Legal and Professional Framework

The legal framework combines statute, common law and professional standards. Understanding the basics helps clinicians and managers make proportionate, defensible decisions at pace. [1][4][9]
Core UK-wide laws
The Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR) govern processing of personal data, including special category health data. [1][4]
The Human Rights Act 1998 reinforces privacy through Article 8, the right to respect for private and family life. [5]
The Access to Health Records Act 1990 governs access to a deceased person's records. [6]
The Common Law Duty of Confidentiality requires information given in confidence to be kept confidential unless consent, legal requirement, or overriding public interest applies. [7]
Health system differences
Each nation has its own confidentiality codes and information governance standards. England references the NHS Confidentiality Code of Practice and Care Quality Commission (CQC) oversight. [7] Scotland, Wales, and Northern Ireland have parallel standards under the Caldicott Principles. [8] These frameworks align on minimum necessary disclosure, need-to-know access, and accountability. [8]
Professional standards and consequences
GOC Standards of Practice require confidentiality and respect for patients' privacy. [9] Breaches can trigger Fitness to Practise processes, GDPR penalties, civil claims, and employment sanctions. Proportionate documentation of decisions protects patients and professionals. [4][1]
- Documentation to keep current: privacy notice; data-flow map; Record of Processing Activities; Data Protection Impact Assessments (DPIAs) for new systems; confidentiality policy; staff training logs; processor contracts; and incident/breach logs. [2][3]
Lawful bases and conditions
For routine care, the GDPR lawful basis is typically legitimate interests or public task for NHS providers, with special category processing justified under the health or social care condition. [4] Consent may still be needed to share beyond care, such as marketing or non-essential disclosures. [7]
Common law and consent
Even with a GDPR basis, common law requires consent for disclosure outside direct care unless an exception applies. Where consent is impracticable and risk is serious, disclosure may be justified in the public interest; recording the rationale and proportionality is important. [7][8]
- Three quick tests before sharing: Is sharing necessary for care or safety? Is the recipient appropriate and authenticated? Is the amount disclosed the minimum necessary? [8]
Deceased patients
Confidentiality continues after death.
The Access to Health Records Act allows limited access for personal representatives or those with a claim. Coroners (or Procurators Fiscal) may lawfully require information; disclose only what is necessary. [6]
Accountability signals
Record who requested data, the legal basis, identifiers shared, and safeguards used (e.g., encryption). Note any refusal with reasons and an alternative route offered, such as requesting a court order. [2][3]
Co-operating with formal inquiries and investigations
Optical professionals may be asked to provide information during formal inquiries or investigations — for example by the GOC, NHS commissioners, safeguarding boards, coroners, or law enforcement. Co-operation is a professional duty, but confidentiality obligations still apply. Information shared must be relevant, proportionate, and transmitted securely.
Always verify the authority of the request, record the legal basis for disclosure, and, where possible, inform the patient or their representative unless this would compromise the investigation. Keeping a clear log of who requested the information, what was released, when, how, and why provides accountability and protects both patients and professionals.
References (numbered in text)
- [1] Data Protection Act 2018 — legislation.gov.uk (The National Archives)
- [2] Record of processing activities (ROPA) — Information Commissioner's Office (ICO)
- [3] Data Protection Impact Assessments (DPIAs) — Information Commissioner's Office (ICO)
- [4] UK GDPR guidance and resources — Information Commissioner's Office (ICO)
- [5] Human Rights Act 1998 — legislation.gov.uk (The National Archives)
- [6] Access to Health Records Act 1990 — legislation.gov.uk (The National Archives)
- [7] Confidentiality: NHS Code of Practice — Department of Health and Social Care (GOV.UK)
- [8] The Caldicott Principles — National Data Guardian (GOV.UK)
- [9] Standards of practice for optometrists and dispensing opticians — General Optical Council (GOC)
References are included to demonstrate that all the content in this course is rigorously evidence-based, and has been prepared using trusted and authoritative sources.
They also serve as starting points for further reading and deeper exploration at your own pace.