Abstract
Confidentiality and disclosure of information in the public interest present difficult dilemmas for healthcare practitioners and call for clear legal and regulatory guidance. The common law duty of confidence, and established exceptions to it, are shaped by medical practice and detailed guidance produced by the General Medical Council. Guidance issued by other healthcare regulators in a highly fragmented environment is at best unclear and at worst inaccurate. This article assembles and justifies a framework of evaluation against which regulators’ guidance can be assessed, focussing on the specific issue of when the duty of confidentiality can be set aside in the public interest. Comparison of statutory regulators’ guidance reveals wide variation which creates uncertainty for practitioners confused by inconsistency between guidance documents. The results of this analysis raise questions about the relationship between common law and regulatory guidance, in particular, whether it is appropriate to recognise different standards for different healthcare professions. This article argues that there is an opportunity to correct this anomaly and ensure appropriate consistency as part of a wider review of healthcare professional regulation.
Introduction
Confidentiality and disclosure of information are complex areas of professional responsibility, of interest to healthcare practitioners since antiquity. 1 Despite being one of the least litigated areas of medical practice, the British Medical Association (BMA) has received more queries relating to confidentiality than other areas of ethical concern, indicating professional uncertainty about legal and regulatory guidance. 2 Confidentiality is centrally important to therapeutic relationships 3 and has a clear basis in both utilitarian and deontological theories of ethics. 4 While classic codes of medical ethics describe the duty of confidentiality in absolute terms, 5 it is widely accepted that the duty is qualified and permits exception in the public interest. 6
Finely balanced decisions about whether public interest disclosure is justified are made by healthcare professionals, and although a decision is unlikely to be so urgent as to constitute a medical emergency, neither will all circumstances allow for a thorough examination with a full range of clinical, ethical, and legal texts and opinions available. These decisions can be challenged through the courts and fitness to practise hearings held by professional regulators. Hitherto, most decisions have been made by doctors, aided by comprehensive guidance written by their regulator, the General Medical Council (GMC). However, in recent years, the range of statutory regulation 7 has increased with non-medical health care professionals solely accountable for their decisions. The relationship between GMC pronouncements and the common law has been established for over 100 years, and with its guidelines for 50 years. 8 However, in the absence of case law involving non-medical regulated health care professionals, a key question for healthcare law and practice arises: Is disclosure by non-medical health professionals held to the same standards as in medical practice, or do different legal and professional standards apply?
This article examines this unanswered question by comparing the confidentiality guidelines of eight non-medical regulators against a framework reflecting medical practice in GMC and Department of Health (DH) guidance. Following contextual introductory information about medical confidentiality, professional regulation, and the role of standards and guidelines, the framework is introduced and defended with analysis of five questions for consideration by healthcare professionals contemplating public interest disclosure. The questions are applied to guidance from the statutory regulators, and inconsistencies identified. The article concludes with further discussion and recommended remedies.
Medical confidentiality and the law
In the United Kingdom, personal information is protected by the Data Protection Act 2018, the UK General Data Protection Regulation, and the Human Rights Act 1998. 9 In addition to these statutory frameworks, the common law duty of confidentiality has long been recognised 10 and can only be overridden in three circumstances: (1) with patient consent, (2) where disclosure is required by statute, or (3) where there is an overriding public interest. 11
Disclosure with consent, whether explicit or implicit, is least contentious and does not, strictly speaking, involve any breach of duty. 12 There has been no specific judicial analysis of the precise meaning of consent in this context. It might be assumed that the common law approach to informed consent 13 applies, although some have argued for the requisite information to be set at the same broad terms which would defeat a claim in battery. 14 While not the focus for this article, there is undoubtedly a lack of clear guidance on how individuals can effectively signal such consent to disclosure. 15 Examples of disclosures required by statute include the Road Traffic Act 1988 16 and the Terrorism Act 2000. 17 Doctors must also inform public health authorities of certain notifiable diseases 18 and healthcare professionals must disclose information when ordered by a court, or risk being found in contempt. 19
When patients lack capacity, decision-making on disclosure defaults to professionals acting in their patients’ best interests, according to the terms of the Mental Capacity Act (MCA) 2005. 20 In particular, Section 4(7) of the MCA requires that ‘anyone engaged in caring for the person or interested in his welfare’ should be consulted about the patient’s wishes and beliefs. The Mental Capacity Act Code of Practice further notes that ‘Healthcare and social care staff who are trying to determine a person’s best interests must follow their professional guidance, 21 as well as other relevant guidance, about confidentiality’. 22
This article is concerned with the specific question of disclosure of confidential information where there is no consent from a capacitous patient. This may arise when the patient is capacitous but unavailable or when the patient refuses a request for disclosure. In cases without capacitous consent, the complex judgement required of healthcare professionals is whether the wider public interest justifies or requires disclosure. The broad concept of public interest has been applied in three situations: (1) preventing serious harm to others, (2) preventing or detecting serious crime, or (3) enabling effective public health research. 23 The leading case is W v Egdell, 24 where the Court of Appeal agreed that disclosure of a psychiatric report on W, convicted of manslaughter by reason of diminished responsibility and detained in a secure hospital under the Mental Health Act 1983, was justified in the public interest. W, diagnosed with paranoid schizophrenia, was applying to a Mental Health Review Tribunal for a conditional discharge or transfer to a regional secure unit. Dr Egdell was commissioned by W to provide an independent psychiatric report which concluded that W remained a risk to the public and disclosed this to the secure hospital and the Secretary of State. The GMC guidance applicable at this time described disclosure in the public interest, citing the example of investigation of a ‘very serious crime’. 25 In deciding that there was a real risk of serious harm to others, the court concluded that the guidance accurately reflected the legal position and dismissed W’s claim for breach of confidence against Dr Egdell. 26
The issue of rules which ‘do not themselves have statutory authority’ 27 effectively becoming the legally enforced standard has long been considered problematic given the greater public scrutiny and debate generated by statutory reform. 28 In the recent case of ABC v St George’s Healthcare NHS Trust, 29 raising the issue of liability for failure to warn a relative about genetic health information, 30 the Court of Appeal noted that ‘The GMC Guidelines have evolved over time, taking account of developments in medicine and in the law. They are likely to continue to do so’ and that GMC guidance gives ‘practical advice on applying ethical and legal principles in practice’, 31 endorsing the view of the High Court in the same case which stated that ‘The standard of care will be measured by reference to the professional guidelines’. 32 Ultimately, regulatory guidance and the common law inform each other, but with a greater number of regulators operating with different rules and guidance, the symbiotic relationship between them becomes more complicated and uncertain.
