Compliance Guide

AI Scribe and GDPR: A UK Compliance Guide

A practical guide to the data protection requirements that apply when using AI medical scribes in UK healthcare settings.

WhiteFieldHealth


AI medical scribes process some of the most sensitive data categories recognised in UK law: health data, which falls under special category data within the UK General Data Protection Regulation (UK GDPR). For clinicians, practice managers, and data protection officers evaluating AI medical scribes, understanding the compliance landscape is not optional. It is a prerequisite for lawful adoption. This guide covers the key GDPR requirements that apply specifically to AI-powered clinical documentation tools in the UK.

GDPR Requirements for Clinical AI

The UK GDPR, retained from EU GDPR after Brexit and supplemented by the Data Protection Act 2018, governs the processing of personal data in the UK. Health data is classified as special category data under Article 9, which means it requires both a lawful basis under Article 6 and an additional condition under Article 9 before it can be processed.

An AI medical scribe processes personal data at multiple stages: audio recording of the consultation (which may contain the patient's name, date of birth, and health information in spoken form), transcription of that audio into text, and generation of a clinical note that contains structured health data. Each processing stage must have a lawful basis, and the overall processing must comply with the data protection principles set out in Article 5 of the UK GDPR.

Article 5 Principles Applied to AI Scribes

  • Lawfulness, fairness, and transparency: Patients must be informed that AI is being used to process their consultation data. Privacy notices must explain what data is collected, how it is processed, and why.
  • Purpose limitation: Data collected for clinical documentation must not be repurposed for marketing, training AI models, or any purpose beyond what was communicated to the patient.
  • Data minimisation: Only the minimum data necessary for generating the clinical note should be processed. Audio recordings should be deleted after transcription unless there is a specific lawful reason to retain them.
  • Storage limitation: Retention periods must be defined and justified. Clinical notes follow NHS Records Management Code retention periods, but audio recordings and intermediate processing data should have much shorter retention.
  • Integrity and confidentiality: Appropriate technical and organisational measures must protect data at every stage, including encryption in transit and at rest, access controls, and audit logging.

Additionally, Article 35 of the UK GDPR requires a Data Protection Impact Assessment (DPIA) for any new processing that is likely to result in a high risk to individuals. AI processing of health data almost always triggers this requirement. The DPIA must assess the necessity and proportionality of the processing, the risks to data subjects, and the measures in place to mitigate those risks. The Information Commissioner's Office (ICO) publishes detailed guidance on conducting DPIAs at ico.org.uk.

Lawful Basis for Processing

Processing health data through an AI scribe requires identifying both an Article 6 lawful basis and an Article 9 condition. This dual requirement is where many organisations encounter complexity. The appropriate bases depend on the context: whether the healthcare provider is an NHS organisation, a private practice, or an occupational health service.

Article 6 Lawful Basis

Article 6(1)(e) Public task

For NHS organisations, processing is typically justified under the public task basis. The provision of healthcare is a task carried out in the public interest, and clinical documentation is a necessary part of delivering that care.

Article 6(1)(b) Contractual necessity

For private healthcare providers, processing may be justified as necessary for the performance of a contract with the patient, where the contract is the provision of healthcare services.

Article 6(1)(f) Legitimate interests

In some contexts, legitimate interests may apply, but this requires a balancing test and is generally considered weaker than public task or contract for health data processing. It should not be the primary basis relied upon.

Article 9 Condition

Article 9(2)(h) Healthcare purposes

This is the most commonly relied-upon condition for clinical AI tools. It permits processing of health data for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems. The processing must be by or under the responsibility of a health professional subject to professional secrecy obligations.

Article 9(2)(a) Explicit consent

Explicit consent is an alternative condition but is generally not recommended as the primary basis for clinical documentation. Consent must be freely given, and in a healthcare setting where refusing consent could affect the quality of record-keeping, the voluntariness of consent is questionable.

It is important to note that the lawful basis and Article 9 condition must be identified before processing begins and documented in the organisation's records of processing activities (ROPA) as required by Article 30. Retrospectively identifying a basis is not permissible under the UK GDPR.

Data Processing Agreements

When a healthcare organisation uses an AI scribe, the relationship is typically that of a data controller (the healthcare provider) and a data processor (the AI scribe vendor). Article 28 of the UK GDPR requires a written contract, commonly called a Data Processing Agreement (DPA), that sets out the terms of the processing relationship.

Essential DPA Provisions (Article 28)

  • Subject matter and duration: The DPA must specify what data is processed, for what purpose, and for how long. For an AI scribe, this includes audio recordings, transcripts, and generated clinical notes.
  • Processing only on instructions: The processor must only process data on the documented instructions of the controller. The vendor cannot use consultation data for their own purposes, including training AI models on patient data.
  • Security measures: The DPA must specify the technical and organisational measures the processor implements, including encryption, access controls, incident response procedures, and business continuity arrangements.
  • Sub-processor management: If the AI scribe vendor uses sub-processors (for example, a cloud hosting provider or a speech-to-text API), these must be disclosed. The controller must have the right to object to new sub-processors, and the vendor must flow down equivalent contractual obligations.
  • Data subject rights support: The processor must assist the controller in fulfilling data subject rights requests (access, rectification, erasure, portability) and DPIA obligations.
  • Audit rights: The controller must have the right to audit the processor's compliance. In practice, this is often satisfied through third-party audit reports (SOC 2, ISO 27001) rather than on-site inspections.

When evaluating vendors, ask for their standard DPA and review it carefully. Pay particular attention to data retention terms, sub-processor lists, international data transfer mechanisms, and what happens to data on termination of the contract. The DPA should explicitly state that the vendor does not use patient data for AI model training or improvement.

Consent in the context of AI medical scribes is frequently misunderstood. There is an important distinction between GDPR consent as a lawful basis for processing and the broader ethical and common-law duty to inform patients about how their data is handled.

As discussed above, GDPR consent (Article 9(2)(a)) is generally not the recommended lawful basis for clinical documentation. However, this does not mean patients should not be informed. The transparency principle (Article 5(1)(a)) requires that patients know their consultation is being recorded and processed by AI. This is typically achieved through privacy notices rather than consent forms.

What Patients Should Know

  • That their consultation will be recorded
  • That AI technology is used to generate clinical notes
  • That the clinician reviews and approves all AI-generated notes
  • That audio recordings are deleted after transcription
  • That they can request their consultation not be recorded
  • How to exercise their data subject rights

Practical Implementation

  • Display clear privacy notices in waiting areas
  • Include AI documentation information in patient registration forms
  • Brief patients verbally at the start of recorded consultations
  • Provide written information patients can take away
  • Update the practice privacy notice on your website
  • Document the patient notification process for audit purposes

If a patient objects to recording, the clinician should be able to conduct the consultation without the AI scribe and document notes manually. The system should support this gracefully. Patient objection should never be a barrier to receiving clinical care. Some patients, particularly those with mental health conditions, survivors of trauma, or those with concerns about data sharing, may have strong reasons for preferring non-recorded consultations.

Data Residency and Storage

Where patient data is processed and stored is one of the most critical compliance considerations for UK healthcare organisations. The UK GDPR restricts transfers of personal data to countries outside the UK unless adequate protection is in place.

Data Processing Locations

For an AI scribe, data processing occurs at multiple points: audio is uploaded for transcription, the transcript is processed by NLP models, and the generated note is stored. Each of these stages may involve different infrastructure. Ask vendors to specify the exact location of every processing stage. "Cloud-based" is not sufficient. You need to know whether data is processed in UK data centres, EU data centres, or US data centres, and whether any data leaves the UK during processing, even transiently.

International Transfers

If any processing occurs outside the UK, the organisation must ensure an adequate level of protection exists. For transfers to the EEA, the UK has made an adequacy finding. For transfers to the US, the UK Extension to the EU-US Data Privacy Framework provides a mechanism, but only for organisations certified under it. For other countries, a UK transfer tool must be in place: the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses. For NHS patient data, the strongest position is to require UK-only processing with no international transfers.

Encryption and Access Controls

Data must be encrypted both in transit (TLS 1.2 or 1.3) and at rest (AES-256 or equivalent). Access to patient data should be restricted to authorised personnel only, with role-based access controls, multi-factor authentication, and comprehensive audit logging. The vendor's staff should not have access to patient data in the normal course of operations. Any access for support or debugging purposes should be documented, justified, and time-limited.

Data retention is equally important. Audio recordings should be deleted as soon as the transcription and note generation are complete. There is rarely a lawful reason to retain consultation audio beyond the immediate processing period. Clinical notes, by contrast, must be retained in accordance with the NHS Records Management Code of Practice, which specifies retention periods of 8 years for general records and 25 years for paediatric or mental health records.
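The retention and access rules described in this section are the kind of thing a scheduled job should enforce mechanically rather than leave to procedure. The following is an added illustration, not code from WhiteFieldHealth or any vendor: it applies the audio-deletion rule, the 8-year and 25-year note retention periods quoted above, and a time-limited, ticket-justified support access grant. The `legal_hold` flag, the `MAX_SUPPORT_ACCESS` window and all sample records are assumptions constructed for the example.

```python
"""Retention and support-access checks for an AI scribe data store (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Retention periods stated in the guide: audio is deleted once transcription
# and note generation finish; clinical notes follow the NHS Records
# Management Code (8 years general, 25 years paediatric or mental health).
NOTE_RETENTION_YEARS = {"general": 8, "paediatric": 25, "mental_health": 25}

# Assumed policy value for this example: a support access grant may not be
# longer than four hours.
MAX_SUPPORT_ACCESS = timedelta(hours=4)


@dataclass
class Consultation:
    consultation_id: str
    record_type: str           # key of NOTE_RETENTION_YEARS
    note_created: datetime     # timezone-aware
    audio_present: bool
    transcription_done: bool
    note_done: bool
    legal_hold: bool = False   # assumed flag: a documented lawful reason to keep data


@dataclass
class SupportAccessGrant:
    engineer: str
    ticket: str                # justification reference (constructed)
    granted_at: datetime
    expires_at: datetime


def add_years(when: datetime, years: int) -> datetime:
    """Add calendar years, clamping 29 February to 28 February in non-leap years."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def retention_actions(consults: List[Consultation], now: datetime) -> List[Tuple[str, str]]:
    """Decide what a scheduled retention job should do for each record.

    Audio is deleted as soon as it is no longer needed for note generation;
    a note is only flagged for disposal review once its retention period has
    elapsed. A legal hold blocks both. An unknown record type is refused
    rather than silently given the shortest period.
    """
    actions = []
    for c in consults:
        if c.record_type not in NOTE_RETENTION_YEARS:
            raise ValueError(f"unknown record type for {c.consultation_id}: {c.record_type}")
        if c.legal_hold:
            actions.append((c.consultation_id, "hold"))
            continue
        if c.audio_present and c.transcription_done and c.note_done:
            actions.append((c.consultation_id, "delete_audio"))
        if now >= add_years(c.note_created, NOTE_RETENTION_YEARS[c.record_type]):
            actions.append((c.consultation_id, "review_note_for_disposal"))
    return actions


def support_access_permitted(grant: SupportAccessGrant, now: datetime) -> bool:
    """Vendor staff may read patient data only under a justified, time-limited
    grant that is currently valid and no longer than policy allows."""
    if not grant.ticket:
        return False
    if grant.expires_at - grant.granted_at > MAX_SUPPORT_ACCESS:
        return False
    return grant.granted_at <= now < grant.expires_at


# Constructed sample data; none of it is real patient information.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Consultation("c1", "general", datetime(2017, 3, 1, tzinfo=timezone.utc), True, True, True),
    Consultation("c2", "paediatric", datetime(2017, 3, 1, tzinfo=timezone.utc), True, True, True),
    Consultation("c3", "general", NOW - timedelta(hours=1), True, True, False),
    Consultation("c4", "general", NOW - timedelta(days=2), True, True, True, legal_hold=True),
]
SAMPLE_GRANT_OK = SupportAccessGrant("eng-1", "INC-1234", NOW - timedelta(hours=1), NOW + timedelta(hours=1))
SAMPLE_GRANT_NO_TICKET = SupportAccessGrant("eng-1", "", NOW - timedelta(hours=1), NOW + timedelta(hours=1))
SAMPLE_GRANT_TOO_LONG = SupportAccessGrant("eng-1", "INC-1234", NOW - timedelta(hours=1), NOW + timedelta(days=3))
SAMPLE_GRANT_EXPIRED = SupportAccessGrant("eng-1", "INC-1234", NOW - timedelta(hours=3), NOW - timedelta(hours=1))

if __name__ == "__main__":
    for cid, action in retention_actions(SAMPLE, NOW):
        print(cid, action)
```

Two design points worth noting: the job never deletes a clinical note on its own, it only flags the note for a human disposal review once the NHS retention period has passed, whereas audio is removed automatically because the guide gives no reason to keep it; and an unrecognised record type raises rather than defaulting, so a misclassified paediatric record cannot quietly inherit the 8-year period.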

NHS Data Security and Protection Toolkit

The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that organisations must complete annually to demonstrate they are practising good data security and handling personal information correctly. It is mandated for any organisation that has access to NHS patient data or NHS systems.

The DSPT is based on the National Data Guardian's ten data security standards, which cover areas including leadership, staff training, data access controls, incident management, business continuity, and accountability. For AI scribe vendors, DSPT compliance demonstrates a baseline level of data security maturity that healthcare organisations should require before entering into any data processing arrangement.

What DSPT Covers

  • Personal confidential data is handled, stored, and transmitted securely
  • Staff understand their responsibilities through appropriate training
  • Access to data is restricted to authorised personnel
  • IT systems are kept up to date with security patches
  • Plans are in place for responding to data security incidents
  • Continuity plans are tested and maintained
  • Data sharing agreements are documented and reviewed

DCB0129 Clinical Safety

Beyond data protection, AI scribes that generate clinical content must also comply with DCB0129, the clinical risk management standard for health IT system manufacturers. This requires maintaining a clinical safety case, appointing a Clinical Safety Officer, and conducting systematic hazard identification and risk assessment. Potential hazards include incorrect medication transcription, omitted allergy information, or inappropriate clinical advice in AI-generated notes. DCB0129 ensures these risks are identified, assessed, and mitigated through design controls, validation testing, and ongoing monitoring.

When evaluating AI scribe vendors, request their DSPT submission status (available on the DSPT portal), their DCB0129 clinical safety case report (or a summary thereof), and evidence of their clinical safety governance arrangements. Vendors who cannot provide these artefacts may not be suitable for processing NHS patient data.

How WhiteFieldHealth Handles Compliance

WhiteFieldHealth is designed for UK healthcare compliance from the ground up, not retrofitted from a product built for a different regulatory environment. Our compliance approach covers every aspect of the data lifecycle from audio capture through to clinical note storage and eventual deletion.

UK Data Residency

All patient data is processed and stored exclusively within UK data centres. Audio recordings, transcripts, and clinical notes never leave UK borders. Our infrastructure is hosted on UK cloud providers that hold ISO 27001 certification and SOC 2 Type II attestation.

Audio Data Minimisation

Consultation audio recordings are automatically deleted after transcription and note generation are complete. By default, audio is retained for no more than 30 days. Organisations can configure shorter retention periods. This aligns with the data minimisation principle and reduces the risk profile of the processing.

Audit Trail

Every action within the platform is logged in an immutable audit trail: note generation, edits, approvals, exports, and access events. Audit logs are retained for 7 years in accordance with NHS records management requirements. Organisation administrators can access and export audit logs at any time.
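An "immutable audit trail" is usually implemented as an append-only log in which each entry carries a hash of the previous one, so that any edit, reordering or deletion after the fact changes every later hash and is detectable. The block below is an added example of that technique; it is not WhiteFieldHealth's implementation, and the event names, actors and resource identifiers are constructed for illustration.

```python
"""Append-only, hash-chained audit trail with tamper detection (added example)."""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(entry: Dict[str, Any]) -> str:
    """Hash a canonical JSON form of the entry (minus its own hash) so that
    key order and whitespace cannot change the digest."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, resource: str,
               when: Optional[datetime] = None) -> Dict[str, Any]:
        """Record an event; each entry commits to the hash of its predecessor."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "resource": resource,
            "prev": prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify(entries: List[Dict[str, Any]]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    entry whose sequence number, back-link or hash does not check out."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev or _entry_hash(e) != e.get("hash"):
            return i
        prev = e["hash"]
    return None


def tampered_copy(entries: List[Dict[str, Any]], index: int, **changes: Any) -> List[Dict[str, Any]]:
    """Deep-copy the log and alter one entry's fields (used to show detection)."""
    out = copy.deepcopy(entries)
    out[index].update(changes)
    return out


def without_entry(entries: List[Dict[str, Any]], index: int) -> List[Dict[str, Any]]:
    """Deep-copy the log with one entry silently removed."""
    out = copy.deepcopy(entries)
    del out[index]
    return out


def build_sample_trail() -> AuditTrail:
    """Constructed events matching the kinds of action the guide lists."""
    t = AuditTrail()
    base = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    t.append("scribe-service", "note_generated", "note/42", base)
    t.append("dr.example", "note_edited", "note/42", base.replace(minute=5))
    t.append("dr.example", "note_approved", "note/42", base.replace(minute=7))
    t.append("admin.example", "note_exported", "note/42", base.replace(minute=30))
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify(trail.entries))                                   # None
    print("edited actor:", verify(tampered_copy(trail.entries, 1, actor="x")))  # 1
    print("deleted entry:", verify(without_entry(trail.entries, 2)))          # 2
```

A hash chain detects modification by anyone who cannot rewrite the whole log; it does not by itself stop an operator with write access to the store from re-hashing everything after a change. For that, the head hash needs to be periodically exported to a place the operator cannot alter (for example, handed to the customer administrator along with the exported logs the text mentions, or signed with a key the storage tier does not hold), so that a re-hashed chain no longer matches the anchored value.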

DPA and Governance

A comprehensive Data Processing Agreement is included with all service contracts. We maintain DSPT-aligned security practices, DCB0129-aligned clinical safety governance, and ICO registration. Formal DSPT submission and DCB0129 certification are in progress. Our sub-processor list is published and customers are notified 30 days before any sub-processor changes.

For detailed information on our full security and compliance posture, including encryption standards, incident response procedures, and healthcare compliance certifications, visit our compliance page.

Continue with WhiteFieldHealth

Compliance-ready clinical AI

WhiteFieldHealth is built for UK healthcare regulation. UK data residency, NHS DSPT, DCB0129 clinical safety, and comprehensive audit logging from day one.

From £40/mo · Structured notes in seconds · Clinician-reviewed output