Requests from employers, schools, police and other organisations

Third-party requests do not only come from family or carers. Employers, schools, insurance companies, solicitors, police, social workers, pharmacies, hospitals and other agencies may ask for patient information. These requests must follow the practice's formal processes rather than being answered informally at reception.

Use the formal route

A straightforward-sounding request from an employer, a school or a solicitor can still require confirmation of written consent, a formal subject access process, a safeguarding check, legal advice, Caldicott input or clinical approval.

Frontline staff should not confirm facts such as attendance, registration, diagnosis, medication, address or contact details unless the local procedure explicitly allows it. Even confirming that someone is a patient can disclose confidential information.

Written requests and email caution

Letters, headed emails and scanned documents still need verification. Use the practice's established route to confirm identity, check consent and decide whether disclosure is appropriate. Replying from a personal inbox or sending ad hoc attachments is unsafe.

If a request appears urgent, take any necessary safety action immediately but still involve the appropriate senior, clinician or information governance lead rather than resolving it informally.

Examples of higher-risk requests

• Employers asking whether a patient attended or what their condition is.
• Schools asking for appointment details or health explanations.
• Police asking for contact details without the approved route.
• Solicitors, insurers or benefits agencies asking for records informally.

Formal organisations still need proper authority; a professional-sounding request is not a shortcut around confidentiality.

Police and serious harm