Case law on confidentiality and other areas of healthcare practice has tended to orbit around medical practice, 33 and despite contemporary discourse emphasizing a multidisciplinary approach, medicine continues to be regarded by many as primus inter pares. Medical practitioners are often leaders of clinical services 34 referring patients to other professional services. 35 However, increasingly other healthcare professionals have their own caseloads and powers, including independent prescribing, and are required to make autonomous decisions for which they are alone accountable. 36 Deference to another occupational group has not been part of professional practice for many years, 37 and it would be unusual for a member of an independent profession to look for guidance written for a different profession, unless they are clearly directed to do so.
A short recent history of professional regulation
The twenty-first century has been a turbulent time for healthcare professional regulation following public inquiries into poor quality care 38 and the fallout from the mass murder perpetrated by Dr Harold Shipman. 39 Reforms which diminished the self-regulating status of professions were initiated by the white paper Trust Assurance and Safety published by the Labour government in 2007. 40 Following the 2010 election, the coalition government published Enabling Excellence 41 and asked the Law Commissions to undertake a simplification review of existing legislation on healthcare professional regulation. 42 Acknowledging that this would be a substantial body of work, this paper stated that the intention was to introduce legislation towards the end of the parliamentary term, in 2015. Although the report was delivered on time, and was followed by a ministerial commitment to legislate, 43 there was little further government action prior to the general election of 2015. In the interim, the Health and Social Care Act 2012 renamed the Council of Healthcare Regulatory Excellence 44 as the Professional Standards Authority for Health and Social Care (PSA), a new ‘meta regulator’ to monitor all health professional regulators 45 and ensure a form of ‘regulated self-regulation’. 46 The PSA monitors regulators in two main ways: (1) by undertaking annual performance reviews assessing regulators against standards of good regulation and (2) by examining final decisions of fitness to practise panels and appealing outcomes it considers are insufficient for protection of the public. 47
The Law Commissions’ remit was to consolidate existing legislation rather than rethink the entire system. It recommended a single statute to govern all healthcare professional regulation in order to improve consistency and remove ‘idiosyncrasies and inconsistencies in the powers and responsibilities of each regulator’.
48
Through several publications, the PSA advocated more radical reform, including a single professional register, common professional standards, and a reduction in the number of regulators.
49
Building on the Law Commission’s report and PSA proposals, a new DH paper for consultation, Promoting Professionalism, Reforming Regulation, was issued in 2017,
50
reporting in July 2019.
51
This paper reiterated that in most areas the Government’s position had not changed since the wide-ranging response to the Law Commission’s proposal and also recognised a role for regulators in promoting professional practice: There is more to regulation than fitness to practise. The regulatory system should also support the professional development of all registrants to ensure the workforce has the right skills and experience to deliver high quality care.
52
Current legislative intention for professional regulation, set out in a further response to consultation Busting Bureaucracy 53 and a White Paper Integration and Innovation, 54 consists of reviewing the detail of regulation, including numbers of regulators and professional groups requiring regulation, and extending the ability of Government to shape professional regulation through secondary legislation under Section 60 of the Health Act 1999. A further consultation on professional regulation, discussing proposed legislation mainly concerned with the structure and processes of regulators, was launched in March 2021. 55 While this might appear promising in terms of regulatory reform, progress has been subject to a number of false dawns over the last 15 years, which have been further exacerbated by delays caused by Brexit and Covid. Regrettably, Government responses to consultations have been much delayed and of low quality.
Standards and guidance
A principal function of healthcare professional regulators is setting professional and educational standards, including the writing of codes of ethics and/or conduct. 56 These documents have a number of purposes, including setting standards and requirements against which practice can be assessed in fitness to practise hearings. Indeed, in this context, regulatory codes are quasi-legal documents, articulating minimum standards, often prefaced by the declamatory ‘you must’, for example, from the Health and Care Professions Council (HCPC): ‘You must treat information about service users as confidential’. 57 This apparently simple instruction cannot capture the complexity of professional practice in relation to information disclosure, nor is it intended to. The Law Commissions found that their general nature meant that ‘the content of some codes of conduct can at best be described as vague and rhetorical’ 58 and noted three concerns about more detailed guidance supporting the standard-setting codes provided by regulators: overload and unnecessary duplication, uncertain legal status, and the quality and efficacy of guidance.
