Disclosing records to third parties

If third parties request confidential patient information, or you want to share it with them, here's what you need to know first.

  • The decision to disclose records to a third party rests with the data controller of the practice or organisation.
  • Each case needs its own consideration.
  • Record fully any decision to share information in the patient's notes. Be prepared to explain and justify your decisions and actions.

Relatives and carers

You can share information with those helping to care for a patient, with the patient's permission.

If the patient is unable to give permission, you may share necessary information - provided it is in the patient's best interests.

Other healthcare workers

Patients should understand why and when information about them might be shared with others involved in their clinical care.

You should only share information on a 'need-to-know' basis, and you must respect a patient's objections to disclosure.

NHS bodies

Primary care organisations and the NHS business services authorities have certain rights to see NHS records for purposes such as verification and audit.

  • Dentists should comply with their lawful requests, but only subject to patient consent.
  • Some NHS claim forms include an authority to disclosure of records to the relevant NHS authorities.

Healthcare regulators

You may be required to disclose information to organisations such as the GDC, CQC, HIW, HIS, RQIA, the relevant ombudsman and Accountable Officers (controlled drugs).

  • Anonymised information can be provided in some circumstances, so seek DDU advice.
  • While the GDC may require a dental professional to produce patient records as part of its fitness to practise procedures, you should still seek the patient's consent to such disclosure.

Insurance companies and private dental funding schemes

When asked to submit reports to employers or insurers, you should seek permission and check if the patient wants to see the report before it is sent.

Explain to the patient the extent of the information to be disclosed, and that relevant information cannot be concealed or omitted.

Social services

Consent is usually required before disclosing information to social services.

There may be occasions when it is necessary to disclose information about a patient without consent, either because the patient lacks capacity and it is in the patient's best interests, or is otherwise in the public interest.

You should do everything you can to inform the patient when information about them is shared.

The police

The police do not have an automatic right to information about patients.

However, there are specific provisions that require disclosure, such as S172 of the Road Traffic Act 1988 and S38B of the Terrorism Act 2000.

Since 31 October 2015, dental professionals in England and Wales have had a legal obligation to notify the police if they discover that an act of FGM appears to have been carried out on a girl under the age of 18.

If the police have a valid court order, information should be released to them.

  • Information may be released to the police if it is in the public interest; you should be prepared to justify a disclosure made on this basis, so contact us for advice
  • If you have information that a patient is or could be at risk of significant harm, or you suspect they are a victim of abuse, you should ordinarily inform the appropriate social care agencies or the police.


Disclosure to solicitors, other than those acting for the patient, requires the patient's specific consent, unless the solicitors provide proof of a court order requiring disclosure.

Courts, tribunals and coroners/procurators fiscal

A judge and presiding officers at tribunals can make an order to produce confidential documents.

The coroner (or procurator fiscal in Scotland) has a right of access to a deceased patient's records.

HM Revenue & Customs

Tax inspectors have legal powers to obtain documents under the Finance Act 2008.

They may request any information it is reasonable for them to have to assist them in checking a taxpayer's position, but they must give notice in writing of the information they require.

When disclosing information for this purpose you would need to be satisfied that it is reasonably required, as the Act places limits on the disclosure of personal (ie, medical) information.

Publication, research and audit

Personal information cannot be published without a patient's consent.

Data for research must be anonymised, unless a patient has given consent.

Documents for financial audit and administration should be anonymised and kept separate from clinical records.

Appointment books and diaries

Disclosure of information contained in appointment books and diaries risks breaching the confidentiality of patients.


Before disclosing any confidential patient information to third parties, consider the following points.

  • Are you clear about the legal, clinical and ethical grounds of information-sharing where a request to release information has been made?
  • Where a decision to release information has been agreed or made, have you made sure that only the minimum information necessary is disclosed?
  • Are the names of other patients blanked out when diaries and appointment books are being disclosed?
  • Have all documents for your financial audit and administration been anonymised?
  • Has the data controller of the practice or organisation authorised the disclosure?

This page was correct at publication on 10/12/2021. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.


Login to comment

Be the first to comment