Confidentiality, consent & medical ethics

The law on confidentiality and HIV status

Abbey Stanford
Estimated reading time 15 minutes
A man in discussion with a woman sitting opposite him.
Domizia Salusest | www.domiziasalusest.com

Key points

  • In the UK, it's unlawful for organisations (including your employer, public services, charities, businesses, and the government) to share your HIV status without a good reason. You can take action if this happens.
  • There are fewer legal protections if your HIV status is shared by someone in your personal life, but legal action may still be possible.
  • There are support services available to help if your HIV status is shared without your consent.

This page gives you information about the law in the UK when it comes to keeping your HIV status private (confidential), and when and how it can be shared (disclosed).

Who you talk to about your HIV status is your decision. There are other pages on this website to help you to consider this:

Jump to

What does the law say about HIV and confidentiality?

If you share confidential medical information, including your HIV status, your confidentiality is protected by law in the UK.

Any information you share in confidence (privately) should not be shared with anyone else. This is called the ‘common law duty of confidentiality’. Read more about this law

There are more protections which apply at work, and when dealing with public services, businesses, companies, and government institutions, as well as in some other settings.

A ‘breach of confidentiality’ is when certain information about you is shared even though it shouldn’t be. This can be intentional (on purpose), but it can also happen because of a mistake, or due to theft.

There are several laws and acts which are useful to know about if you’re concerned about HIV and confidentiality.

Data protection legislation

The UK General Data Protection Regulation and Data Protection Act 2018 say that any data collected about you must be:

  • done for a clear reason
  • limited to only what is needed
  • relevant to the reason it’s being collected
  • stored securely.

Data which identifies you must only be kept for as long as it’s needed. Read about the act in more detail.

The Information Commissioner's Office (ICO) provides guidance on how organisations should follow the legislation. It can take action against organisations that break the law, including issuing fines. The legislation can also be enforced by the courts: the County Court (England, Wales, and Northern Ireland) or the Sheriff Court (Scotland).

You always have the right to see the data held about you by an organisation. You can find out what information they are storing about you, how they are using it, who they are sharing it with, and where they got your data from.

This is called a right of access. In order to access your data, you will need to submit a Subject Access Request.

To submit a request, you should try to contact the individual or team who deal with these requests, such as a data protection officer. Some organisations may ask you to fill out a form to process this request.

You can give permission for someone else to make a request on your behalf, but you should think about whether you want this person to have access to all of the personal information that may be given.

If you find out that information held about you is incorrect, you have the right to challenge this. For example, if your record says you have HIV, but you don’t. You can ask for the information to be corrected or deleted. If you feel it is incomplete, it can be added to.

You can make these requests in person or over the phone, but it is better to put them in writing. Read more about these requests. 

The Human Rights Act

The Human Rights Act 1998 allows you to take action against public authorities that have interfered with your human rights. These include local authorities, police, healthcare bodies, and central government.

The act includes Article 8, which covers respect for your private and family life. Under Article 8, personal information such as your HIV status should not be shared without your consent.

Read more about the act.

The Equality Act

If you are treated differently, and worse, because of your HIV status, in some settings you are protected by the Equality Act 2010.

The latest news and research on confidentiality, consent & medical ethics

The act protects you from unfair treatment (discrimination) by employers, businesses, organisations which provide goods or services, and health and care providers.

The act protects people from discrimination based on nine protected characteristics:

  • disability
  • age
  • gender
  • marriage and civil partnership
  • pregnancy and maternity
  • race
  • religion or belief
  • sex
  • sexual orientation.

People living with HIV are protected under this law, because HIV is classed as a disability from the time you are diagnosed. The Equality Act can be enforced by the courts.

Is it illegal to disclose someone's HIV status in the UK?

If someone shares your HIV status without your consent in your personal life and in a personal capacity, legal protection is limited. For example, if a friend told your neighbour you are living with HIV.

But if an organisation, such as an employer or healthcare provider, shares your HIV status without your consent you would be protected by the Data Protection Act 2018.

