Confidentiality is core. We teach students not to gossip. Notes are password protected. Doctors are struck off if they reveal private facts about patients in public. And patients need this safety so that they can talk without fear: without an expectation of confidentiality doctors would know even less about patients’ problems.But privacy is eroding. Doctors have long been expected to breach confidences in specific circumstances—for example, in the United Kingdom, if patients disclose conditions that mean they should not drive. In such cases the doctor must tell the government, but only after making “every reasonable effort to persuade them to stop [driving],” and, the General Medical Council says, after the patient has been told in person and in writing.1On its website the Care Quality Commission (CQC) shows the number of patient records that are read during inspections. It says that its inspectors have had confidentiality training and that they “handle many types of sensitive personal information every day and abide by a code of practice, just like GPs.”2The Health and Social Care Act 2008 gave the CQC powers to “access, inspect and take” any documents held by any clinic that it inspects, where it considers this “necessary or expedient.” This is “without the consent of the people to whom those records relate—and even, if necessary, against their wishes.”3 It is unfathomable why the CQC should not ask patients for permission first. As it is, they may never know that their notes have been read by an external agent.UK local health authorities can inspect practices to check whether they have been accurate in their financing. Looking at patients’ notes is again legally allowed as “secondary data use” because the data are not being used for direct patient care but for commissioning, audit, or research.4 Patients may be advised of this when they join a practice, but is it widely and fully understood that this means their notes may be read by other people?Doctors should stand guard over uninformed, unnecessary access to the confidential information entrusted to us. Are we doing enough? Surely, anonymised data would be sufficient for contractual inspections. And patients should know that they can opt out of this secondary use of data by having a code placed on their records. The CQC says that it “should” then respect these patients’ wishes and not open their notes.Many citizens are keen to contribute to high quality academic research; they may be less keen on the myriad other secondary uses of their data. Should we routinely ask patients whether they want their records coded to minimise access by external organisations?