Part 3 of 8: The NMC Code, every section · Chapter 31 of 100

NMC Code Section 5: Respect Privacy and Confidentiality

NMC Code Section 5 explained. Confidentiality, GDPR, Caldicott principles, and the limits of confidentiality in nursing.

By JobLabs Editorial · UK healthcare reference editorial team

Section 5 is the section the public most clearly recognises. A breach of patient confidentiality is the kind of misconduct that ends careers cleanly, and the boundary is widely understood.

“Respect people’s right to privacy and confidentiality.”

Sub-clauses:

  • 5.1 Respect a person’s right to privacy in all aspects of their care.
  • 5.2 Make sure that people are informed about how and why information is used and shared by those who will be providing care.
  • 5.3 Respect that a person’s right to privacy and confidentiality continues after they have died.
  • 5.4 Share necessary information with other healthcare professionals and agencies only when the interests of patient safety and public protection override the need for confidentiality.
  • 5.5 Share with people, their families and their carers, as far as the law allows, the information they want or need to know about their health, care and ongoing treatment sensitively and in a way they can understand.

The section closes with a tension: confidentiality is protected (5.1, 5.3), but openness with the patient and family is encouraged (5.5). The dividing line is consent. Information about the patient flows freely to the patient and to those they’ve authorised; it doesn’t flow without that authority.

What it means in practice

The everyday Section 5 obligations:

  • Don’t discuss patients in public places such as corridors, lifts, or the canteen.
  • Don’t share patient information on social media, even anonymised. The 2017 NMC guidance treats this as a fitness-to-practise risk.
  • Lock the computer screen when you step away from it.
  • Hand over privately, not in earshot of other patients or visitors.
  • Check who’s asking before sharing information by phone, particularly with family members the patient may not have authorised.
  • Use the minimum necessary information for the purpose at hand (Caldicott principle).

The Caldicott principles are the standard reference for handling patient-identifiable information. Eight principles, all of them practical, and every NHS trust expects familiarity with them through information governance training.

Common breaches

Section 5 breaches that appear in fitness-to-practise outcomes:

  • Social media posts identifying patients or wards, even when intended as innocent comment.
  • Patient information shared with family without consent, particularly common with adult children of elderly patients.
  • Discussion of cases in public places or with people who didn’t have a need to know.
  • Loss or theft of patient data through unencrypted devices or papers taken home.
  • Inappropriate access to patient records out of curiosity (looking up a celebrity, an ex-partner, a colleague’s family member).

Inappropriate access is the most underestimated breach. NHS audit systems track who accessed each record. A nurse who looks up a record without a clinical reason to access it is identifiable and increasingly likely to face investigation.

When disclosure is permitted

Section 5.4 sets out the exceptions. Disclosure without consent is permitted when:

  • The patient lacks capacity and disclosure is in their best interests.
  • There is a serious risk to the patient or others (safeguarding, suicide risk, threat to a third party).
  • The law requires it (court order, statutory notification, child protection requirements, infectious disease notification).
  • The public interest demands it (terrorism, serious crime, public health emergencies).

For each of these, the disclosure should be the minimum necessary information to the people who need it for the relevant purpose. Disclosure beyond what’s needed for the purpose is itself a breach.

CPD that maps to Section 5

  • Information governance (mandatory in most NHS trusts, annual).
  • UK GDPR training (often combined with information governance).
  • Caldicott principles awareness.
  • Social media for healthcare professionals, increasingly relevant.
  • Electronic patient record training when implementing new systems.
  • Information sharing in safeguarding, for understanding where confidentiality yields to safeguarding.

Common reflective account themes

Strong Section 5 reflections involve a moment of judgement:

  • A family member asking for information you weren’t sure they were authorised to receive.
  • A social media post you considered making and decided against.
  • A safeguarding situation where you had to share information with another agency.
  • A record access decision where you needed information about a former patient and worked through whether your access was appropriate.

The reflections that work show the registrant doing the careful thinking, not the easy thing: recognising the boundary, pausing, checking, sometimes asking the Caldicott Guardian for advice.

Where Section 5 connects to other sections

  • Section 4 (best interests): disclosures for patients who lack capacity.
  • Section 14 (duty of candour): being open with the patient is itself a Section 5 obligation under 5.5.
  • Section 17 (protect vulnerable people): safeguarding disclosure overrides confidentiality.
  • Section 20 (uphold the reputation of the profession): social media confidentiality breaches are also reputation breaches.

This is the end of Pillar 1 of the Code (Sections 1-5). The next chapter starts Pillar 2, Practise Effectively, beginning with Section 6 on using the best available evidence.


Frequently asked questions

When can I share patient information without consent?
When the patient lacks capacity and disclosure is in their best interests; when there's a serious risk to the patient or others; when required by law (court order, child protection statute); when in the public interest.
What are the Caldicott principles?
Eight principles set by Dame Fiona Caldicott for handling patient-identifiable information. Justify purpose, use minimum necessary, access on a need-to-know basis, awareness of responsibilities, compliance with law, sharing for direct care, no surprises, and inform patients.
What CPD maps to Section 5?
Information governance, GDPR/UK GDPR training, Caldicott principles, social media use for nurses, electronic patient record systems, and information sharing in safeguarding.

Check your understanding

Quick quiz: NMC Code Section 5: Respect Privacy and Confidentiality


  1. Which of these would breach Code Section 5?
  2. When can patient information be shared without consent?
  3. What is the most common Section 5 breach in published fitness-to-practise outcomes?
  4. Does the duty of confidentiality continue after the patient has died?
