The national data opt-out does not apply to the disclosure of confidential patient information where the information is required by law or a court order.
Examples of disclosures required by law are summarised below.
- the Care Quality Commission, which has powers of inspection and entry to require documents, information and records – a code of practice sets out how the CQC can use these powers (Health and Social Care Act 2008);
- NHS Digital when using its section 259 powers to collect information when directed by the Secretary of State or NHS England (Health and Social Care Act 2012);
- the NHS Counter Fraud Service, which has powers to prevent, detect and prosecute fraud in the NHS (National Health Service Act 2006);
- investigations by regulators of professionals (e.g. Health and Care Professions Council, General Medical Council, or Nursing and Midwifery Council investigating a registered professional’s fitness to practise) (e.g. under the Medical Act 1983);
- coroners’ investigations into the circumstances of a death, that is if the death occurred in a violent manner or in custody (Coroners and Justice Act 2009);
- health professionals must report notifiable diseases, including food poisoning (The Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010);
- the Chief Medical Officer must be notified of termination of pregnancy, giving a reference number, date of the birth and postcode of the woman concerned (Abortion Regulations 1991);
- employers must report deaths, major injuries and accidents to the Health and Safety Executive (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013);
- information must be provided to the police when requested to help identify a driver alleged to have committed a traffic offence (The Road Traffic Act 1988);
- information must be provided to the police to help prevent an act of terrorism or prosecuting a terrorist (The Terrorism Act 2000 and Terrorism Prevention and Investigation Measures Act 2011);
- information must be shared for child or vulnerable adult safeguarding purposes (e.g. s.47 Children Act 1989);
- health professionals must report known cases of female genital mutilation to police (Female Genital Mutilation Act 2003)
- judge or presiding officer of a civil or criminal court can require disclosure of confidential patient information through a court order
- information required to be reported to HFEA for inclusion on the register of assisted reproduction and fertility treatments (Human Fertilisation and Embryology Act 1990
- some disclosures of information to ONS (please see Data flows to ONS for official statistics for further information of the impact of the national data opt-out on such disclosures)
- disclosure of information relating to transplant approvals and serious and adverse reactions notifications (Human Tissue Act 2004)
- responsible bodies including health boards, trusts and regulatory bodies are required to co-operate on the handling of, and acting on, shared information relating to the management and use of controlled drugs. (The Controlled Drugs (Supervision of Management and Use) Regulations 2013)
This is not an exhaustive list, so information governance and/or legal advice should be sought where necessary. Further details are available in Appendix 5: Information required by law or court order.
It should be emphasised that any legal requirement must set aside the common law duty of confidentiality. It should be noted that the exercise of a statutory function does not necessarily constitute a legal requirement for the disclosure of confidential patient information – organisations should always give due regard to the common law duty of confidentiality.