Common law of confidentiality

Why do I need to know about the common law of confidentiality?

  • ‘Common law’ is not written in statute, but established by court decisions over time.   Accordingly, use of sensitive patient data obtained in healthcare settings for research purposes, which the patient did not anticipate or authorise, could be found to be unlawful because such a use shares characteristics with the kinds of breaches of confidence that courts have judged unlawful.

  • However, a breach can be lawful if justified in the public interest.  So you need to know that if a strong case for a public interest in the research can be made, and / or measures taken to remove the sensitivity of the data then the research could be lawful.

Background

Under the common law individuals have a right to bring legal proceedings on the basis that the collection, use and disclosure of personal information is in breach of the obligation of confidence. Essentially the common law provides that anyone who receives confidential information must not disclose it without consent or justification. Although there are still some uncertainties surrounding the law in this area, in general it can be said that information is ‘confidential’ and thus protected by the common law if it can be shown that:

  • The information in question has the ‘necessary quality of confidence,’ i.e. it is not in the public domain and it has a measure of sensitivity and significance.
  • The information was communicated in circumstances giving rise to an obligation of confidence. This can be implied from, for example, the relationship between the parties, such as between doctor and patient. In less obvious circumstances the communication should be assessed in light of the content of the information and whether the subject of the information had a ‘reasonable expectation of privacy.’
  • There was an unauthorised use of the information.

However, while the common law does establish core principles, it does not specify the specific circumstances in which confidential information may be disclosed to others. This means that such decisions must be made on a case by case basis. Please see the guidance sections on confidentiality and public interest for more information on this.

Common law confidentiality and deceased persons

The common law duty of confidentiality extends to confidential information about deceased persons. In addition, access to the medical records of deceased persons is also covered by the Access to Health Records Act 1990.

The ‘public interest defence’

Confidentiality is not an absolute right. It has long been established that acting in the ‘public interest’ is a defence to an action for breach of confidence. Please see the guidance section on public interest for more information on this.

In addition, since the enactment of the Human Rights Act 1998 it is now necessary for the courts to take into account European case law relating to the justifications for interfering with the article 8 right to privacy.

Return to top of page