The proposal set out in the Law Commissions’ consultation document was that a new statute should regard the provision of explanatory guidance as a duty rather than a power because the issuing of such guidance is an essential part of the regulatory role. However, regulators could streamline the amount of guidance provided if they are satisfied that adequate guidance is already produced by a professional body. 59 The subsequent consultation analysis clearly states that an overwhelming majority agreed with this proposal: of the 46 responses received, 44 were in favour. 60 However, despite this near unanimous support for an unambiguous proposal, the final report and draft legislation reverted to a position where provision of guidance (as opposed to standards) should be a power and not a duty, a matter for individual regulators as they see fit. The discussion in the final proposal is not clear why the position, accepted in principle by the Government, 61 had changed. A further provisional proposal that the statute should provide for two distinct levels of guidance was not so readily received by consultees who considered it over complex, and in withdrawing this detailed proposal, the baby was thrown out with the bathwater. 62
The Government’s response to the consultation claimed that the ‘current approach generally works well because the regulatory bodies provide detailed advice which is tailored to particular situations, rather than being high level and therefore difficult to apply in practice’. 63 Some regulators, for example, the General Dental Council (GDC), 64 provide more detail within their codes about how the rules can be applied in practice, whereas the GMC distinguishes between a standard and guidance by use of different modal verbs, must and should. 65 ‘Should’ is used where an explanation is being provided or an overriding duty will not apply in all situations. 66 Other regulators are not so clear: The HCPC conflates standards and guidance by stating, ‘You must keep up to date with and follow the law, our guidance and other requirements relevant to your practice’. 67 The Nursing and Midwifery Council’s (NMC) response to the Law Commission’s consultation supported the proposal that regulators be required to issue guidance, but during the process of development of a new code of conduct this view changed and nearly all existing guidance was withdrawn, partly because the code was considered sufficiently detailed. 68 The analysis undertaken in this article challenges the Government’s assumption that the current approach generally works well in relation to public interest disclosure.
Framework for analysis
In order to construct a framework against which regulators’ guidance is compared, this article utilises three sources of benchmarking guidance on the issue of confidentiality: DH NHS Code of Practice on confidentiality, 69 its supplementary guidance on disclosure, 70 and the GMC guidance on confidentiality. 71 The comprehensive DH documents are explicitly concerned with practice within the NHS, applying, importantly, to all professional groups 72 and are ‘also relevant to anyone working in and around health’. 73 The NHS Code of Practice is not badged as guidance but refers to itself as ‘a guide to required practice’, a term which might be considered something of an oxymoron. The preface of the Code states that it 74
[. . .] has been published by the Department of Health following a major public consultation in 2002/2003. The consultation included patients, carers and citizens; the NHS; other health care providers; professional bodies and regulators. The guidance was drafted and delivered by a working group made up of key representatives from these areas. Endorsements from the Information Commissioner, General Medical Council, British Medical Association and Medical Research Council can be found on the Department of Health’s Confidentiality website.
The supplementary guidance ‘expands upon the principles set out with the Department of Health’s key guidance Confidentiality: NHS Code of Practice’. 75 The authorship and endorsement of this supplementary document are not so visible, but the two documents are considered together in this article.
The GMC was the first health professional regulator to issue confidentiality guidance, which is more detailed compared to other regulators and has been endorsed in court judgments. Importantly, on the points covered by the framework, these three documents are largely consistent with each other and together articulate an account of the legal position recognised by the courts and clearly apply to all healthcare professionals.
A framework of five key questions was developed by repeated close reading of the reference documents as they concern public interest disclosure and identifying key areas of practical importance for health professionals. It excludes issues of capacity and consent, which though complex are considered in detail elsewhere. 76 It is not claimed that the framework is exhaustive, but it is sufficiently detailed to provide an effective comparative assessment from the point of view of a professional seeking guidance from their own regulator. The questions are explained below with detail about how they are addressed by the reference documents, with a scoring system detailed in Table 1. The way that individual regulators answer the framework questions is detailed in Table 2, and brief synthesis of the findings follows.
Possible Scores for Framework for Assessment.
Assessment of Regulators’ guidance.
https://www.gmc-uk.org/registration-and-licencing/the-medical-register (accessed 6 November 2021).
https://www.gcc-uk.org/assets/publications/Annual_Report_2020_GCC.pdf (accessed 6 November 2021).
https://www.gdc-uk.org/docs/default-source/annual-reports/gdc-annual-report-and-accounts-2020c7d6bc84-c137-48b9-badc-11be21fb95c5.pdf?Status=Master&sfvrsn=1e06e4a8_2 (accessed 6 November 2021).
https://www.optical.org/download.cfm?docid=650C435B-06C7-4CE0-AE329BCB52CB5D22 (includes students and business registrants) (accessed 6 November 2021).
http://www.osteopathy.org.uk/news-and-resources/document-library/about-the-gosc/annual-report-and-accounts-2019-20/ (accessed 6 November 2021).
https://www.pharmacyregulation.org/sites/default/files/document/gphc-annual-report-2020-21.pdf (accessed 6 November 2021).
https://www.hcpc-uk.org/about-us/insights-and-data/the-register/registrant-snapshot-sept-2021/ (accessed 6 November 2021).
https://www.nmc.org.uk/globalassets/sitedocuments/annual_reports_and_accounts/2021-annual-reports/annual-report-2020-21 (accessed 6 November 2021).
https://www.socialworkengland.org.uk/media/4042/hc420-report-and-accounts-of-social-work-england-_final.pdf (accessed 6 November 2021).
Is public interest explained?
Public interest is discussed by the GMC: . . . there can be a public interest in disclosing information if the benefits to an individual or society outweigh both the public and the patient’s interest in keeping the information confidential . . . ‘ . . .such as from serious communicable diseases or serious crime’.
77
The DH Code of Practice: Supplementary Guidance states, . . . Exceptional circumstances that justify overruling the right of an individual to confidentiality in order to serve a broader societal interest. Decisions about the public interest are complex and must take account of both the potential harm that disclosure may cause and the interest of society in the continued provision of confidential health services.
