We use cookies to help provide you with the best possible online experience.
By using this site, you agree that we may store and access cookies on your device. Cookie policy.
Cookie settings.
Functional Cookies
Functional Cookies are enabled by default at all times so that we can save your preferences for cookie settings and ensure site works and delivers best experience.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Data protection policy for the use of third party software in general practice
1. Purpose
This policy outlines how Irwell Medical Centre ensures the safe, lawful, and ethical use of software (including AI based software the transcribes a conversation between a patient and clinician into a written document), in compliance with UK data protection legislation, including the UK GDPR and Data Protection Act 2018.
2. Scope
This policy applies to:
- All staff (clinical and non-clinical)
- Temporary staff, contractors, and trainees
- All systems and processes involving third party software within the practice
3. Definitions
Ambient AI: Technology that listens to and processes consultations in real time to generate clinical notes or insights.
Personal Data: Any information relating to an identifiable individual.
Special Category Data: Health data requiring higher protection under UK GDPR.
4. Legal basis for processing
The practice processes patient data using Ambient AI and other software under the following lawful bases:
- Article 6(1)(e): Task carried out in the public interest
- Article 9(2)(h): Provision of health or social care
Explicit patient consent may also be sought where appropriate, particularly when introducing new AI systems.
5. Principles of data protection
All use of software must comply with UK GDPR principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
6. Patient transparency and consent
- Patients are made aware that Ambient AI is being used within the practice.
- Information should be provided via privacy notices, posters, and verbal explanation.
- Patients must have the option to opt out without affecting their care.
7. Data collection and use
- Only necessary data for clinical documentation and care should be captured.
- AI-generated notes must be reviewed and verified by a clinician before being added to the patient record.
- A staff member operating any software must check that the correct patient's details are being entered
8. Data security
- All data must be encrypted in transit and at rest.
- Systems must comply with NHS Digital and DSP Toolkit standards.
- Access must be role-based and restricted to authorised personnel.
- Regular security audits and risk assessments must be conducted.
9. Data Storage and Retention
- Data processed by software must be stored within approved UK/EU data centres.
- Retention periods must align with NHS records management guidelines.
- Raw audio recordings should not be retained unless strictly necessary and justified.
10. Third-party processors
- Any software provider must have a formal Data Processing Agreement (DPA) in place.
- Providers must demonstrate compliance with UK GDPR and NHS standards.
- Data must not be used for secondary purposes (e.g., model training) without explicit agreement and safeguards.
11. Data protection impact assessment (DPIA)
- A DPIA must be completed before implementing the use of new software and systems.
- Risks to patient privacy must be identified and mitigated.
- DPIAs should be reviewed regularly.
12. Staff responsibilities and training
- Staff must receive training on data protection and safe software use.
- Clinicians remain responsible for the accuracy of clinical records.
- Any data breaches or concerns must be reported immediately.
13. Data subject rights
Patients have the right to:
- Access their data
- Request correction of inaccuracies
- Object to processing
- Request restriction or deletion where applicable
Requests must be handled in line with practice procedures.
14. Incident management
- Data breaches must be reported to the Data Protection Officer (DPO) immediately.
- Serious breaches must be reported to the ICO within 72 hours.
- Incidents must be documented and reviewed to prevent recurrence.
15. Governance and oversight
- A designated DPO or Caldicott Guardian will oversee compliance.
- Regular audits and reviews of computer system performance and data handling must be conducted.
16. Review
This policy will be reviewed periodically, and if:
- Regulations change
- New software, AI or other computer programs are introduced
- A significant data incident occurs