Legal basis of maintaining confidentiality: Keep it to yourself

Key points

  • Under common law, employers have a duty of confidence to employees, as do nurses to patients or clients.
  • A nurse can reveal anything with the consent of the employee.
  • If the employee refuses to give consent, the OH professional should not break confidence unless it is necessary to protect others. 
  • If a legal duty overrides the duty of confidence the nurse has no choice but to break the confidence.
  • The Information Commissioner, in the Code of Practice, states that OH records are, or should be, in the control of the OH department, not the employer.

The duty to keep secrets is both an ethical and a legal one. The Nursing and Midwifery Council in its Code of Professional Practice (2002) advises that: “To trust another person with private and personal information about yourself is a significant matter. The patient or client has a right to believe that this information, given in confidence, will only be used for the purposes for which it was given and will not be released to others without their permission”.1

The law of confidentiality is contained partly in common law, made by the judges when they set precedents in cases, and partly in statute, as laid down by Parliament.

Common law

The duty of confidence arises whenever there is a relationship between the parties which implies such a duty. So, for example, the common law duty of confidentiality exists between husband and wife, priest and penitent, employee and employer, and nurse and patient or client. OH professionals owe a duty of confidence to workers in employment and also to job applicants in respect of pre-employment screening.

A breach of the duty of confidence may give rise to a civil action in the courts for damages for financial loss. If, for example, a nurse reveals to HR, without the consent of the job applicant, the existence of a medical condition, and this leads to the applicant not being appointed, she might be liable. It is, however, acceptable to advise the employer that a person is unfit for the job without giving details, as long as the nurse has considered the possibility of adjustments to the physical environment or working practices that might make the appointment possible in the case of disabled employees.

There are a number of exceptions. The nurse is entitled to reveal anything with the consent of the employee. Consent must be freely given and must be informed; that is, the employee should be made aware of the fact that a report is to be made, for what purpose it is likely to be used, and what the report will contain. For that reason, it is good practice for the employee to be given a copy of reports to management and for the OH professional to obtain signed consent to their disclosure.

Strictly speaking, the Access to Medical Reports Act 1988 (which requires the employer to ask for the consent of the employee to obtain a report from a doctor who has been concerned with their clinical care, and to give them the opportunity to peruse it before it is sent to the employer) does not apply to reports by a nurse. Nevertheless, the need to obtain informed consent justifies disclosure to the employee, other than when a report is requested by a lawyer for legal proceedings, when it is covered by legal professional privilege and should be addressed only to the lawyer.

If the employee refuses to give consent, the OH professional should not break confidence unless it is necessary to protect others. In W v Egdell a consultant psychiatrist who had examined a violent patient confined to a secure mental hospital came to the conclusion that he should not be released.2 When his report was not submitted to the Mental Health Review Tribunal he sent it without consent to the medical director of the hospital and the Home Office. This was held by the Court of Appeal to be justified because of the potential danger to the public.

Revelations should not normally be made to the police or other public authorities unless the duty to protect others is paramount. If an employee is known to be in the habit of driving a car when intoxicated the nurse may be justified in reporting the matter to the DVLA if that is the only way of preventing the danger to the public.

Special regulations were passed in 1992 to assist in the collection of medical data for research and the maintenance of registers relating to cancer and communicable diseases, without first obtaining the consent of the individual to using data for this purpose. It is in the public interest that the incidence of disease be documented and epidemiological research undertaken. The regulations are the Health Service (Control of Patient Information) Regulations 2002 and are monitored by the Patient Information Advisory Group, responsible to the secretary of state for health. Research findings may only be published in anonymised form.3  

Occasionally, a legal duty overrides the duty of confidence and the nurse has no choice but to break the confidence. An obvious example is where a court or a tribunal has ordered a health professional to produce evidence for the purpose of legal proceedings. It is contempt of court to refuse. The nurse should ask for the order to be produced and not be misled by solicitors making vague indications that an order has been applied for. This is the law even where the employer is asking for its own OH records. 

However, the employee should be made aware that if they refuse consent to the production of records which are relevant to the case, it is likely that the court will order their production or refuse to continue with the action. In Hanlon v Kirklees Metropolitan Borough Council an employee alleged disability discrimination but refused to allow his OH records to be revealed to the employer.4 An employment tribunal ordered him to consent to their disclosure and struck out his claim for unreasonable conduct when he refused. This decision was approved by the Employment Appeal Tribunal.