78
Evaluating where the public interest lies involves much more than weighing consequences in a specific case; additional weighting is required to account for the public interest in maintaining a confidential health service. Indeed, in the case of W v Egdell, Bingham LJ rejected the trial judge’s focus on W’s private interest in confidentiality, which ‘should not be allowed to obscure the public interest in maintaining professional confidences’. 79 The rationale for this is that if the threshold for disclosure is too low, patients would be discouraged from sharing information within consultations, to the detriment of their own and public health, and in practice this additional weighting in favour of maintaining confidentiality requires nuanced thinking from practitioners. The framework assesses regulators’ guidance as explaining public interest fully only if it includes consideration of the additional benefit of maintaining confidential practice.
Is the nature and level of harm to be avoided explained?
The justification for public interest disclosure is the avoidance of harm. Harm is clearly a major concept for many applications of medical law, not least the most famous Hippocratic idiom of all: primum non nocere. Despite the central importance of this concept, even the classic Millian ‘preventing harm to others’ 80 is vague about the nature of harm, and other definitions, such as Feinberg’s used in relation to criminal law, that harm [is] ‘the thwarting, setting back or defeating of an interest’, 81 are so wide-ranging as to be of little practical value. Where ‘harm’ is defined in statute, it is similarly open to interpretation. For example, the Children Act 1989 definition that ‘harm means ill-treatment or the impairment of health or development’ 82 was significantly amended by the Adoption and Children Act 2002 83 by the addition of ‘including, for example, impairment suffered from seeing or hearing the ill-treatment of another’. In W v Egdell, 84 the Court of Appeal weighed up the competing private and public harms of whether or not to disclose confidential information. The concept of harm does not feature explicitly in the judgement, perhaps because the facts of the case established an obvious risk of serious harm (W had killed five and wounded two people and thrown homemade bombs from his car.) In relation to the reasons for justifying disclosure, a strict reading of the case would limit this to preventing physical harm to others, given the repeated reference to public safety in the judgement. However, it is arguable that this should also include the related psychological harm that disclosure could prevent. 85
Reference to both physical and psychological harm can be found in the GMC guidance 86 which requires doctors to consider the potential harm or distress to the patient whose confidentiality is breached, as well as potential harm to trust in doctors generally caused by a perception of readiness to disclose. In addition, the justification to prevent and detect serious crime might include significant financial or property theft which could be understood to include harm outside harm to health – physical and psychological. Although this article cannot hope to settle these points, we can note that while disclosure can be made to prevent harm to others, this harm must be sufficiently serious to override both the specific disclosure and the general public interest in maintaining trust that professionals will not disclose confidential information. Both the GMC and DH make this clear by the repeated use of the word ‘serious’: 87
For example, disclosure may be justified to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.
Guidance which fails to make this clear with consistent use of the word ‘serious’ is assessed as inconsistent with the reference documents, as setting the threshold for disclosure too low.
Is the intended beneficiary of disclosure explained?
Respecting autonomy is perhaps the most important principle in Western bioethics, 88 generally requiring non-interference, even where healthcare professionals believe that a patient’s wishes do not serve their best interests and even when they are considered harmful or even fatal. This is so firmly established in healthcare ethics and law as to need no further justification here. 89 In practical terms, the principle of respecting autonomy is reflected in the process for seeking consent to treatment and in the possible torts of battery or negligence. 90 A patient declining a request from a health professional to disclose information, in the interests of that patient, is analogous to declining treatment, although as Cave notes, the analogy does not extend to equivalence: consent is stronger as a defence to bodily invasion than to information disclosure. 91 However, breaking a confidence without consent because the professional thinks it in the patient’s best interests is equally paternalistic.
In contrast, while disclosure without consent might violate the autonomy of that patient, this is justified in order to prevent harm to others, drawing on Mill’s famous conceptualization. 92 Consideration of the nature and extent of preventable harm to others required to justify disclosure can be finely balanced, but in order to avoid paternalistic disclosure it is necessary to make the distinction between the patient and others, as clearly set out in GMC guidance: 93
You should, however, usually abide by the patient’s refusal to consent to disclosure, even if their decision leaves them (but no one else) at risk of death or serious harm.
The guidelines use the caveat ‘usually’ but set a high threshold for disclosure, albeit one that can be reached in unspecified circumstances. Cave details the evolution of GMC guidance detecting a trend in the decades either side of the millennium towards a more restrictive public interest test, bucked, she suggests, by the 2009 guidance. 94 Since Cave’s paper, the GMC has again updated its guidance, with modifications which appear to re-emphasise the high threshold. The distinction, signposted by headings, between disclosure to protect the patient and disclosure to protect others is maintained. 95 In the 2017 version, an extra heading ‘the rights of adults with capacity to make their own decisions’ is added and the addition of ‘or death’ (emphasis added) to serious harm further confirms this very high threshold. Even if the guidance stops short of saying that disclosure is never justified solely in the interests of a patient with capacity and fails to give an indication of circumstances where disclosure is justified, it is nevertheless clear that even the risk of death of the patient is usually insufficient. 96
The paradigm case of death by suicide is not directly addressed in the GMC guidance, but there is a footnote directing readers to the DH consensus statement: Information sharing and suicide prevention. Consistent with GMC guidance, this states that 97
It is clear that, where the common law duty of confidentiality applies, practitioners will usually be under a duty to respect a person’s refusal to consent to disclosure of their suicide risk, if the person has the relevant capacity and they do not pose a risk to anyone but themselves.
