleges" in DV notes. It sounds legal; it is actually damaging. Use "says".
- Forgetting to hide DV entries from online access. Patients' online records are often visible to partners. Use the online visibility function.
- Deciding alone at 4:45pm on a Friday. Your partners and defence union are there for a reason. Never decide complex IG alone.
- Writing "chaperone present" without name and role. The GMC requires the chaperone's identity to be recorded: name and job role.
- Thinking data protection ends at death. DPA 2018 protection does end, but the common law duty of confidentiality continues.
- Charging for a SAR. Under UK GDPR, subject access requests are free; charging is unlawful unless the request is manifestly unfounded or repetitive.
The UK Caldicott Guardian Council (UKCGC)
A quiet but enormously useful body. If you have an IG dilemma and want expert help, at no cost, this is who to contact.
What the UKCGC does
- Acts as a first point of contact for Caldicott Guardians and organisations seeking advice on the Caldicott principles.
- Helps Guardians share experience, views, and practical approaches.
- Promotes consistent standards and training for Caldicott Guardians.
- Develops guidance and policies on the Caldicott principles.
Services are free. They are available to any Caldicott Guardian or any professional fulfilling the Caldicott function in their role.
Key resources:
- UKCGC website
- Contact UKCGC for advice
- Caldicott Guardian Manual
A quiet rule of practice
Make sure you (or your practice manager) are registered on and actively using the NHS Data Security & Protection Toolkit to report incidents to the Information Commissioner's Office (ICO). This is not optional; it is a core DSPT compliance requirement.
Much of the material on this page was originally informed by a 2021 UKCGC workshop on Information Governance for General Practitioners. We acknowledge the contributions of the facilitators whose shared wisdom shaped the early versions of this resource.
For Trainers & Teaching Pearls
IG is taught badly in most training programmes, as a list of rules rather than a reasoning skill. Here is how to teach it so trainees actually use it in clinic and score in the SCA.
Common Trainee Blind Spots
- Confidentiality as an absolute. Trainees often believe confidentiality is unbreakable. They freeze when it conflicts with safety.
- Confusing Caldicott Guardian with ICO – trainees can't always explain who does what.
- Mistaking "public interest" for "police curiosity".
- Forgetting the patient is a person when IG discussions get technical.
- Not knowing where their defence union number is saved.
Tutorial Prompts You Can Use Tomorrow
Prompt 1 – The phone call
"You are on call. The police ring about one of your patients. They want full records immediately, 'in the public interest'. Walk me through exactly what you'd say in the next 30 seconds – and in the next 30 minutes."
Prompt 2 – The relative
"A woman tells you her elderly father was seen in your clinic yesterday and she wants to know what was discussed. He lives alone and she's worried. What do you do? What do you say?"
Prompt 3 – The breach
"A colleague sent a referral letter to the wrong email address last week. It contained sensitive mental health information. They want to 'handle it quietly'. How do you respond?"
Prompt 4 – The young adult
"A 17-year-old tells you she has been self-harming and has taken an overdose previously. She begs you not to tell her parents or school. Work through the ethical reasoning out loud."
How to Assess Learning
- Can the trainee name all 8 Caldicott Principles – including the 7th (duty to share) and 8th (duty to inform)?
- Can they describe the 4 routes to lawful disclosure?
- Can they state the SAR timeline and cost?
- Can they list 3 situations where statute requires disclosure?
- Can they phone their defence union without looking up the number?
- Can they run through the UKCGC 8-point template on a real case?
- Can they explain confidentiality limits to a patient in plain English in under 20 seconds?
A simple teaching model – the "Pause-Ponder-Phone" rule
Pause: do not answer in the moment. Buy 15 minutes.
Ponder: What is the legal basis? What do the Caldicott principles say? What's the minimum necessary?
Phone: defence union, Caldicott Guardian, partner, or safeguarding lead. Never decide alone.
Every IG dilemma in general practice fits this three-step framework.
FAQ – Quick Questions
The questions trainees ask most β answered quickly.
Who is the Caldicott Guardian in our practice?
Every NHS organisation handling patient-identifiable information must have a Caldicott Guardian. In a GP practice, this is usually a GP partner (often the senior partner) or sometimes the practice manager. Their name should be displayed in the practice and on the DSPT submission. If you do not know who yours is – find out today.
Can I discuss patients with my family?
No, not in any identifiable way. Even "you'll never guess who I saw today" gives too much away. Venting about a hard day is fine – names, ages, locations, or specific details are not.
A patient has asked me to remove something from their record. Can I?
No. Medical records are a contemporaneous clinical account. You cannot delete accurate information because the patient wishes it. You can, however, add the patient's own account alongside it – and you should, under UK GDPR's rectification rights, correct factually incorrect information.
Can I be sued personally for an IG breach?
Yes. Individuals can be held personally accountable – civilly, through the ICO, and professionally through the GMC. Your defence union provides indemnity and support. This is why their number should be in your phone.
What is NHSmail and why does it matter?
NHSmail is the NHS's secure email system. Emails sent between NHSmail accounts are encrypted and considered secure for clinical content. Use it for anything involving patient information. Standard email (Gmail, Hotmail, Yahoo) is not secure and should not carry identifiable patient data.
Can a 14-year-old have confidential care?
Yes, if they are Gillick / Fraser competent β able to understand, retain, weigh, and communicate a decision about their treatment. Confidentiality applies just as it would for an adult, unless safeguarding concerns arise.
What do I do if a patient lacks capacity and family members disagree about disclosure?
Act in the patient's best interests, guided by the Mental Capacity Act. Consider any advance decisions, appointed attorneys, or close family views β but the final decision rests on best interests, not majority vote. Document your reasoning carefully and involve your defence union for complex cases.
How do I report a data breach?
Report to your practice Caldicott Guardian and Information Asset Owner immediately. Serious breaches likely to result in high risk to individuals must be reported to the ICO within 72 hours via the Data Security & Protection Toolkit. Tell affected patients where appropriate under Article 34.
Can I refuse to hand over records to the police?
Yes – unless there is a court order, a statutory requirement, or a clear public-interest justification. A polite "I need to consult my defence union before I can respond" is an entirely acceptable reply to a verbal police request.
Do IMGs face anything specific in this topic?
Some IMGs come from systems where family involvement in consultations is the norm, or where information-sharing with police is routine. UK practice places the individual patient's autonomy at the centre, often more strictly than other jurisdictions. Read the GMC guidance early, and discuss cases with your trainer – this is very much a learned, culture-specific skill.
Insider Pearls – Real-World Wisdom
The things that don't make it into official guidance – but that every experienced GP eventually learns, often the hard way. Distilled from UK GP trainee discussions, defence union case reviews, training scheme teaching, and educators who see the same mistakes again and again. All cross-checked against GMC, RCGP, and NHS England guidance – nothing here conflicts with the rules. It just adds the texture that the rules leave out.
The Police Phone Call – What They Actually Say
Trainees imagine the police will arrive with dramatic urgency. In reality, the call is usually polite, calm, and full of legal-sounding phrases designed to make disclosure feel obligatory. Recognise the patterns:
"I'm quoting DPA Schedule 2…"
An officer may cite sections of the Data Protection Act – often Schedule 2 paragraphs 2 and 5 – and hand you a form signed by a senior officer. These provisions can make disclosure lawful – but they do not compel you to disclose. A signed police form is not a court order. The decision remains yours.
"It's in the public interest – time is critical"
Urgency in their voice is not the same as urgency in the case. Ask them to specify the public interest in concrete terms. If they cannot, you almost certainly have time to phone your defence union.
"Please don't tell the patient"
This request is legitimate in some serious cases (e.g. where notifying the patient would let them flee or destroy evidence). But you still need to satisfy yourself that disclosure is justified. A request for secrecy does not itself make disclosure lawful.
"We can come in now and collect it"
They can't. Without a warrant or court order, police have no right to demand your records in person any more than by phone. Politely ask them to email or fax the formal request so you can consider it properly.
Insider Tip – the phrase that buys you time
"Thank you for the information, officer. Given the seriousness of what you're asking, I need to consult my defence organisation and our Caldicott Guardian before I can respond. Please could you send the request in writing, and I will come back to you within the hour."
This is calm, professional, legally sound, and protects everyone – including the officer, who does not want an unlawful disclosure either.
The Police-at-the-Phone Decision Flow
A visual walkthrough of the thinking – not a shortcut, but a sanity check.
The Times the Law Actually Compels You to Disclose
Most disclosures to the police are permitted but not required. There is a smaller, specific list where the law genuinely compels you – and confusing the two is where trainees go wrong.
| Statute / duty | What it compels | Don't forget |
|---|---|---|
| Road Traffic Act 1988 (s.172) | The registered keeper of a vehicle must identify the driver when required by police. Any other person must give any information it is in their power to give that may lead to identification of the driver. | Applies to identity information, not full clinical records. Failure to comply is a summary offence carrying a fine and penalty points. In a GP context this most often arises if a GP happens to have information that could identify a driver. |
| Terrorism Act 2000 (s.38B) | Disclose information that may help prevent an act of terrorism or apprehend a terrorist. | The duty applies regardless of patient consent. |
| Female Genital Mutilation Act 2003 (s.5B) | Report known cases of FGM in girls under 18 to the police. | Mandatory for regulated health professionals. No professional judgement involved. |
| Public Health (Control of Disease) Act 1984 | Notify the local authority's Proper Officer of notifiable infectious diseases. | Measles, meningitis, TB, food poisoning, and many more – the list is on GOV.UK. |
| A valid court order | Comply with what the order specifies. | You can query an order that seems to ask for too much β through legal advice. |
The trainee trap
Many trainees memorise "knife and gunshot wounds" as a legal duty. It is not. Reporting is strongly expected professional practice under GMC guidance – and it can be justified in the public interest – but there is no single UK statute that compels it in the way the Road Traffic Act compels driver identification. Get the distinction right and you'll get the AKT question right.
What Counts as a "Serious Crime"?
The GMC's confidentiality guidance does not define "serious crime" – which is part of why trainees find it so confusing. The NHS's Confidentiality Code of Practice gives examples, and defence unions consistently work from the same list:
Usually "serious"
Murder · manslaughter · rape · kidnapping · child abuse or neglect causing significant harm · terrorism · serious assault causing lasting injury
Grey zone
Burglary · drug dealing · arson without injury · domestic violence without immediate danger · historic offences – judgement required on harm to others
Usually not "serious"
Shoplifting · minor traffic offences · public order offences · cannabis possession · benefit fraud not involving vulnerable victims
The guiding principle
The question is not "how serious did the police call it?" – it is "how serious would the harm to others be if you didn't disclose?" That is the test the GMC and defence unions apply. A confession of shoplifting does not pass it. A confession of child abuse almost always does.
Data Breaches – What Actually Happens in GP Practices
Trainees imagine data breaches as dramatic hacking events. Real breaches are almost always human and mundane – and trainee-level mistakes.
The top 5 breaches GP practices actually report
- The misdirected email – typing the first letters of a name, auto-complete picking the wrong contact, hitting send before checking.
- The wrong patient on a letter – using a previous letter as a template and forgetting to change the name or NHS number.
- The unlocked screen – leaving the consulting room for a minute with the record open; reception staff or cleaners can see.
- The home visit slip – patient summary sheet left in the car, in the waiting area, or in an unshredded bin.
- The shared password – a locum using the regular GP's login to save time. Never acceptable – ever.
What to do the moment you realise a breach has happened
| Time | Action |
|---|---|
| Within minutes | Contain the breach – recall the email, lock the screen, retrieve the document. Tell the practice manager or Caldicott Guardian. |
| Within hours | Document: who, what, when, how, severity. Log it in the practice's data breach register. |
| Within 72 hours | If the breach is likely to cause risk to the rights and freedoms of patients, report via the NHS Data Security & Protection Toolkit (which notifies the ICO). |
| Without undue delay | Tell the affected patient if the breach is likely to result in high risk to them (UK GDPR Article 34). |
| Next practice meeting | Run a significant event analysis. Identify the system failure β not just the human one. Update the process. |
Insider Tip – the 72-hour clock
The 72-hour ICO reporting clock starts when the practice becomes aware of the breach – not when the breach actually occurred. If a patient reports it to reception on Monday morning about an email sent the previous Thursday, your clock starts Monday. Document the moment of awareness clearly.
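The breach timeline in the table and the 72-hour tip above can be turned into a dated checklist. The Python below is an added example written for this page; it is not code from the page, the UKCGC, NHS England or any defence union. It assumes that someone has already graded the breach (unlikely to result in a risk / likely to result in a risk / likely to result in a high risk) and simply applies the page's timing rules to that grading: the ICO clock runs from the moment of awareness rather than occurrence, and patient notification under Article 34 follows only the high-risk grade. The breach description, dates and times are constructed for illustration.

```python
"""Breach-response timeline helper.

Added example: not code from this page, the UKCGC, NHS or any defence union.
It encodes the timeline in the table above as a checklist generator:
  * the ICO 72-hour clock starts at the moment of *awareness*, not occurrence;
  * a report to the ICO (via the DSPT) is needed when the breach is likely to
    result in a risk to patients' rights and freedoms;
  * the affected patient is told without undue delay only when the risk is
    likely to be *high* (UK GDPR Article 34).
The risk grading is an input decided by the person triaging the breach; the
code never judges severity itself.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

ICO_REPORTING_WINDOW = timedelta(hours=72)  # UK GDPR Article 33


class Risk(Enum):
    """Outcome of the practice's own risk assessment (an input, not computed here)."""
    UNLIKELY = "unlikely to result in a risk"      # log internally only
    RISK = "likely to result in a risk"            # report to the ICO
    HIGH_RISK = "likely to result in a high risk"  # report to the ICO and tell the patient


@dataclass
class Breach:
    description: str
    occurred_at: datetime   # when the breach actually happened
    aware_at: datetime      # when the practice became aware of it
    risk: Risk


@dataclass
class Plan:
    ico_report_required: bool
    ico_deadline: Optional[datetime]
    notify_patient: bool
    actions: List[str] = field(default_factory=list)


def plan_response(breach: Breach, now: datetime) -> Plan:
    """Turn a triaged breach into the dated checklist from the table above."""
    if breach.aware_at < breach.occurred_at:
        raise ValueError("awareness cannot precede the breach itself")

    actions = [
        "Contain the breach now: recall the email, lock the screen, retrieve the document.",
        "Tell the practice manager or Caldicott Guardian.",
        f"Record the moment of awareness: {breach.aware_at.isoformat()}.",
        "Log who / what / when / how / severity in the practice data breach register.",
    ]

    report_required = breach.risk in (Risk.RISK, Risk.HIGH_RISK)
    deadline = None
    if report_required:
        # The clock runs from awareness, not from when the breach occurred.
        deadline = breach.aware_at + ICO_REPORTING_WINDOW
        if now > deadline:
            actions.append(
                "OVERDUE: report via the DSPT (which notifies the ICO) immediately "
                "and record the reasons for the delay."
            )
        else:
            hours_left = (deadline - now) / timedelta(hours=1)
            actions.append(
                f"Report via the DSPT (which notifies the ICO) by {deadline.isoformat()} "
                f"({hours_left:.1f} h remaining)."
            )

    notify_patient = breach.risk is Risk.HIGH_RISK
    if notify_patient:
        actions.append("Tell the affected patient without undue delay (UK GDPR Article 34).")

    actions.append("Run a significant event analysis at the next practice meeting; "
                   "fix the system failure, not just the human one.")
    return Plan(report_required, deadline, notify_patient, actions)


# Constructed illustration of the tip above: a referral e-mail sent to the
# wrong address on a Thursday, reported by the patient on the Monday morning.
UTC = timezone.utc
EXAMPLE_BREACH = Breach(
    description="Referral letter with mental health information sent to the wrong address",
    occurred_at=datetime(2026, 4, 16, 15, 30, tzinfo=UTC),  # Thursday (constructed date)
    aware_at=datetime(2026, 4, 20, 9, 0, tzinfo=UTC),       # Monday   (constructed date)
    risk=Risk.HIGH_RISK,
)


def example_plan(hours_after_awareness: float) -> Plan:
    """Plan for EXAMPLE_BREACH as seen a given number of hours after Monday 09:00."""
    now = EXAMPLE_BREACH.aware_at + timedelta(hours=hours_after_awareness)
    return plan_response(EXAMPLE_BREACH, now)


if __name__ == "__main__":
    for step in example_plan(1.0).actions:
        print("-", step)
```

Run it as a script to print the checklist for the Thursday-email / Monday-awareness case from the tip; `example_plan(hours)` returns the same plan as seen a given number of hours after awareness, which is how the overdue branch can be exercised. Note that the deadline is derived from `aware_at` alone, so recording that timestamp accurately is what makes the rest of the checklist correct.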
What experienced GPs know about NHSmail
NHSmail is the only nationally-approved email system for sharing identifiable patient data. Most trainees know that. What they don't know is that NHSmail has an encryption feature that lets you send secure emails to non-NHSmail recipients (Gmail, Hotmail, patient addresses) – just type [secure] in the subject line. The recipient gets a secure portal link. This is how you share a letter safely with a patient who doesn't have NHSmail.
Recognising Coercive Control – The Patterns Trainees Miss
Domestic abuse is rarely announced. It is more often revealed through small, repeated signals over multiple consultations. Trainees consistently miss these – experienced GPs learn to notice them.
Consultation-level red flags
- A partner answering questions for the patient.
- A partner attending every appointment, even intimate ones.
- The patient looking to the partner before answering.
- Frequent attendance with vague, somatic symptoms.
- Injuries that don't match the history given.
- Repeated cancellations or missed appointments – controlled access to healthcare.
- Sudden change of GP or repeated requests to change GP.
Record-level red flags
- Requests to see the patient alone are refused.
- The partner manages the online record.
- The patient asks questions that suggest the partner has been reading their notes.
- Sensitive consultations they don't remember having.
- Medication not being taken as the partner collects it.
The "see the patient alone" move
Create a routine reason to see the patient without their partner – a blood pressure check, a smear recall, a repeat prescription review. Practice receptionists can be briefed to say "the doctor asks to see patients alone for this appointment". That one minute alone is often when disclosure happens.
SCA Scoring Insights – What Examiners Consistently Flag
From patterns noted by UK GP educators who teach SCA preparation. These are the small moves that differentiate a pass from a distinction.
The "honesty preamble"
Candidates who start a confidentiality-sensitive consultation with a brief, clear statement of the limits of confidentiality score higher. It signals mature professional practice. Don't skip it – even if you think it's obvious.
The explicit consent ask
Asking "Would you be comfortable for me to share this with…?" – out loud – is worth marks. Silent assumption of consent is not the same.
Name the safety-net
Saying "before I do anything, I'll phone our safeguarding lead" or "I'll check with my defence organisation" is scored positively. It shows professional humility and safe practice.
Explain in plain English
Saying "Caldicott" or "GDPR" to the simulated patient is marked down. Saying "there are rules about when I can share, and I'll follow them carefully" is marked up.
The documentation sentence
End consultations with "I'll make a careful note of what we've discussed and what we've decided". Small, but scored. It shows you understand records as part of safe practice.
Signpost the next step
Before closing, state what happens next: who you'll contact, when, and what will happen to the patient. Don't let the consultation end in ambiguity.
For IMGs – What Differs in UK Practice
Information governance in the UK sits on an unusually strong axis of individual autonomy. If your previous training was in a different system, these shifts in mindset will catch you out before anything else.
Family ≠ automatic right to know
In many systems, families are expected to be told diagnoses and results. In the UK, the patient holds that right. You cannot tell a spouse "the results came back" without consent – even if they were sitting beside the patient last week.
Police requests are not automatic
In some countries, refusing a police request is unthinkable. In the UK, it is expected professional practice when there is no lawful basis. Learn the phrase "I'll need to consult before I respond" and use it without apology.
Teenagers have rights adults may not expect
A Gillick-competent 14-year-old can access confidential contraception without parental knowledge. This surprises doctors from many systems. It is firmly settled UK law.
Silence is a duty, not a choice
Casual disclosure to colleagues ("did you see that awful case yesterday?") is a disciplinary matter in the UK. Corridor conversations, named mentions in the kitchen, or vivid stories at dinner parties are all breaches. The bar is high and the culture takes it seriously.
What GP Trainees Wish They'd Known Earlier
Distilled from reflective accounts across UK GP training discussions and educational blogs. The recurring lessons:
- Save your defence union number in your phone on day one. Not in your desk drawer. Your phone.
- Learn to say "I'll come back to you" without apologising for it. It's a professional skill, not a weakness.
- Write your notes as if the patient will read them β because they can. Online record access means every consultation is potentially visible.
- Never send a letter from a template without checking every name, NHS number, and address. The one time you don't is the time it goes to the wrong patient.
- If in doubt, hide the consultation from online visibility. You can always unhide it later. You cannot un-see what a partner has read.
- A 15-minute pause is not weakness. "Let me think about this and phone you back" has saved more careers than any textbook.
- The Caldicott Guardian in your practice is not mysterious. Find out their name this week. Introduce yourself. They exist to help you.
- Documentation is the defence. Every IG decision – even the small ones – should be written with the question "could I justify this later?" in mind.
- The AKT tests administrative topics lightly but reliably. Know your retention periods, SAR timelines, and Gillick/Fraser distinctions cold. Easy marks.
- In the SCA, the word "confidentiality" usually appears once – from you, early. Make it deliberate. It scores.
The final pearl
Information governance feels like a rule book until you realise it is a trust book. Every rule exists because patients gave something sensitive to the system, and the system promised to handle it carefully. When you think of it that way, the decisions get easier – not because the rules become simpler, but because the point of them becomes obvious. Protect the trust. Everything else follows.
AKT High-Yield Points
Information governance and ethics sit squarely in the Administrative Issues domain of the AKT. Candidates consistently underperform here. Memorise this section and you will recover marks easily.
- GMC confidentiality guidance – when you can share without consent
- Gunshot and knife wound reporting – what counts, what doesn't
- Subject access requests – timelines, exemptions, third-party redaction, deceased records
- Capacity – the four-stage test, fluctuating capacity, Gillick competence
- Caldicott principles – all 8, especially the 7th (duty to share) and 8th (duty to inform, added 2020)
- Police disclosure – court order vs voluntary
- Records retention – GP records: 10 years after death (NHS Records Management Code of Practice 2021)
- Duty of candour – when to tell the patient, UK GDPR Art 34
- Chaperone documentation – name AND role
Worked Example 1 – Knife Wound
Regarding sharing confidential information about knife wounds, which ONE of the following statements is INCORRECT?
- In some cases, the patient's name and address need not be given to the police at initial notification.
- You should usually let the patient know you are contacting the police.
- Details of all patients presenting with a knife wound should be reported to the police.
- In some cases it is acceptable to disclose without seeking the patient's consent first.
- A child arriving with a knife wound from an attack raises automatic child protection concerns.
Worked Example 2 – Records Retention
Under the NHS Records Management Code of Practice, what is the minimum retention period for GP patient records after a patient dies?
- 3 years
- 6 years
- 10 years
- 25 years
- Indefinitely
Worked Example 3 – Gillick / Mature Minor
A 15-year-old was seen alone, assessed as competent, and prescribed contraception. Her mother later calls the surgery asking what was discussed. What is the most appropriate response?
- Give the mother a full summary, as the patient is a minor.
- Explain you cannot disclose without the daughter's permission.
- Tell the mother contraception was prescribed but not why.
- Ask the daughter to call her mother and explain herself.
- Refer the mother to the safeguarding team.
Rapid-fire AKT facts
- SAR deadline: 1 calendar month, extendable to 3 months for complex cases.
- SARs are free of charge – no exceptions for routine requests.
- Gunshot wounds: always report. Knife attacks: usually report.
- Accidental / self-inflicted knife wounds: usually not reported.
- Caldicott Guardian present in every NHS organisation handling patient data.
- GP patient records after death: 10 years minimum (NHS Records Management Code of Practice 2021).
- Notifiable diseases reported to the Proper Officer of the local authority.
- Chaperone documentation: name and role, not just presence.
- Court order: you must comply – but only with what the order specifies.
SCA High-Yield Tips
In the SCA, information governance rarely arrives with a big flashing sign saying "CONFIDENTIALITY SCENARIO". It slips in through the side door – a relative calling, a patient asking for records, a police officer on the phone, a sensitive diagnosis on a shared device. Spot it, handle it calmly, score the marks. Examiners are looking for the following:
- That you recognise the IG dilemma – not the case itself, but the dilemma hidden in it.
- That you balance competing duties – to the patient, the public, the law, and your profession.
- That you explain clearly in everyday language – IG is dense, you must translate it.
- That you safety-net appropriately – especially when disclosure may follow.
- That you are willing to say "I need to consult" – showing professional humility rather than bluffing.
Common candidate mistakes
- Over-promising confidentiality ("anything you say here stays with me") – and then having to row back.
- Refusing to disclose anything at all when safeguarding is obvious.
- Getting pulled into long clinical exploration and forgetting the IG layer.
- Speaking in legal jargon β patients don't know what "Caldicott" means.
- Forgetting to tell the patient what you will do next.
Quick wins for extra marks
- Flag the dilemma openly: "I want to be straight with you about what I can and can't keep private."
- Offer consent: "Would you be happy for me to share this with…"
- Explain the minimum: "If I do need to share, I will only share what is absolutely needed."
- Name a safe person: "I'll call our safeguarding lead / my defence union before I do anything."
- Close with empathy: "I know this isn't easy. I want to help you through it."
SCA Consultation Pearl
Honesty about the limits of confidentiality is more powerful than a false promise of it. A patient who is told up front "most of what you tell me stays between us, but there are a few things I can't keep private" respects you far more than one who feels betrayed later.
Red flags you must mention in the SCA
- Safeguarding concerns – children, vulnerable adults.
- Threats to self or others.
- Patterns suggesting grooming, coercion, or domestic abuse.
- Statutory disclosure triggers – gunshot wounds, notifiable diseases, terrorism.
- Capacity concerns – especially in autonomy-based cases.
Common SCA Scenarios Involving IG
| Scenario | Core IG issue | Key move |
|---|---|---|
| Relative phones asking about patient | Disclosure without consent | Don't confirm registration; offer to call patient and pass on the message. |
| Patient asks for records | Subject access request | Explain the SAR process; 1 month; free. |
| Teenager requests contraception | Fraser / Gillick competence | Assess competence; confidentiality if competent; safeguarding if not. |
| Patient discloses DV | Consent vs safety | Assess risk; offer support; explain what you must do. |
| Police officer phones | Voluntary disclosure | Don't decide on the phone; defence union first. |
| Patient diagnosed with HIV, partner unaware | Public interest disclosure | Encourage patient to tell; last resort GMC test for disclosure. |
| Elderly patient with cognitive decline + driving | Confidentiality vs DVLA | Advise patient to inform DVLA; escalate if they refuse. |
Useful Consultation Phrases
Say any of these once out loud, and they will stick. Use them tomorrow in clinic. They work.
Opening with transparency about confidentiality
Exploring concerns sensitively
When you realise you need to share information
When handling a relative's request
When the police call
When a patient discloses domestic abuse
When a patient wants to refuse disclosure
Managing uncertainty honestly
Safety-netting the information governance decision
Closing
Style reminder
Every phrase above works because it is honest, short, specific, and humane. The patient feels respected because you are not pretending the situation is simpler than it is.
Final Take-Home Points
- The default is silence. You need a reason to share, not a reason to stay quiet.
- Four lawful routes to disclose: consent, protect the patient, protect others, the law requires it. That's it.
- Minimum necessary, always. Even lawful disclosure does not mean full disclosure.
- Never decide alone at 4:45pm on a Friday. Defence union, Caldicott Guardian, partners. Always.
- Caldicott Principles 7 and 8 matter. Not sharing can be as harmful as over-sharing – and patients should never be surprised by how their data is used.
- In domestic abuse: "says", not "alleges". And hide from online visibility.
- In police calls: ask what public interest they mean, and phone your defence union.
- SARs: one calendar month, free of charge.
- GP records after death: minimum 10 years under the NHS Records Management Code of Practice 2021.
- Document everything. Your notes are your defence.
Information governance, done well, protects the patient, the public, and you. Done badly, it ends careers. Read this page again the week before your AKT – and again before your first tricky phone call from the police. You'll thank yourself.
PLEASE MAKE SURE YOU/YOUR PRACTICE MANAGER IS USING THE DATA SECURITY AND PROTECTION TOOLKIT TO REPORT INCIDENTS TO THE ICO (INFORMATION COMMISSIONER'S OFFICE).