D5. You must respect your patients’ rights to privacy and confidentiality, and maintain and protect patient information effectively.


  1. Maintaining patient confidentiality includes:
    1. keeping confidential your patients’ identities and other personal information, and any opinions you form about them in the course of your work
    2. ensuring that your staff or anyone else attending your clinic in a professional capacity (for example, students of osteopathy, potential students or peers) keep such information confidential
    3. ensuring that the information is kept confidential even after the death of a patient
    4. not releasing medical details or information about the care of a patient to anyone – or discussing such information with anyone – including their spouse, partner or other family members, unless you have the patient’s consent to do so (see standard D5(7) and standard D5(8) below)
    5. taking appropriate measures to ensure that that such information is securely protected against loss, theft and improper disclosure.
  2. Patients are entitled to obtain copies of their notes and, if such a request is made, you must comply with this in accordance with relevant legislation and good practice.
  3. Management of patient information

  4. You should have adequate and secure methods for storing patient information and records. Patient records should be kept:
    1. for a minimum of eight years after their last consultation
    2. if the patient is a child, until their 25th birthday.
  5. You should have a written policy regarding retention, transfer and disposal of patient information and records, which should include whether it is your practice to retain them beyond eight years, or, in the case of a child, beyond their 25th birthday. Your patients should be made aware of this.
  6. You should make arrangements for records to continue to be kept safely after you finish practising, or in the event of your death or incapacity. Patients should know how they can access their records in such circumstances.
  7. You must comply with the law on data protection and associated legislation. For further information on data protection, please refer to the website of the UK Information Commissioner’s Office.
  8. Disclosure of confidential information

  9. There may be times when you want to ask your patient if they (or someone on their behalf) will give consent for you to disclose confidential information about them; for example, if you need to share information with another healthcare professional. In that case, you should:
    1. explain to the patient the circumstances in which you wish to disclose the information, and make sure they understand what you will be disclosing, the person you will be disclosing it to, the reasons for its disclosure, and the likely consequences
    2. allow them to withhold permission if they wish
    3. if they agree, ask them to provide their consent in writing or to sign a consent form
    4. advise anyone to whom you disclose information that they must respect the patient’s confidentiality
    5. disclose only the information you need to (for example, does the recipient need to see the patient’s entire medical history?).
  10. Disclosure of confidential information without consent

  11. In general, you should not disclose confidential information about a patient without their consent; however, there may be circumstances in which you are obliged to do so. Such circumstances might include:
    1. if you are compelled to do so by order of a court or other legal authority. You should only disclose the information you are required to under that order.
    2. if it is necessary in the public interest. In this case, your duty to society overrides your duty to your patient. This might happen when a patient puts themselves or others at serious risk; for example, by the possibility of infection, or a violent or serious criminal act.
    3. if it is necessary, in the interests of the patient’s health, to share the information with their medical adviser, legal guardian or close relatives, and the patient is incapable of giving consent.
  12. In any such circumstances, you are strongly advised to seek appropriate legal advice.
  13. If you need to disclose information without your patient’s consent, you should inform the patient, unless you are specifically prohibited from doing so (for example, in a criminal investigation), or there is another good reason not to (for example, where a patient may become violent).
  14. Any disclosures of information should be proportionate and limited to the relevant details.
  15. If a patient is not informed before disclosure of confidential information takes place, you should record the reasons why it was not possible to do so and maintain this with the patient’s records.