The statement goes on to suggest reasons where disclosure might be made. First, where there is imminent risk of suicide, it is suggested that there may be doubts about patients’ mental capacity, and so a refusal to allow disclosure can be overridden without disregarding patient autonomy. Second, it is suggested that public interest disclosure could be used because suicide has a far-reaching impact on others. This might be taken to mean the effect on grieving family and friends, but the example given concerns the method rather than the fact of the suicide attempt. An example of this might be the harmful psychological effects of suicides on train drivers. 98 These examples do not suggest areas where unconsented disclosure in the patient’s interest is justified, offering instead reasons supporting the maintenance of confidentiality for competent patients harming only themselves. The patient’s interest, alone, is not sufficient. The DH guidance is equally clear: 99
However, an individual’s best interests are not sufficient to justify disclosure of confidential information where he/she has the capacity to decide for him/herself. There has to be an additional public interest justification, which may or may not be in the patient’s best interests.
Arguably, there is a difference in emphasis in these different guidelines. The GMC and the consensus statement on suicide prevention both use the caveat ‘usually’ when guiding professionals not to disclose information from a capacitous patient. Though not explicitly addressed in the GMC guidance, Cave
100
suggests that the caveat protects patients with capacity as defined by the MCA, but who are under duress or coerced, while the DH guidance on disclosure can be read as more restrictive, with no caveats. However, of key importance for the analysis undertaken in this article, the reference documents are consistent to the extent that preventing harm to the patient and preventing harm to others are not part of the same consideration. Guidance failing to make the distinction, suggesting that disclosure can be justified equally to prevent harm to the patient
Is disclosure to prevent or detect serious crime explained?
Disclosure is required under specific statutes, but also justified more generally in the public interest in order to prevent or detect some crimes. The GMC states that 102
Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.
DH guidance documents support the distinction between crime and serious crime, and while a definitive list is not possible, some detail is given: 103
The definition of serious crime is not entirely clear. Murder, manslaughter, rape, treason, kidnapping, child abuse or other cases where individuals have suffered serious harm . . . ‘Serious crime’ is not clearly defined in law but will include crimes that cause serious physical or psychological harm to individuals . . .
Guidance failing to use the word ‘serious’ when discussing crime is assessed as being inconsistent with the reference documents
Is safeguarding explained?
In England, the Care Act 2014 places a statutory duty on local authorities to act upon concerns in relation to a person at risk of abuse or neglect because of their need for care or support. Section 45 of the Act requires that a person from whom information has been requested by a Safeguarding Adults Board Review ‘must comply with the request’ if certain criteria relating to the purpose of the request are met. The Explanatory Notes to the legislation 104 refer to a general practitioner (GP) who provided medical advice or treatment to an adult who is the subject of a review. NHS England has a safeguarding policy which states that professionals should refer to their own professional (sic) body’s advice regarding information sharing, 105 but the examples given relate to regulatory rather than professional bodies including the GMC’s advice on protecting children and young people, and the NMC Code, which does not contain advice and never has. The policy states ‘seven golden rules’ for information sharing, including: 106
Information sharing should be by consent where appropriate, and, wherever possible, respect the wishes of those who have not consented to share confidential information. Information may be shared without consent if it is believed, based on the facts of the case, that lack of consent can be overridden in the public interest.
Despite the provisions of Section 45, this clause appears to rely on public interest, but there is no further explanation of how this is to be considered. The following clause in the NHS policy appears clearer in stating that the interests and well-being of the individual should be considered, although they are not determinative: 107
It is important to consider the safety and well-being of the individual concerned, as well as others who may be affected by their actions.
GMC guidance on safeguarding for adults is consistent with its general guidance on confidentiality. A link to a case study at the bottom of the web page entitled ‘Should a doctor disclose evidence of abuse without the patient’s consent?’ 108 linking to the confidentiality guidance gives the answer that the patient’s decision should be respected, even though the doctor considers that the patient may be left at risk of serious harm, maintaining a high threshold for disclosure. However, a link on the GMC adult safeguarding webpage leads to the Social Care Institute for Excellence which appears more concerned that 109
Some frontline staff and managers can be over-cautious about sharing personal information, particularly if it is against the wishes of the individual concerned. They may also be mistaken about needing hard evidence or consent to share information. The risk of sharing information is often perceived as higher than it actually is.
This resource also suggests that a capacitous patient’s refusal to allow disclosure can reasonably be overridden if ‘they may be under duress or being coerced’. 110 Cave offers a detailed analysis on this point, concluding that a person’s autonomous decision-making ability impaired by duress falls outside the definition of incapacity in the MCA, and a decision to disclose confidential information against the wishes of, but in the interests of, a patient is a jurisdiction limited to the High Court. 111 Guidance suggesting that a healthcare professional can make this decision risks advising unlawful disclosure. 112 Safeguarding vulnerable adults is clearly a special case requiring additional ethical considerations and legal frameworks in the four UK countries, and while much of the discussion here relates to the profession of Social Workers, adult safeguarding is clearly a significant issue for all health care practice. As far as the framework of assessment for this article is concerned, the question is whether the specific provisions of safeguarding have been fully explained.
Framework assessment of regulators’ guidance
Detailed application of the framework to individual regulators can be found in Table 2 and supplementary files. There is a large variation in size between regulators, from the General Chiropractic Council (GCC) at just over 3,000 to the NMC which, at over 700,000 registrants, is responsible for over 40% of the total registered healthcare workforce. The issue of confidentiality applies to all and is recognised in codes and standards. With the exception of the NMC, all regulators provided extra guidance although this is of variable quality. Surprisingly, few linked or referred to DH guidance, 113 and only the GCC provides a link to GMC guidance. Almost all regulators fail to inform registrants about which statutes require disclosure, with only the GMC providing a list.
All regulators, with the exception of Social Work England (SWE) and the NMC, attempt to explain public interest, but the important general public interest in maintaining confidential health services is omitted by all except the GMC and the GCC. There is, therefore, a risk that registrants guided to considerations on disclosure only as they apply to an individual patient may apply a lower threshold.
