What is confidentiality?

In the context of health, confidentiality refers to the non-disclosure of all information that comes to a health practitioner in the course of their relationship with patients. This means that a health professional (or anyone else who comes into contact with that information – such as administrative staff) must not disclose information to other individuals, the public or organisations.

Note that there are a number of circumstances in which otherwise confidential information may be disclosed to third parties (see below).

Why does patient confidentiality matter?

Patient confidentiality serves to protect the health of the patient—and potentially the public—by increasing the chances that people will seek help when they need it because they are comfortable discussing anything they need to discuss with the health professional they consult.

Where are the rules of patient confidentiality found?

Confidentiality is often thought of as an ethical obligation. There is, however, also recognition in the common law (judge-made law) of ‘breach of confidence’. In some instances statutory obligations may also be viewed as protecting patient confidentiality. Each of these is briefly discussed further below.

Oaths and Codes of Practice

Health practitioners have long vowed to respect the information they see or hear. For example, the Hippocratic Oath, which dates to around 500 BC and is sworn by medical professionals, states:

“…Whatever, in connection with my professional service, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret.”

In Australia, in the modern day, ethical codes of practice also recognise that confidentiality must be protected.

The Australian Medical Board’s code of practice states that:

“Patients have a right to expect that doctors and their staff will hold information about them in confidence, unless release of information is required by law or public interest considerations. Good medical practice involves…treating information about patients as confidential.” 1

Similarly, the Australian Medical Association’s Code of Ethics 2 states:

“Maintain the confidentiality of the patient’s personal information including their medical records, disclosing their information to others only with the patient’s express up-to-date consent or as required or authorised by law. This applies to both identified and de-identified patient data.”

The common law (judge-made law)

At common law both a contractual and an equitable obligation of confidence have been recognised. 3 In Attorney-General v Guardian Newspapers 4 it was said:

It is a well-settled principle of law that where one party (‘the confidant’) acquires confidential information from or during his service with, or by virtue of his relationship with another (‘the confider’), in circumstances importing a duty of confidence, the confidant is not ordinarily at liberty to divulge that information to a third party without the consent or against the wishes of the confider.

That is, a duty of confidence arises in circumstances in which the information is given on the understanding that it is to be treated by the confidant on a limited basis (or where the confidant ought to have realised that in all the circumstances the information was to be treated in such a way). 5

Statute (Legislation) – Government made law

Some legislation contains what are often referred to as ‘secrecy’ provisions, which also serve to protect confidentiality. 6

An example of a statutory ‘secrecy provision’ may be found in Section 206(1) of the Western Australian Mental Health Act 1996, which provides:

(1) A person must not directly or indirectly divulge any personal information obtained by reason of any function that person has, or at any time had, in the administration of this Act or the Mental Health Act 1962. Penalty $2 000.

Are there situations in which confidentiality may be breached?

The answer to the above question is yes.

Neither legal duties of confidence, nor ethical undertakings to protect confidentiality are absolute. In some special circumstances, a patient’s confidentiality may lawfully (and ethically) be breached.

Such circumstances include, for example, disclosure of information:

  • following express or implied consent (see the Health Law Central section on ‘consent’ to find out more about what consent is, and who may provide consent, for example, in the case of children or people suffering an incapacity);
  • pursuant to legal requirements, such as mandatory reporting of certain infectious diseases; reporting of the cause of death when a person dies; providing information pursuant to a subpoena; mandatory reporting of child abuse; or
  • on grounds of public interest. (Note the notion of public interest is flexible and there are no clear rules about when it would apply. Generally, it would arise in circumstances in which there is a real or immediate risk of danger to the public or a single person, and the risk is sufficiently grave. This might, for example, include when there is a threat to national security; or contacting the authorities if a health practitioner is aware that a patient is going to cause serious harm to someone or to commit a crime.) 7

Note: When a statutory duty of confidence exists, one must look to the relevant statutory provision for the circumstances (if any) in which the information may be disclosed.

What might happen if confidentiality is breached in other circumstances?

A breach of the duty of confidence can have a number of consequences. For example, it may lead to:

  • Disciplinary action by the employer of the person who made the disclosure.
  • Legal action claiming damages (compensation) against the person who made the disclosure and/or his or her employer.
  • Disciplinary proceedings under the health professional’s regulatory statute.
  • The imposition of a fine or other penalty when there is a contravention of a statutory duty of confidence.

Confidentiality and Privacy Regimes

More recently, privacy legislation has been introduced in a number of Australian jurisdictions to specifically regulate the handling of personal health information. Commonwealth legislation has also been introduced that is relevant to health care information and related privacy issues.

An overview of privacy regulation, relevant to health, may be found via links below and at the side of this page.

Here it is noted that health service providers continue to be subject to secrecy provisions and duties of confidentiality. Privacy laws exist side by side, and do not replace the duties of confidentiality.

Nevertheless, it has been recognised that causes of action in terms of breach of confidence in the context of health professionals would be extremely (and increasingly) rare. It has also been suggested that:

In practice the less costly, more ‘user friendly’ complaint procedures offered under the privacy regimes may in fact mean that they increasingly ‘cover the field’ and that the traditional, common law remedies for protecting confidentiality become archaic. 8



  1. Australian Medical Board, Good Medical Practice: A Code of Conduct for Doctors in Australia, (2009) available at
  2. AMA Code of Ethics (2004 – editorially revised 2006), available at 2016.
  3. For a detailed analysis of this complex area of law please see Office of the Information Commissioner, Queensland, Breach of Confidence at Common Law, at accessed, 15 January 2015.
  4. Attorney-General v Guardian Newspapers (No. 2) [1988] UKHL 6.
  5. Smith Kline & French Laboratories (Aust) Ltd v Secretary, Department of Community Services and Health (1990) 22 FCR 73, 86–87; Coulthard v State of South Australia (1995) 63 SASR 531, 546–547.
  6. See, eg, National Health Act 1953 (Cth) s 135A; Health Insurance Act 1973 (Cth) s 130; Health Administration Act 1982 (NSW) s 22; Health Services Act 1988 (Vic) s 141; Mental Health Act 1996 (WA) s 206(1); Mental Health Act 2007 (NSW) s 189; Guardianship Act 1987 (NSW) s 101.
  7. Note the examples given have not been tested in Australian courts – see discussion in relation to negligence and duty of care on Health Law Central; see for an example of English case authority in which a court held that it would not be a breach of confidence to disclose information in such circumstances: W v Edgell [1990] 1 Ch 359, [1990] 2 WLR 471.
  8. M McMahon, ‘Re-thinking Confidentiality’ in I Freckelton and K Petersen (eds), Disputes & Dilemmas in Health Law (2006) 563, 583.