Duty of Candour vs. Patient Notification for Data Breaches
- Kafico Ltd

In healthcare, “being open with patients” can mean more than one legal obligation. Two common ones are the statutory Duty of Candour and patient notification after a personal data breach.
They can feel similar because they both involve openness, apology, and clear communication, but they come from different laws and apply in different situations.
Sometimes only one applies; occasionally both apply together. Understanding the difference helps practices respond confidently and consistently.
What is the Duty of Candour?
The Duty of Candour is a patient-safety duty. It requires GP practices and other CQC-registered providers to be open and transparent with patients when something goes wrong in their care or treatment that causes, or could cause, significant harm.
What triggers it?
A “notifiable safety incident”: an incident that arose in the course of a regulated activity (care or treatment) and affected the patient in a way that meets the harm threshold.
What must a practice do?
Inform the patient (or representative) as soon as reasonably practicable.
Explain what happened and what is known so far.
Offer a sincere apology (this is not the same as admitting legal liability).
Provide a written follow-up and record learning/actions.
What is notifying patients about a data breach?
Notifying patients about a data breach is a data protection duty. It applies when a personal data breach is likely to cause a high risk to the patient’s rights and freedoms.
A personal data breach could include:
sending letters to the wrong person,
emailing attachments to the wrong address,
a lost laptop or USB containing patient data,
cyber incidents involving unauthorised access.
What triggers patient notification?
A breach must be likely to result in a high risk to individuals (for example, realistic risk of distress, discrimination, identity misuse, or serious loss of confidentiality).
If it doesn’t meet the “high risk” threshold, you don’t tell patients, but you still document the incident and your assessment.
As DPO, we support our customers with this assessment.
When Duty of Candour applies but breach notification doesn’t
These are care incidents without a data breach.
Examples:
Wrong medication dose causes moderate harm.
Delayed diagnosis leads to prolonged pain.
Clinical error with serious impact on the patient.
Why only candour applies: The issue is treatment harm, not information loss, so only Regulation 20 (the Duty of Candour) is triggered.
When breach notification applies but Duty of Candour doesn’t
These are data or security incidents where any clinical harm falls below the Candour thresholds.
Examples:
A letter with results sent to the wrong address.
A referral attached to the wrong record then corrected quickly.
A text meant for one patient sent to another number.
Why only breach rules apply: The primary risk is confidentiality/privacy, not care-related harm. Candour might still be considered if the incident causes moderate/severe or prolonged psychological harm, but it is not automatically triggered just because the data is sensitive.
When both apply
Sometimes an event creates both clinical harm risk and data risk.
Examples:
A cyberattack disrupts urgent care and exposes records.
Wrong notes used in treatment (safety incident) and then sent externally (data breach).
In these cases:
apply Duty of Candour for the care harm/risk, and
assess breach risk for ICO/patient notification.
Coordinate communication so patients get one clear story rather than two clashing letters.
Practical takeaway for practices
Ask two quick questions:
Did something go wrong in care/treatment that caused or risked significant harm? If yes, the Duty of Candour applies.
Was patient data lost, disclosed or accessed improperly, and is there likely to be a high risk to the patient? If yes, notify patients as a breach (and/or report to the ICO).
Can we over-notify to data subjects? Read our blog on this topic here.
If in doubt, speak to your DPO / clinical lead who will help you make that determination.