The level of harm to be avoided is generally not made clear by regulators. The GMC and DH guidance is clear that harm must be serious. Some regulators, for example, the GCC, are inconsistent in their use of the word ‘serious’, while others such as the GDC and General Osteopathic Council (GOsC) refer to serious risk instead of serious harm. This is curious as assessment of risk commonly includes consideration of both impact and likelihood. In risk management, the word ‘risk’ refers to the likelihood of a hazard causing harm, and so a serious risk might be taken to mean that the harm is likely rather than its consequences severe. 114 The HCPC Standards document refers to harm instead of serious harm, 115 but additional guidance from the same regulator differs on this point, stating that public interest disclosure might be in ‘circumstances where disclosing the information is necessary to prevent a serious crime or serious harm to other people’. 116 None of the guidance documents elaborate on the nature of the harm.
An area of significant concern is that many regulators fail to make clear the differences between public interest disclosures to prevent harm to others and to prevent harm to the patient. In some guidance, these two quite different considerations are conflated, with the result that patient-benefitting considerations allow paternalistic disclosure at too low a threshold. For example, the HCPC advice is contradictory between its documents. Their standards state that ‘You must only disclose confidential information if: 117
you have permission;
the law allows this;
it is in the service user’s best interests; or
it is in the public interest, such as if it is necessary to protect public safety or prevent harm to other people’.
The ‘or’ at the end of the third clause above implies that only one of the bullet pointed criteria needs to be met in order to justify disclosure. The standard clearly states that disclosure must be made in the service users’ best interests, inconsistent with both the GMC and DH guidance, but the additional guidance document does not mention a capacitous patient’s best interests and refers to serious harm. 118 The GDC states that ‘In exceptional circumstances, you may be justified in releasing confidential patient information without their consent if doing so is in the best interests of the public or the patient’. 119 The GOsC, General Pharm Council (GPhC), NMC (in its Code), and SWE all fail to make the distinction clear.
Disclosure to prevent serious crime is discussed in some documents, but others fail to make the distinction between crime and serious crime or use the word ‘serious’ inconsistently. The GPhC has two references to crime, one accompanied by the word ‘serious’ and one without. Other regulators, for example, the GDC, are consistent in their use of the word serious but have no detail to assist registrants in their application of the word. The GCC does not mention serious crime but instead uses the example of not informing a patient of a disclosure where he is a suspect in a criminal investigation.
Safeguarding is a serious and specific issue, and all regulators discuss this albeit some discussions lack depth. Only the GMC and the GDC have additional guidance, and the GDC guidance lacks detail. The GPhC has links to an in-house journal article which gives some information and case studies and provides links to government safeguarding guidance from the four countries of the United Kingdom. 120 The NMC and SWE provide very little detail other than the most general statements in their codes of conduct.
As demonstrated by application of the framework for analysis, apart from the GMC, none of the health professional regulators surveyed produced documents which are fully consistent with the reference documents. Generally, the regulators’ positions as expressed in their codes and guidance tend to set a lower threshold than the reference documents by failing to use the word serious prior to ‘harm’ – for both crime and harm to others, and also by allowing public interest disclosure in the best interests of the patient. In both of these circumstances, the documents permit disclosure at a significantly lower threshold than the reference documents allow, representing a serious departure from the common law.
Two regulators which account for almost half of registered professionals in the United Kingdom, SWE and the NMC, are particularly poor. SWE is the newest regulator, only separating from the HCPC in 2019. Its code is unclear and the single guidance document which covers all standards adds very little. 121 There is a professional body, the British Association of Social Workers (BASW), which describes itself as a ‘professional membership organisation’ which provides no guidance on confidentiality, although there are links to some external documents including the Social Care Institute for Excellence. 122 There is also a Code of Ethics dating from the time when social work was regulated by the HCPC. This document has some information about confidentiality but defends disclosure on the basis of ethical rather than legal factors which are unclear. 123
Previously, the NMC published a range of guidance, but this was removed in 2015 with the publication of a revised code because the Council considered it unnecessary. 124 Their code, like all others, covers confidentiality but somewhat confusingly. Clause 5.4 states that ‘you must share necessary information with other health and care professionals and agencies only when the interests of patient safety and public protection override the need for confidentiality’. 125 This statement appears to exclude disclosure to individuals and agencies outside health care and social care and states that justification for a breach is ‘patient safety and public protection’, implying that both elements are required to justify sharing information. A further section is prefaced by the statement that you must ‘Raise concerns immediately if you believe a person is vulnerable or at risk and needs extra support and protection’. Although it is not overtly stated, presumably this section refers to safeguarding and requires registrants to ‘share information if you believe someone may be at risk of harm, in line with the laws relating to the disclosure of information’. 126 The laws are not specified, and the harm is not ‘serious’. The webpage entitled ‘safeguarding’ states that ‘We’ve removed the safeguarding toolkit and resources from our website. This is because it’s not within our remit as a regulator to provide this type of guidance on specific practice related issues’. 127
The professional bodies for Nurses and Midwives do not provide specific guidance on confidentiality. There is nothing on the Royal College of Midwives website, and although there is a webpage entitled ‘confidentiality’ at the Royal College of Nursing website, 128 it simply provides links to the NMC Code, which contains no guidance, the DH Confidentiality Code of Practice, and the Health and Social Care Information Centre (HSCIC) 129 with the instruction to search for ‘confidentiality’. After some searching, the HSCIC guide to confidentiality in health care and social care and a further document of references can be located.