Before considering legal action, you should look into the organisation’s complaints procedures, or other policies, that would apply to this situation.

Where can I report a breach of confidentiality?

If your confidential information has been shared by an organisation without your consent, you should make a complaint to that organisation first. If you’re not happy with the response, you can make a complaint to the Information Commissioner's Office (ICO).

Community support services such as National AIDS Trust, Terrence Higgins Trust, or (in Northern Ireland) Positive Life can help you with this.

If the ICO thinks that the organisation has broken the law, it can support you with advice and ask the organisation to resolve the problem.

However, they can’t offer compensation, even if they find that an organisation did something wrong.

What if I am being harassed because of my HIV status?

Unwanted behaviour which you find offensive, intimidating, or humiliating is considered to be harassment. If the harassment is connected with your HIV status, it is considered to be a form of discrimination under the Equality Act. It does not have to be intentional.

This type of behaviour can include:

  • receiving unwanted phone calls, letters, emails, or visits
  • abuse and bullying
  • stalking
  • verbal abuse
  • threats
  • smashing windows
  • using dogs to frighten you.

Guidance about online abuse, such as on social media, is less clear, so you should seek legal advice in this situation.

Depending on your situation, you might be able to access legal support via a trade union membership or through insurance (such as home contents insurance). In some cases, you may be able to get legal aid which can help you pay for legal advice and representation.

If you are being harassed in a way that isn’t covered by the Equality Act, then you could consider another form of legal action.

A legal injunction could prevent any further information about your HIV status from being spread or remove information that is already shared. You might be able to make a civil claim for misuse of private information. There is no legal aid available in these cases.

If you are experiencing harassment at work, you should follow your employer’s grievance procedures and also make a claim to the Employment Tribunal within three months.

There’s more information about sharing your HIV status with your employer on another page.

Will healthcare workers share my status?

If you receive medical care at an HIV service there’s a chance your status will be shared with other healthcare professionals. Sometimes your HIV status won’t be stated explicitly, but it might be clear from information such as the medications you take.

Glossary

consent

A patient’s agreement to take a test or a treatment. In medical ethics, an adult who has mental capacity always has the right to refuse. 

referral

A healthcare professional’s recommendation that a person sees another medical specialist or service.

sexually transmitted infections (STIs)

Although HIV can be sexually transmitted, the term is most often used to refer to chlamydia, gonorrhoea, syphilis, herpes, scabies, trichomonas vaginalis, etc.

investigator

Scientific researcher.

capacity

In discussions of consent for medical treatment, the ability of a person to make a decision for themselves and understand its implications. Young children, people who are unconscious and some people with mental health problems may lack capacity. In the context of health services, the staff and resources that are available for patient care.

It’s also normal for healthcare services to mention your HIV status and your current medication when referring you to another service (for example, if you are sent to see a doctor in a different hospital department).

In this situation, there is usually ‘implied consent’. This is when your information is shared with healthcare workers involved in your care without you being asked, in situations where it is reasonable to think you would agree to your information being shared.

This can only happen as long as:

  • you have not objected (said no) to the sharing of your data
  • information is available showing how your data might be used and your rights to object
  • the person receiving your data (such as another doctor) understands they are receiving it in confidence and will respect this.

If you don’t want your information to be shared with other health and care professionals involved in your care, you should speak to a member of staff.

Read more detailed information about confidentiality in the NHS.

Are sexual health records confidential?

Data should never be passed on by sexual health clinics to GPs without your consent.

Information kept by sexual health clinics is kept securely and not shared with any other health services. If your sexual health clinic would like to share this information, they must ask you for your consent first.

If you have received sexually transmitted infection (STI) or HIV testing or care, your sexual health or HIV clinic will report some of your health information to the UK Health Security Agency (UKHSA). This information doesn’t include anything like your name, address or NHS number that could identify you.

In England, some information about your health will also be included in an electronic health record called the Summary Care Record.

What information is included in my Summary Care Record?

