UK Compliance Guide for Clinic AI (2026): GDPR, DTAC, DSPT, CQC & Consent
Deploying AI in a UK clinic is governed by rules that already exist — nothing about AI suspends them. The working stack: UK GDPR (health data is special category data needing an Article 9 condition on top of a lawful basis), patient consent for ambient recording (with a dictation fallback for patients who lack capacity, per Mental Capacity Act principles), a DPIA before go-live, CQC's good-governance regulation for your records and oversight, and — if you touch NHS work — DTAC and the Data Security and Protection Toolkit. This guide turns that into the checks a clinic owner can actually run — practical orientation, not legal advice.
Which framework applies to what
| Framework | What it is | Who it applies to | What to do about it |
|---|---|---|---|
| UK GDPR — special category data | Health data requires a lawful basis (Article 6) plus an Article 9 condition | Every clinic, every AI tool touching patient data | Article 28 processor contract (DPA) with vendor, DPIA, privacy-notice update, data-flow record |
| Patient consent (recording) | Informed consent to capture the consultation | Any ambient/recording scribe | Per-session verbal consent, documented; dictation mode where consent isn't possible |
| Mental Capacity Act 2005 | Framework for decisions when a person lacks capacity | Patients who can't consent to recording | Use dictation instead of recording; follow MCA principles for care decisions |
| CQC Regulation 17 (Good governance) | Accurate, complete, contemporaneous records + quality systems | CQC-registered providers | Documentation standards, systematic audit, AI-use governance on file |
| DTAC | NHS assessment framework for digital health technologies | NHS buyers; suppliers selling into the NHS | Ask NHS-facing vendors for their DTAC evidence; optional signal for private clinics |
| NHS DSPT | Self-assessment against the National Data Guardian's 10 standards | Organisations with access to NHS patient data and systems | Required if you access NHS data; check vendors' DSPT status for NHS work |
| ISO 27001 / Cyber Essentials | Information-security certifications | Vendor signals (and good practice for clinics) | Ask vendors for certificate scope and validity |
Start here: the data protection layer
Everything an AI scribe, receptionist, or audit tool touches is health data, and under UK GDPR health data is special category data: you need both a lawful basis (Article 6; for a private clinic usually contract or legitimate interests, for NHS-funded work public task) and a separate condition for processing special category data (Article 9). For clinical care the usual fit is the health and social care condition in Article 9(2)(h), which through Article 9(3) requires the processing to be by or under the responsibility of someone bound by professional secrecy: in practice, the clinician stays responsible and the vendor acts strictly on your instructions as a processor. The ICO's guidance is the canonical reference. Practically, this translates to four artefacts before any AI tool goes live: an Article 28 processor contract with the vendor (the data processing agreement, since they're your processor), an updated privacy notice telling patients an AI tool is involved and what it does, a record of data flows (what's captured, where it's processed and stored, which sub-processors see it, what's retained and for how long), and a DPIA.
On the DPIA: novel technology processing health data at scale is squarely the kind of processing the ICO expects a data protection impact assessment for. It doesn't need to be a thesis — identify the processing, the risks (mis-transcription entering the record, overseas transfers, vendor training on patient data, retention), and the mitigations (clinician review, UK/EU residency, no-training commitments, deletion schedules) — but it does need to exist before go-live, not after the first complaint.
Consent for ambient recording — and the capacity question nobody covers
Recording a consultation needs the patient's informed consent: tell them what's recorded, what the AI does with it, where it's processed, and that they can decline, then document the consent in the note. Good practice is verbal consent at the start of every session (some tools build the prompt in). The ICO's consent guidance sets the bar: consent must be a real, informed choice, and if saying no is hard, something is wrong with the design. One distinction to keep straight: consent to be recorded is a confidentiality and fairness control, not your UK GDPR lawful basis. The ICO steers care providers away from relying on consent (Article 6(1)(a) and Article 9(2)(a)) for processing that is necessary for care, because a patient who can't refuse without losing the service hasn't consented freely. Keep the health and social care condition as your Article 9 condition, and make declining the recording cost the patient nothing: the dictation route documents the session just as well.