Discussion
Taken together, these assessments support the Law Commission’s view that the quality of some health professional regulatory guidance is poor. Where it is provided, guidance frequently misrepresents the law as explained in the reference documents used in this article. Remarkably, a large number of registered healthcare professionals have no readily available access to any guidance on confidentiality from the organizations which regulate them, represent them, or promote their professional practice. The results of the analysis undertaken in this article raise serious issues about the accuracy and consistency of professional guidelines, specifically their relationship with the common law and their impact on professional practice and education. It also raises an important general point about the quality of professional regulation, especially in relation to the issuing of guidance.
Professional guidelines and common law
The DH Code of Practice is clear that its provisions, which arguably set the highest threshold for disclosure of the reviewed documentation, apply not only to all professionals but also to all staff. However, the inconsistency between published guidance from different health professional regulators revealed by this analysis raises an important issue about the precise application of the common law on confidentiality. Strictly speaking, the decision in W v Edgell, in interpreting (and endorsing) guidance published by the GMC, only applies to medical professionals. The common law duty of confidence clearly exists independently from the guidance of health professional regulators. That is, the duty of confidentiality and justified departures from it draw their ultimate authority from the law and not professional regulation. However, in terms of identifying the scope of the duty and exceptions to it, the relationship between the common law and professional regulation is of greater importance and creates some uncertainty about what standards different healthcare professionals would be held to – the common law (as significantly informed by GMC guidance) or the guidance of their own regulators (which is different).
This uncertainty is not just of academic and legal interest but could present problems in practice. The purpose of guidelines, understood more widely as part of evidence-based healthcare practice, is to guide and inform practice not to direct it. 130 Issues of confidentiality are complex, and a close reading of the reference documents, which inform and guide healthcare professionals to make decisions, identifies examples of caveats such as the word ‘usually’. 131 Even in the specific guidance provided for doctors by the GMC, there is no detail about what ‘unusual’ circumstances might justify disclosure, and neither is there an extensive resource of case law so that a health care professional is able to predict with confidence how they might be called to account for their decision. The primary purpose of the guideline is to assist practitioners in making ethical and lawful decisions, not to act as the authoritative resource to decide, long after a difficult decision is taken, whether the law or a professional code has been violated. However, guidelines are highly likely to be consulted in court or at a fitness to practise hearing in the event of a decision being contested. 132 The internal inconsistency in documents from a single regulator, inconsistency between documents applied to a single regulator, and the wholesale absence of guidance altogether could all prove deeply problematic prospectively and retrospectively.
Could a registrant of the GDC face an action for breach of confidence based on unjustified disclosure as understood in the DH and GMC documents, despite following the standards and guidelines provided by their professional regulator? What of the HCPC registrant who followed their standards but not their guidance? Or the registered nurse who has no specific guidance at all provided by their regulator or professional body? Where disclosure decisions are taken jointly within multidisciplinary teams, which professional guidance will be used to justify a decision, and which would be referred to by the Court? While it is likely that judges would be reluctant to rule against professionals who act in line with the guidance of their own professional regulator, nevertheless, where this is inconsistent with the common law, this risk cannot be discounted. At the very least, such uncertainty is undesirable from the perspective of practitioners faced with difficult disclosure dilemmas and from patients unsure how their information might be disclosed.
Or should the law permit different standards for different professions? This may sound problematic, but one area where different practices might be appropriate is in terms of the public interest in maintaining confidential services. It could be argued that there is a weaker public interest in maintaining a confidential service in respect of professionals who do not treat the whole person but rather a single condition of part of the body, for example, osteopaths. 133 In this case, different standards of practice could be justified, accounting for the generally lower threshold for disclosure from regulators of healthcare professional groups outside medicine. The relationships between patients and different categories of health workers, including professionals, are not identical, and it is unknown whether patients expect the same level of confidentiality in relation to disclosure from a doctor or a podiatrist, for example, or whether the apparent difference in regulatory regime is understood. 134 In the absence of clearly written guidelines for all professionals, similar in quality and extent to the GMC guidelines, settling the question about what standards non-medical healthcare professionals are to be held to will require a series of cases or legislative review. A more pragmatic alternative would be for each regulator to review and revise its guidance to ensure it accords with the common law, or if not, to clearly justify reasons for difference.
Impact on professional practice and education
Regulators’ professional guidelines are very important documents, used in practice and teaching and contributing to important benchmarks for ethico-legal decision-making and professional identity. Registrants and students are entitled to have confidence in their regulators to provide detailed and accessible documents to guide their practice. 135 The low threshold for disclosure articulated by many of the guidelines reviewed represent a paternalistic approach to overruling competent wishes of patients which conflict with fundamental philosophical and stated policy imperatives emphasizing patient autonomy, the importance of which has been recently re-emphasised by the UK Supreme Court in relation to information giving prior to consent. 136 Unjustifiably equating considerations of benefit – or avoiding harm – to patients and others over-simplifies a complex and important distinction which is maintained elsewhere, 137 and it is unclear from simply reviewing the published guidance whether regulators intend the subtle distinctions revealed by close reading or whether they are simply errors. Healthcare professionals and educators are entitled to clarity on this point, but more importantly, without this clarity, patients will have little confidence in the standards of practice of those treating and caring for them
Role and quality of professional regulation
The framework used in this article has identified inconsistency in the amount and content of guidelines on the narrow question of public interest disclosure. Though this is of interest in its own right, it also raises questions about the quality of guidelines issued in other areas of professional practice. Recently revised Standards for Good Regulation
138
detail the PSA’s ‘expectations about the outcomes it requires from regulators and their approach to their work’. These note that ‘The Standards are informed by the Authority’s principles of good regulation which states that regulators should act in a way which is [. . .] consistent’.
139
This consistency in purpose is recognised in enabling legislation yet with significant differences in interpretation.
