The law on confidentiality and HIV status

Chinnapong/Shutterstock.com

Key points

  • In the UK, there are legal protections which can enable you to hold employers, public services, businesses, the government and others to account, in the event that your HIV status is unlawfully disclosed.
  • There are fewer legal protections if your HIV status is shared by someone in your personal life, but legal action may be possible in some circumstances.
  • There are support services available to help challenge situations where your HIV status is shared without your consent. They will be able to give you advice and support, including help if you choose to take legal action.

This page gives you information about the law on confidentiality and disclosure of HIV status in the UK. If you share confidential medical information, your confidentiality is protected by law.

Who you talk about your status with is your decision. There are other pages on this website to help you to consider this. They cover the pros and cons of sharing your HIV status, deciding whether to tell people you are living with HIV, and telling employers, healthcare workers and people you have sex with.

What legal protections are relevant for people living with HIV?

In the UK, everyone is entitled to legal protections for confidential information, such as your HIV status and other medical information. The common law duty of confidentiality stipulates that any information you have shared in confidence should be treated as such and not shared with anyone else. You can read more about this law here.

There are additional protections which apply in your workplace, when dealing with public services, businesses, companies and government institutions and in some other settings. A breach of confidentiality may be intentional, an error or due to theft.

The Data Protection Act 1998 states that any data collected about you must only be done for specified, explicit purposes and must be limited to what is necessary and relevant. Data which identifies you must only be kept for as long as is necessary. Your data must always be stored securely, with appropriate measures in place. You can read about the act in more detail here.

The Human Rights Act 1998 allows you to take action against public authorities that have interfered with your human rights. These include local authorities, police, healthcare bodies and central government. The act includes Article 8, which covers respect for your private and family life. Under Article 8, personal information such as your HIV status should not be disclosed without your consent. You can read more about the act here.

If you are treated differently and worse because of your HIV status, in some settings you are protected by the Equality Act 2010. The act protects you from discrimination by employers, businesses, organisations which provide goods or services, and health and care providers. The act protects people from discrimination based on nine protected characteristics. People living with HIV are protected under this law, because HIV is classed as a disability from the point of diagnosis. As well as disability, other protected characteristics covered by the Equality Act are age, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. You can read more about the act here.

Is it illegal to disclose someone’s HIV status?

If someone discusses your HIV status without your consent in your personal life and in a personal capacity, legal protection is limited. 

If an organisation such as an employer or health care breaches your confidentiality by sharing your HIV status without your consent you would be protected by the Data Protection Act 2018. You should consult any internal policies and processes for challenging situations where your data has been shared without your consent.

Where can I report a breach of confidentiality?

If your confidential information has been shared by an organisation without your consent, you should first look to make a complaint to the organisation that is responsible.

Glossary

consent

A patient’s agreement to take a test or a treatment. In medical ethics, an adult who has mental capacity always has the right to refuse. 

disclosure

In HIV, refers to the act of telling another person that you have HIV. Many people find this term stigmatising as it suggests information which is normally kept secret. The terms ‘telling’ or ‘sharing’ are more neutral.

referral

A healthcare professional’s recommendation that a person sees another medical specialist or service.

sexually transmitted infections (STIs)

Although HIV can be sexually transmitted, the term is most often used to refer to chlamydia, gonorrhoea, syphilis, herpes, scabies, trichomonas vaginalis, etc.

investigator

Scientific researcher.

If you are not satisfied with the response, you should make a complaint to the Information Commissioner's Office (ICO). If the ICO thinks that the organisation has failed to comply with its legal obligations, it can support you with advice and ask the organisation to resolve the problem. You can submit a complaint to the ICO up to three months after your last contact with the organisation. They are unable to offer compensation, even if they find that an organisation did breach your confidentiality.

The Data Protection Act can be enforced by the courts. This would be the County Court (England and Wales) or the Sheriff Court (Scotland). You have up to six years, less one day to take legal action. The Equality Act can also be enforced by the courts. You can take legal action for six months, less one day from when discrimination occurred.

What if I am being harassed because of my HIV status?

If you experience unwanted behaviour because your status has been shared without your consent, you might be able to pursue legal action. Unwanted behaviour which you find offensive, intimidating or humiliating is considered to be harassment. If the harassment is connected with your HIV status, it is considered to be a form of discrimination under the Equality Act. It does not have to be intentional. It could include receiving unwanted correspondence (phone calls, letters, emails or visits), abuse and bullying online, stalking, verbal abuse, threats, smashing windows or using dogs to frighten you. There are some grey areas about online abuse on social media, so you should seek legal advice in this situation.

You may be eligible for legal aid, or you might be able to access legal support via a trade union membership or through insurance (home contents). However, legal action is not always appropriate due to time limits, the stress and expense it involves, and limited access to legal advice.

If you are experiencing harassment in an employment setting, you should follow your employer’s grievance procedures and also make a claim to the Employment Tribunal within three months. There’s more information about sharing your HIV status with your employer on another page.

If you are being harassed in relation to something that is not a protected characteristic under the Equality Act, then you could consider another form of legal recourse. A legal injunction could prevent any further information about your HIV status from being disseminated or remove information that is already shared. You might be able to make a civil claim for misuse of private information. There is no legal aid available in these cases.

If I share my status with healthcare workers, what happens to my data?

It is normal for healthcare services to mention your HIV status and your current medication when referring you to another service (for example, if you are sent to see a doctor in a different hospital department). In this situation, there is usually ‘implied consent’. This is when your information is shared with healthcare workers involved in your care without you being asked, in situations where it is reasonable to think you would agree to your information being shared.