Your Summary Care Record is an electronic copy of important patient information, referred to as ‘Core Information’. This includes current medication, allergies or bad reactions to medicines, and personal details like name, address, date of birth and NHS number.

It may also include what is referred to as ‘Additional Information’, such as details of long-term conditions like HIV.

If you have given permission for your record to be accessed, this consent to access applies to all NHS staff directly involved in your care. A log (audit trail) of those accessing your Summary Care Records is kept.

You can also opt out of having your information uploaded onto the Summary Care Records. You can choose to opt out of it completely or choose to only have core information recorded.

What information is included in the NHS app?

Since November 2022, most people in the UK can access their GP health records using the NHS App. It’s also available on some other online patient apps.

Your GP health record might contain details about HIV, for example, in information about medications you take, test results, and appointments.

This information will only be available on the app if you have given consent. It will also be password protected.

If you’re concerned about the information that will be visible on the app, speak to your doctor. You can ask them to hide this information, but this might not always work as well as you’d like. You can also ask your GP to turn off online access. This means you won’t be able to see your GP record on the app. 

If you’re unsure, speak to your GP surgery. You don’t have to use a patient app if you don’t want to.

Can a doctor tell your partner that you have HIV?

If you have recently been diagnosed with HIV or an STI, staff at the sexual health clinic might want your recent sexual partners to be told, so they can get tested. This is called ‘partner notification’. It is usually done with your consent.

You may choose to tell your partners yourself, or you may ask clinic staff to notify your sexual partners on your behalf, without giving your name. This is sometimes called ‘provider referral’.

In rare cases, a healthcare provider can do this without your consent. For example, this can happen when somebody is at a continued risk of exposure to HIV if they aren’t told.

Can doctors break confidentiality about HIV?

Your GP may be asked by insurers, employers, or other non-NHS third parties to share some of your medical information. Your GP should send only necessary information in response to specific queries.

You have the right to:

  • see a report before it is sent
  • refuse consent to it being sent
  • ask for any mistakes to be corrected.

If you have any concerns about the information that may be shared, it’s a good idea to ask to see a report before it is sent.

However, in some benefit claims and litigation cases, your GP is able to share your full medical history.

Breaching confidentiality might also be allowed in some rare situations. This could be when a court or the police request the information, or a doctor thinks that a patient is putting other people at risk.

Where can I report a breach of confidentiality in the NHS?

If your data is shared without your consent by the NHS, you can report this to the Information Commissioner's Office (ICO).

You can also get support from a patient advice service.

  • In England and Wales, contact the local Patient Advice and Liaison Service (PALS).
  • In Scotland, contact the Patient Advice and Support Service (PASS).
  • In Northern Ireland, contact the Patient and Client Council (PCC).

These services should support you to resolve the issue. However, if you are not satisfied with the resolution, you can contact the Chief Executive of the NHS Trust, or the Chief Executive your local Integrated Care Board (in England) or health board (in other parts of the UK).

If you are not satisfied with their response, you can contact an ombudsman. This also depends on where in the UK you live:

There is a time limit of 12 months in which you should report your matter to an ombudsman. 

If I share my HIV status with the police, what happens to my data?

Your HIV status is confidential medical information and should not be recorded by police in an identifiable way, unless it is to help you access your medical treatment. It should only be done with your consent.

Healthcare professionals must not give information about your HIV status to the police unless one or more of the following is true:

  • You have given consent.
  • There is a court order in place.

There are exceptional circumstances defined by the General Medical Council.

If you are part of an investigation, the investigators must not share your HIV status with other people or organisations unless it is necessary. They should always seek your consent before doing so.

Who can offer support if your HIV status has been shared unlawfully?

National AIDS Trust

Citizens Advice

Information Commissioner's Office

ACAS

GOV.UK

Acknowledgements

Thanks to Daniel Fluskey and Tamara Manuel for their advice.

Related topics
Confidentiality, consent & medical ethics
UK health services
Discrimination & the law
Human rights
Employment
Social & legal issues
Telling people you have HIV
Print