My GP shared my medical records without consent. Is this a breach?
Yes, sharing your medical records without your consent is usually a breach of data protection law and medical confidentiality, unless a specific legal exception applies.
What the Law Says
In the UK, your medical records are protected by strict data protection and confidentiality rules. GPs must have a lawful basis to process your personal health data — and consent is one of several possible bases.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how your personal data — including sensitive health information — can be used and shared. Health data is classified as 'special category data', which requires extra safeguards.
Under UK GDPR Article 9, processing special category data (like medical records) is prohibited unless one of the specific conditions in Article 9(2) applies. Consent is one condition — but others include 'substantial public interest' or 'legal obligation'.
The common law duty of confidentiality also applies: doctors owe patients a strict duty not to disclose confidential information without consent, unless justified by law or overriding public interest (e.g., preventing serious harm).
Statutory text: Processing of personal data shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes...
— UK GDPR, Art. 6(1)(a) — Lawfulness of processing
Statutory text: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited...
— UK GDPR, Art. 9(1) — Processing of special categories of personal data
Statutory text: An application may be made to the Secretary of State for approval to process patient-identifiable information without consent where it is necessary for medical purposes and where consent cannot be obtained.
— Health Service (Control of Patient Information) Regulations 2002, Reg. 5 — Section 251 support
What Courts Have Said
Courts have consistently upheld the strength of patient confidentiality and the seriousness of unauthorised disclosures by healthcare professionals.
The court held that a psychiatrist could disclose concerns about a patient’s risk to public safety to authorities without consent — but only where the risk was real, serious, and imminent; mere suspicion was insufficient.
The courts have also reaffirmed that a breach of confidentiality by a doctor gives rise to a claim in equity and/or under data protection law, and that damages may be awarded even without financial loss.
What to Do
Contact your GP practice in writing to request details of what information was shared, with whom, when, and the reason given.
Ask them to confirm whether they relied on consent, a statutory exemption (e.g., Section 251), or another lawful basis under UK GDPR Article 6 and Article 9.
If unsatisfied, make a formal complaint to the practice’s Data Protection Officer (DPO) or via their complaints procedure.
Escalate to the Information Commissioner’s Office (ICO) using their online complaint form — they can investigate and issue enforcement notices.
Consider seeking legal advice if you’ve suffered distress or harm — you may be entitled to compensation under UK GDPR Article 82.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.