This can only happen as long as:

  • you have not objected to the sharing of your data
  • information is available showing how your data might be used and your rights to objection
  • the person receiving your data understands they are receiving it in confidence and will respect this.

Health services must adhere to the Caldicott Principles, which stipulate that the duty to share information needed for individual care is as important as the duty to protect patient confidentiality.

Data will never be passed on by sexual health clinics to GPs without your consent. Information kept by sexual health clinics is kept securely and not shared with any other health services. If your sexual health clinic would like to share this information, they must only do so after a discussion with you in which you provide consent.

In England, some information about your health will also be included in an electronic health record called the Summary Care Record. There’s more information about this in the next question.

If you have recently been diagnosed with HIV or a sexually transmitted infection (STI), staff at the sexual health clinic might want your recent sexual partners to be informed, so they can get tested. This is called ‘partner notification’ and is usually done with your consent. You may choose to tell your partners yourself, or you may ask clinic staff to notify your sexual partners on your behalf, without giving your name. In exceptional cases, your provider is able to do this without your consent.

Your GP may be asked by insurers, employers or other non-NHS third parties to share some of your medical information. Your GP should send only necessary information in response to specific queries. You have the right to see a report before it is sent, to refuse consent to it being sent, and to ask for inaccuracies to be corrected. If you have any concerns about the information that may be shared, it’s a good idea to ask to see a report before it is sent.

Exceptions to this are some benefit claims and litigation cases, where your GP is able to share your full medical history.

Breaching confidentiality can be lawful in some rare situations. This could be when a court or the police request the information or a doctor can justify that a patient is putting others at risk.

If your data is shared without your consent by the NHS, you should write to the local Patient Advice and Liaison Service. They should support you to resolve the issue informally. However, if you are not satisfied with the resolution, you can contact the Chief Executive of the NHS Trust, NHS England or a Clinical Commissioning Group. If you are not satisfied with their response, you can contact the Parliamentary and Health Service Ombudsman. If you live in Wales, you should contact the Public Services Ombudsman. If you live in Scotland, you should contact the Scottish Public Services Ombudsman. If you live in Northern Ireland, you should contact the Northern Ireland Public Services Ombudsman. There is a time limit of 12 months in which you should report your matter to an Ombudsman. 

What information is included in my Summary Care Record?

If you are in England, some of your personal health data may be in your Summary Care Record. This is an electronic copy of important patient information, referred to as ‘Core Information’. This includes current medication, allergies or bad reactions to medicines, and identifiable details like name, address, date of birth and NHS number. It may also include what is referred to as ‘Additional Information’, such as details of long-term conditions (such as HIV), significant medical history, end-of-life decisions and specific communications needs.

The Summary Care Record is created from your GP medical records. Authorised staff in other parts of the health and care system who are caring for you can access it. If you have given permission for your record to be accessed, this consent to access applies to all NHS staff directly involved in your care. An audit trail of those accessing your Summary Care Records is kept.

You can also opt out of having your information uploaded onto the Summary Care Records. You can choose to opt out of it completely, choose to only have core information recorded or have both your core and additional information on your record.

What information is included in the NHS app?

Since November 2022, most people in the UK can access their GP health records using the NHS App. It’s also available on some other online patient apps. Your GP health record contains information about medications, test results, and appointments. It doesn’t include your hospital records, but does include letters sent to your GP by other healthcare professionals, including hospital doctors.

This means that your GP health record might contain details about HIV.  

This information will only be available on the app if you have given consent (permission). It will also be password protected.

If you’re concerned about the information that will be visible on the app, speak to your doctor. You can ask them to hide this information, but this might not always work as well as you’d like. You can also ask your GP to turn off online access. This means you won’t be able to see your GP record on the app. 

If you’re unsure, speak to your GP surgery. You don’t have to use a patient app if you don’t want to.

If I share my HIV status with the police, what happens to my data?

Your HIV status is confidential medical information and should not be recorded by police in an identifiable way, unless it is to enable you to access your medical treatment, and with your consent.

Healthcare professionals must not release information to the police unless you have given consent, if there is a court order in place, or in exceptional circumstances defined by the General Medical Council.

If you are part of an investigation, the investigators must not disclose your HIV status to third parties unless it is necessary for the purposes of the investigation. They should always seek your consent before doing so.

How can I find out what information an organisation holds about me?

You always have the right to see the data held about you by an organisation. This is called a right of access. In order to access your data, you will need to submit a Subject Access Request. You can find out what information they are storing about you, how they are using it, who they are sharing it with, and where they got your data from.

To submit a request, you should try to contact the individual or team who deal with these requests, such as a data protection officer. Some organisations may ask you to fill out a form to process this request. You can give permission for someone else to make a request on your behalf, but you should consider if you want this person to have access to all of the personal information that may be provided.

You have the right to challenge inaccurate data; this is called a right to rectification. You can ask for information to be corrected or deleted. If you feel it is incomplete, it can be added to. You should start by informing the organisation that you are challenging the accuracy of the data they are storing about you. You should say that you believe it is incorrect, how they should correct it and any evidence you have of it being inaccurate.

You can make these requests verbally, but it is better to put them in writing. You can read more about these requests here.

Who can offer support if your HIV status has been shared against your will?

Citizens Advice: www.citizensadvice.org.uk

Information Commissioner's Office: ico.org.uk

ACAS: www.acas.org.uk

GOV.UK: www.gov.uk/check-legal-aid

Next review date
Acknowledgements

Thanks to Tamara Manuel for her advice.