UK Care Reference

Records & Governance

Confidentiality and UK GDPR

Handling personal information lawfully and kindly: UK GDPR principles, sharing without oversharing, breaches, SARs and the 2025 Data Act changes.

Last reviewed 5 min read
In plain English

People receiving care hand over the most private facts of their lives — bodies, minds, money, families — because they must, to be cared for. Confidentiality is the promise that makes that bearable: what we learn to care for you is used to care for you, shared only with those who need it, and never becomes anecdote, gossip or content.

UK GDPR turns the promise into law with a handful of principles: use data lawfully, fairly and transparently; for stated purposes; keep it accurate, minimal, secure; and no longer than needed. Health and care information sits in the "special category" tier, which demands extra justification — in care, usually the provision of health or social care itself, not consent forms (consent as a legal basis is fragile where people depend on the service).

The everyday skill is proportionate sharing. The physio needs the mobility history, not the family dispute. The daughter with no legal authority gets warmth and general reassurance, not the record. And when safeguarding is in play, the rule reverses with equal force: information that protects someone at risk must flow — "confidentiality" has appeared apologetically in too many Safeguarding Adults Reviews as the reason nobody joined the dots.

The law
  • UK GDPR and Data Protection Act 2018: principles, lawful bases (Articles 6 and 9 — for care, typically 9(2)(h) health and social care provision), security, breach notification (serious breaches to the ICO within 72 hours), and data subject rights including access.
  • Data (Use and Access) Act 2025: the first major amendment to UK GDPR — phased commencement. Notable for care: a statutory footing for "recognised legitimate interests" (including safeguarding), a codified reasonable-and-proportionate standard for subject access searches with clock-stopping for clarification, required internal data complaints procedures, and information standards work for health and care IT interoperability. Check ICO guidance for what is in force at any given time.
  • Common law duty of confidence runs alongside statute; the Caldicott principles (eight of them) guide health and care sharing decisions — the eighth: inform people how their data is used.
  • Human Rights Act, Article 8: private life includes informational privacy.
  • Data Security and Protection Toolkit (DSPT): the NHS-linked self-assessment many providers complete annually, expected where services connect to NHS systems (and required for NHS mail and shared records access).
What CQC expects

Under Regulations 10 and 17, CQC expects confidentiality lived as culture: records stored and transported securely, screens locked, conversations about people held where others can't hear, staff clear on what they may share with whom, and personal phones kept out of care delivery. It looks for a nominated data lead, DSPT completion where applicable, breach logs with learning, and SARs handled within timescales. Discussing residents in cafés, group chats on personal WhatsApp, and photographs taken without consented purpose all feature regularly in enforcement and dismissal cases — assessors ask staff directly what they would and wouldn't share.

Good practice
  • Apply the need-to-know test before every share: does this person need this information to care for or protect someone? Share that much, no more.
  • Verify before disclosing: who is on the phone, what authority do they hold (LPA? court order? or just love and worry — which deserves kindness, not records).
  • Guard the physical layer: folders never visible in cars, handover sheets shredded not binned, printed rotas without full names where possible, screens angled and locked.
  • Breach reflexes: wrong-recipient email, lost diary, records left behind — tell your manager the same day. Early honesty usually contains harm; concealment always compounds it.
  • Route rights requests fast: SARs, corrections, complaints — to the data lead on the day received. Under the 2025 Act changes, timescales pause for clarification, but only if you actually ask for it.
  • Social media rule of one line: nothing about work identifiable to a person, family or incident — ever. "You'll never guess what happened at work" stories travel further than anyone intends.
  • Tell people how their information is used (privacy notices in accessible formats) — transparency is a legal principle, not a courtesy.
Everyday examples

Example 1. A hospital discharge coordinator phones a care home for "everything you have" on a resident being admitted. The senior shares the essentials for tonight's safe care — medication list, allergies, mobility and transfer method, communication needs, DNACPR status — and offers the rest through the proper records transfer. Need-to-know worked in both directions: the hospital got what protects him at 2am, and his forty-year-old family history stayed home.

Example 2. A care worker realises she left a client's visit folder on a bus. She phones the office within minutes, mortified. The manager thanks her, logs the breach, arranges the bus company recovery attempt, assesses the risk (name, address, medication list — real risk), informs the client and family with an apology, reports to the ICO within 72 hours given the sensitivity, and moves the service's folders to initials-plus-first-name format. Her same-day honesty is cited in the ICO's decision that the response was appropriate.

References — check the source

Reminder: Educational reference only. Nothing on this site is legal, clinical or professional advice. Guidance changes: always check the current official source before acting. Full disclaimer.