Putting Patient Data Into AI: The Information-Governance Question Every UK Clinician Should Ask

There is a question clinicians should ask before any other when a new AI tool appears in the workflow — before "is it accurate?" and before "is it fast?" It is: where does my patient's data go? Accuracy matters enormously, but it is the second question. Information governance is the first, because a tool that mishandles patient data is a problem no amount of clinical accuracy can fix.

Why governance comes first

Patient information is protected by UK GDPR, the common-law duty of confidentiality, and the Caldicott principles. Using patient-identifiable data lawfully requires an appropriate basis and appropriate safeguards. A clinical AI tool processes information — sometimes the consultation itself — so it sits squarely inside that framework. The convenience of a tool does not change the obligations that attach to the data it touches.

The practical upshot is simple to state: patient-identifiable information generally does not belong in a public, consumer AI tool, and any tool you use clinically should be one whose data handling you (or your organisation) have actually checked.

The specific risks worth knowing

  • Where the data goes. Some tools process and store data outside the UK or EEA. Data residency matters for compliance and for trust.
  • Whether your data trains the model. A responsible clinical tool will be explicit that patient or consultation data is not used to train its models. A consumer tool's terms may say the opposite.
  • Consumer terms for clinical use. General-purpose chatbots are governed by consumer terms never written for patient data — there is usually no data-processing agreement appropriate to clinical use.
  • Ambient capture. Scribes record or process the consultation itself. Audio of a consultation is highly sensitive, which raises the governance bar rather than lowering it.

What to check before using a clinical AI tool

A short, practical checklist for any tool that will touch patient data:

  • Is it DTAC-aligned (the NHS Digital Technology Assessment Criteria)?
  • Does the supplier meet the Data Security and Protection Toolkit (DSPT) standard?
  • Where is the data hosted — is it kept in the UK?
  • Is your data used to train the model? You want a clear "no."
  • Is there a data-processing agreement and a DPIA appropriate to your use?
  • Is it deployed through your organisation's governance, rather than something you have signed up to individually for clinical use?

If a tool cannot answer these, that is itself an answer.

The reference-tool nuance

Not every clinical AI tool carries the same data risk, and it is worth being proportionate. Asking a general clinical question — "what is the management of X?" — without entering any patient-identifiable detail is a much lower-risk activity than dictating a consultation or pasting in a patient record. A clinical reference tool used the way a textbook is used — to look something up, not to store a patient's data — sits at the gentler end of this spectrum. Even so, the tool you choose still matters: UK-built tools designed for clinical use are a better fit than consumer products.

Where iatroX fits

iatroX is a clinical reference and learning tool: clinicians use it to ask clinical questions and find source-linked UK guidance, rather than as a place to store patient records. As with any tool, clinicians should follow their organisation's information-governance policies and avoid entering patient-identifiable data where it is not appropriate. The broader point iatroX is built around is the one this article makes: a clinical AI tool should be UK-focused, purpose-built, and transparent about how it works — so that the governance question has a good answer before a clinician ever needs to ask it.

Accuracy will always matter. But the first question — where does my patient's data go? — is the one worth asking out loud, of every tool, before it earns a place in your practice.

Frequently asked questions

Can I put patient information into ChatGPT or other consumer AI tools? As a general rule, no. Entering patient-identifiable data into a public consumer AI tool raises issues under UK GDPR and the duty of confidentiality, and such tools are usually governed by consumer terms not appropriate for patient data. Follow your organisation's information-governance policies.

Is it safe to use an AI scribe in the NHS? It can be, where the product meets NHS governance standards and is deployed through your organisation. Because scribes process the consultation itself, the data-handling bar is higher — check DTAC alignment, DSPT compliance, UK data hosting and a clear position on whether data is used for training.

What are DTAC and DSPT, and why do they matter for clinical AI? DTAC is the NHS Digital Technology Assessment Criteria, a baseline for digital health products; DSPT is the Data Security and Protection Toolkit, an NHS data-security standard for suppliers. Both are practical signals that a tool takes governance seriously.

What should I check before using a clinical AI tool with patient data? Whether it is DTAC-aligned and DSPT-compliant, where data is hosted, whether your data is used to train the model, whether there is an appropriate data-processing agreement and DPIA, and whether it is deployed through your organisation's governance.

Does iatroX process patient data? iatroX is used to ask clinical questions and retrieve source-linked UK guidance, rather than as a store for patient records. As with any clinical tool, clinicians should follow local information-governance policies and avoid entering patient-identifiable data where it is not appropriate.