140
The standards are used during performance reviews of the 10 overseen regulators. Standards six and seven state that
All of the statutory regulators whose guidance has been evaluated have been assessed by the PSA as meeting the Standards for Good Regulation. The regulator with the poorest record on guidance, according to the assessments in this article, is the NMC which was last reviewed in 2019–2020. In that review, 141 much of the commentary about guidance concerns developments made necessary by the Covid-19 pandemic. The standard was judged met.
There is nothing in the legislative framework 142 of the PSA which identifies that its function includes the provision of guidance of a general nature, but a small number of documents are provided, produced by its predecessor, the Council of Health Regulatory Excellence. 143 The Law Commissions Report envisaged a role for the PSA in regulating guidance: 144
However, we do consider that the Professional Standards Authority, through its duty to promote co-operation, should play a role in identifying areas where a common or shared approach by the regulators might be useful in relation to the issuing of codes and guidance The solution to this lies in greater joint working (including joint guidance where appropriate) and the Professional Standards Authority identifying such discrepancies
In relation to the specific issue of the reliance of implied consent for the sharing of information, the Information Governance Review 145 recommended that the professional healthcare regulators should agree and publish guidance, commissioned by the PSA. This was not undertaken.
There are remedies available. Outside legislative reform, the statutory regulators, guided by the PSA annual reviews, should review their guidance on confidentiality to ensure that it is consistent with the reference documents. This should, at minimum, refer to the reference documents which, it is clear, apply to all professional groups. Our findings in this article demonstrate that the quality of regulators’ guidance in relation to public interest disclosure is in some cases poor, and it cannot be assumed that other areas of guidance accurately represent lawful professional practice. From the perspective of a healthcare professional, poor quality and inconsistent guidance impairs practice, and findings of fitness to practise panels which refer to inaccurate guidance in any area of professional practice could result in appeals to the High Court. 146 The PSA is clearly highly influential here and should instigate, with appropriate regulatory and professional bodies, a review of the provision of professional guidance. Guidance on general matters, those which apply to the professional practice of all registrants, could fall within the jurisdiction of the PSA, and this could be extended to cover other professions currently lying outside statutory regulation, for example, psychotherapists, whose practice in the United Kingdom is guided by over 40 Codes of Conduct. 147 Public consultation on which aspects of confidentiality can justifiably differ between professional groups should be augmented by academic research.
The specific issue of guidance on public interest disclosure is an example of a wider problem. The UK Government is currently undertaking further reviews of professional regulation, and while the provision of guidance, shelved by previous reviews, does not feature in legislative intent, the provision of guidance should be reinstated with the requirement that guidance should be a duty and not a power of regulators, as recommended by the Law Commissions. This is not inconsistent with PSA proposals for a single professional register and core standards and would ensure greater consistency across professional groups in relevant areas of professional practice and would require legislation. The draft legislation produced by the Law Commissions, and accepted in principle by the Government, should be reviewed and revised to take account of the PSA recommendations.
Conclusion
Confidentiality is critically important to the effective functioning of trusting therapeutic relationships. This has long been reflected in classic codes of medical ethics, even if the call for an absolute duty has never been realistic or desirable. The tension between respecting privacy and preventing harm has informed the development of the common law duty of confidentiality and permitted public interest disclosures. In W v Egdell, 148 the Court of Appeal endorsed the applicable GMC guidance in justifying disclosure to prevent real risk of serious harm to others. As with other areas of medical law,courts have utilised the guidance of professional regulators in framing the detail of legal duties. The lack of confidentiality case law since Egdell might suggest a clear and settled area. However, when examined against specific GMC and DH guidance, and with reference to five key questions, guidance from eight health professional regulators reveals significant and unexplained differences which create uncertainty for practitioners. A significant number of healthcare professionals have no detailed guidance on confidentiality from their own professional regulators or professional bodies. This failure to guide practitioners in their application of a complex and important area of law could lead to errors which could harm patients and professionals, as well as public confidence in the regulatory regime which has allowed this unsatisfactory position.
While the legally prescribed purposes of health professional regulators are clearly articulated, there is wide variation in interpretation, and the competence with which they are caried out is not assured, to the detriment of professional practice and public confidence. In the examples discussed here, these shortcomings are not addressed by professional bodies. A half-hearted approach from Government to regulatory reform has contributed to a lacuna in the legal framework of practice, and patients and professionals are entitled to expect that this is filled with clear and appropriately consistent guidance. Two key proposals would go some way to addressing this situation. First, as set out by the Law Commission, a new unifying statute for health professional regulators should regard the provision of explanatory guidance as a duty rather than a power. Second, the PSA should assume a greater role in the provision of guidance, be clearer about expectations, and be more robust in its reviews of regulators. This seems especially important given the current direction of regulatory reform with its emphasis on upstream regulation and the promotion of professionalism. These suggestions can be addressed through legislation and should include, as suggested by the Law Commissions, collaboration with professional bodies, whose current performance can only be addressed, if they see fit, by their members. Without correction, the current position of inconsistency in confidentiality guidance maintains the risk of unlawful professional practice being encouraged, to the detriment of patients and professionals.
Supplemental Material
sj-docx-1-mil-10.1177_09685332221079124 – Supplemental material for Confidentiality and public interest disclosure: A framework to evaluate UK healthcare professional regulatory guidance
Supplemental material, sj-docx-1-mil-10.1177_09685332221079124 for Confidentiality and public interest disclosure: A framework to evaluate UK healthcare professional regulatory guidance by Paul Snelling and Oliver Quick in Medical Law International
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
Supplemental material
Supplemental material for this article is available online.
Notes
Supplementary Material
Please find the following supplemental material available below.
For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.
For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.
