
Handling a confidentiality breach in general practice 

By Ms Sinead Lay - 29th Jun 2026


Ms Sinead Lay outlines how GPs should respond to an accidental breach of confidentiality, using a case study example

Confidentiality is central to the doctor–patient relationship. Patients must be able to trust that sensitive information shared in a clinical setting will be handled carefully and appropriately.

However, even in well-run practices, errors can occur. A breach of confidentiality may give rise to several distinct issues: The patient’s complaint, the doctor’s professional obligations, and the practice’s separate responsibilities under data protection law.

This case study highlights how Medical Protection can support a member where an accidental breach of confidentiality arises from a clinical act, while also recognising the separate role of the practice as data controller.

Background

Mr K, a 42-year-old IT consultant, had recently moved to a new town and registered with a local GP practice. He booked an appointment with Dr L to review his diabetes management and to ensure that his medication records were accurate and up to date.

During the consultation, Mr K also disclosed sensitive information about his mental health, including a recent breakdown. Dr L documented the consultation carefully and arranged a follow-up review.

The incident

Later that day, Dr L intended to send an educational leaflet and follow-up information to another patient regarding diabetes management. While preparing the email, he inadvertently attached the wrong document: Mr K’s consultation notes from earlier that morning, rather than the intended leaflet.

The email was sent directly by Dr L from his clinical email account.

A few days later, the unintended recipient contacted the practice, concerned that they had received another patient’s confidential medical information. The practice manager immediately investigated and confirmed that Mr K’s clinical notes had been disclosed in error.

Impact and initial response

Once the breach was confirmed, Mr K was informed promptly. He was understandably distressed that confidential information, including sensitive mental health details, had been shared with another patient.

Mr K submitted a formal complaint to the practice, citing emotional distress and a loss of confidence in how his personal information had been handled.

Dr L and the practice manager met with Mr K, apologised sincerely, explained how the error had occurred, and outlined the immediate steps being taken in response. Dr L accepted responsibility for his role in the incident.

As the breach involved the disclosure of special category personal data, the practice, as data controller, was required to assess the matter under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The practice notified the Data Protection Commission within 72 hours and began a review of its data-handling procedures.

Mr K later submitted a complaint to the Medical Council, alleging that Dr L had breached his professional duty of confidentiality.

Medical Protection assistance

Dr L contacted Medical Protection for medico-legal advice and support.

Medical Protection assisted Dr L in responding to the Medical Council complaint, including advising on the professional issues arising, helping to draft a clear and reflective response, and supporting him throughout the regulatory process.

As the breach had arisen directly from a clinical communication, Medical Protection was also able to advise Dr L on the data protection implications insofar as they affected him personally. This was distinct from the practice’s separate organisational obligations as data controller.

With Medical Protection’s guidance, Dr L prepared a reflective statement acknowledging the error, demonstrating insight, and setting out the remedial steps taken. These included additional training on confidentiality and data protection and participation in the practice’s review of its electronic communication processes.

Dr L offered undertakings to the preliminary proceedings committee (PPC) to complete further confidentiality and GDPR-awareness training and to ensure that relevant practice procedures were reviewed and followed. The PPC accepted those undertakings and concluded that no further action was required.

Data Protection Commission outcome

Separately, the practice engaged with the Data Protection Commission (DPC) in relation to its responsibilities as data controller.

The DPC required the practice to strengthen its systems for managing patient information and electronic correspondence, provide regular staff training on data protection compliance, and review and document its data-handling policies on an annual basis.

A modest administrative fine was imposed on the practice. The practice accepted the findings and implemented the recommended measures.

Medical Protection’s role in this aspect was limited to advising Dr L on his individual professional position and helping him understand how the data protection process intersected with his duties as a doctor. Medical Protection does not cover or contribute to administrative fines as these fall outside its remit.

Conclusion

This case demonstrates how an accidental breach of confidentiality arising from a clinical act can lead to both professional and data protection scrutiny.

Early engagement with Medical Protection enabled Dr L to respond appropriately to the Medical Council complaint, demonstrate insight, and take meaningful remedial steps. At the same time, the practice addressed its separate statutory obligations to the DPC.

For doctors, the key message is that any breach of confidentiality should be addressed promptly, transparently, and carefully. Early advice can help ensure that the patient is treated fairly, the professional response is appropriate, and the distinction between individual professional duties and wider organisational responsibilities is properly understood.

For more information on how Medical Protection can support members with confidentiality issues, visit:

www.medicalprotection.org/ireland/resources-training/articles/view/medical-protection-society-(mps)-and-breaches-of-confidentiality
