Common law duty of confidentiality
Reviewed by: Health and Care IG Panel
Common law is a form of law based on previous court cases decided by judges.
The common law duty of confidentiality means that when someone shares confidential information in confidence, you cannot disclose it without some form of legal authority or justification (a ‘legal’ or ‘lawful’ ‘basis’ in common law, not to be confused with a legal/lawful basis under UK GDPR).
In practice, this means you’ll need to get explicit consent from an individual before sharing confidential information collected about them when they were receiving care, unless there is another legal basis (also known as ‘setting aside’ the common law duty of confidentiality).
Important reminder: this form of consent is distinct from UK GDPR consent. If the person has died without giving consent, you cannot receive the information unless another legal basis applies. It is irrelevant how old the person is, or the state of their mental health; the common law duty of confidence still applies.
Before receiving confidential patient or service-user information, therefore, you will need to check that you meet 1 of the following legal bases:
- Consent, which may be implicit or explicit as follows:
  - Implied consent when no positive action is required (only relevant if you are a member of the direct care team, such that people would have a reasonable expectation of their confidential information being accessed by you)
  - Explicit consent (received from the patient to agree to the information being shared for research purposes)
- A legal obligation (set out in legislation or otherwise required by law, such as ordered by a judge) requiring the information to be shared
- Overwhelming public interest (this is exceptional and public interest can rarely provide a legal basis for sharing large volumes of information)
- A statutory authority or gateway that sets aside the common law duty of confidentiality: for example, support under The Health Service (Control of Patient Information) Regulations 2002 (known as ‘section 251 support’). Applications to process confidential patient information for medical purposes under its regulation 5 will be considered by CAG. CAG reviews applications to set aside the common law duty of confidentiality for research purposes under section 251 of the NHS Act 2006 in circumstances when obtaining consent to share confidential patient information is not practicable. CAG then advises the HRA, which in turn determines whether an application to process confidential information without consent should be approved
See guidance from the NHS Transformation Directorate on consent and confidential patient information for more detail.
You should also consult your organisation’s information governance team for advice.
Important reminder: The above legal bases relate to the common law duty of confidentiality only. These legal bases are different from the legal bases under UK GDPR. You should refer back to Step 4: Have a lawful basis for processing health and care data to determine which legal basis you should use to process data for research purposes under UK GDPR. You must also still comply with all other relevant legal obligations including data protection legislation and obtaining relevant research approvals before you start your research.