If an employee agrees to be examined by an independent OH physician for the purpose of legal proceedings and consents to a report being given to the other side, the physician is entitled to give the report to the employer and the tribunal without further consent being requested (Kapadia v London Borough of Lambeth).5

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995 do not override medical and nursing confidentiality. OH professionals should not reveal that a worker has a disease listed under the regulations without the worker’s consent. The regulations only apply where there is a written diagnosis by a registered medical practitioner (often a GP).  If this does not exist, the employer has no duty to report to the Health and Safety Executive or local authority and cannot be in breach of the regulations.

Where a health professional is ordered by an employer to breach confidentiality, they have a right to refuse since this would be a breach of the law. An example was the case of Tracey Cooke v West Yorkshire Probation Board.6 Cooke is an experienced OH nurse who was ordered by the human resources manager to disclose a confidential pre-employment health questionnaire.  When she refused to do this without the consent of the job applicant the manager removed the file from the OH department when Cooke was absent at a conference. She asked for the assistance of the Royal College of Nursing, and an RCN representative explained the legal duty of confidence of a nurse to her employer. Shortly afterwards Cooke was dismissed. 

The Leeds employment tribunal held that the reason for her dismissal was that she had complained of her employer’s breach of the law, and awarded compensation for unfair dismissal even though at the time she had not worked a full year. She was classified as a “whistleblower”, an employee dismissed because she complained of her employer’s breach of a legal obligation, which counts as an automatically unfair dismissal under the Employment Rights Act 1996.

This ruling does not prevent the employer from sending out health questionnaires to job applicants which are clearly stated to be directed to managers rather than the occupational health department, but the Information Commissioner in Part 4 of the Employment Practices Data Protection Code: Information about Workers’ Health advises that assessment of the implications of a worker’s health on their fitness for work should normally be left to a suitably qualified health professional.7

Data Protection Act 1998

The Act controls the holding of personal data, defined as data which relate to a living individual who can be identified from those data or from other information in the possession of the ‘data controller’. Health records, meaning any record which consists of information relating to the physical or mental health or condition of an individual, made by or on behalf of a health professional in connection with the care of that individual, are covered by the Act whether in computer or manual form, or a mixture of both. 

The data controller is the person who determines the purposes for which and the manner in which personal data is to be processed. My view, and that of the Information Commissioner in the Code of Practice, is that OH records are, or should be, in the control of the OH department, not the employer. The commissioner states that compliance with the Faculty of Occupational Medicine’s Guidance on Ethics is likely to ensure that the requirements of the Data Protection Act are satisfied.

The data controller must notify the holding of personal data on computer to the Information Commissioner and pay an annual fee. It must also observe the data protection principles, the first of which is that personal data shall be processed fairly and lawfully. A breach of the common law duty of confidence is unlawful and thus also a breach of the Act.

Certain data are classified as sensitive and include information about a person’s physical or mental health or condition. Such data may only be disclosed to a third party where one of the conditions in Schedule 2 of the Act and one of the conditions in Schedule 3 of the Act are met. These are very complex, but in essence either the individual must give explicit consent to disclosure or disclosure must be necessary for medical purposes and undertaken by a health professional or a person owing an equivalent duty of confidentiality (for example a clerical worker with a duty of confidentiality in their contract of employment). Medical purposes include preventative medicine, diagnosis, medical research, the provision of care and treatment and the management of healthcare services. Sharing of confidential information among members of a team of health care workers, as in general practice, is permitted because the patient is deemed to have consented to this by implication. 

Other data protection principles entitle the individual to information about what data is held and for what purpose, entitle them to a copy of the data on payment of £50, and impose an obligation on the controller to keep data secure, and to ensure that it is accurate and up to date.

Human Rights Act 1998

In 2000, when the Human Rights Act came into force, the European Convention on Human Rights became part of UK law. This is the creation of the Council of Europe (different from the European Union) and the European Court of Human Rights in Strasbourg is quite separate from the European Union Court in Luxembourg.

A direct action can be brought in a UK court only against a public body, such as an NHS trust or a local authority, but the courts must take the convention into account in deciding claims against all kinds of defendants.

Article 8 of the convention gives the right to respect for private and family life, home and correspondence, and therefore supplements the common law of confidentiality, but it is not an unqualified right. Privacy may be justifiably invaded to prevent crime and disorder, to protect health and to protect the rights and freedoms of others. The provisions of Article 8 are therefore very similar to the common law of disclosure in the public interest.


1. Nursing and Midwifery Council (2002) The Code of Professional Conduct. London: NMC

2. [1990] 1 All ER 935

3. SI 2002/1438

4. (2004) EAT 0119/04

5. [2000] IRLR 699

6. (2004) ET 1800941/04

7. (2005) Office of the Information Commissioner, Wilmslow, Cheshire

Diana Kloss is a barrister, part-time employment tribunal chairwoman and author of Occupational Health Law, 4th edition 2005, (Blackwell)