The harder case is the patient who can't give informed consent to recording, common in community, neuro, and elderly-care caseloads. The Mental Capacity Act 2005 governs decisions for people who lack capacity, and its five principles (assume capacity; support the person to decide before concluding they can't; an unwise decision is not evidence of incapacity; act in best interests; choose the least restrictive option) point to a practical answer for scribes: don't record, dictate. Capacity is decision-specific and time-specific, so assess it for the recording decision itself, with a supported explanation, rather than carrying over a view formed about treatment. Where the patient still can't consent, the least restrictive option is clear: most scribes offer a dictation mode in which the clinician dictates findings after the session and the AI structures the note, with no patient audio captured at all, so make that mode a hard requirement at selection. Clinics that treat this caseload should write the rule down: ambient recording only with documented consent; dictation mode otherwise. It's the difference between a tool that fits your whole caseload and one that quietly excludes your most vulnerable patients.
The NHS-facing frameworks: DTAC and DSPT
DTAC, the Digital Technology Assessment Criteria, is NHS England's assessment framework for digital health technologies, covering clinical safety, data protection, technical security, interoperability, and usability and accessibility. It's a buyers' framework: NHS commissioners and providers use it to assure products they procure. If you're a private clinic, DTAC isn't a legal requirement for you, but a vendor that has been through DTAC (or supplies DTAC evidence) has answered, in writing, most of the questions this guide says to ask, which is why it's a useful signal even outside the NHS. DSPT, the Data Security and Protection Toolkit, is the NHS's self-assessment against the National Data Guardian's ten data security standards, required for organisations with access to NHS patient data and systems. If your clinic holds NHS contracts or accesses NHS systems, DSPT applies to you; either way, a vendor's DSPT status is worth checking for NHS-adjacent work.
CQC, professional standards, and where AI audit fits
For CQC-registered providers, Regulation 17 (Good governance) requires maintaining securely an accurate, complete, and contemporaneous record for each service user, and operating systems to assess and monitor quality. AI changes the inspection conversation in two directions: you should be able to explain which AI tools touch your records and the controls around them (consent, review, DPIA), and AI can strengthen your evidence — systematic documentation audit with 100% coverage is a materially better well-led story than quarterly sampling. Professional standards run alongside: HCPC registrants must keep full, clear, and accurate records, and the CSP publishes record-keeping guidance for physiotherapy — AI drafts don't dilute the registrant's personal responsibility for every filed note.
The vendor checklist: ten questions in writing
- Where is patient data stored and processed (UK, EU, or elsewhere)? Which sub-processors see it, in which countries, and what transfer mechanism (UK adequacy regulations, or the ICO's IDTA or Addendum) covers any transfer outside the UK?
- Will you sign a data processing agreement? (If hesitation: walk away.)
- Is patient data used to train AI models? The answer should be an unqualified no.
- What exactly is retained — audio, transcript, note — and for how long? What's the deletion schedule?
- How is consent captured and recorded? Is there a dictation mode for patients who can't consent to recording?
- Does the workflow force clinician review before output enters the record?
- What certifications do you hold — ISO 27001 (what scope?), Cyber Essentials, DTAC evidence, DSPT status?
- What happens to our data if we cancel?
- Have you completed a DPIA template or clinical-safety documentation we can reference in ours? For clinical safety, ask for the DCB0129 clinical safety case and hazard log (DCB0129 is the manufacturer's standard; DCB0160 is the deploying organisation's counterpart, mandatory for NHS providers, and a useful model for private clinics).
- Who do we call when something goes wrong, and what's your breach-notification commitment? UK GDPR Article 33 obliges a processor to notify the controller without undue delay, and gives you 72 hours from becoming aware to notify the ICO where required, so the contract should name a contact and a timescale in hours, not 'promptly'.
How we chose
This guide summarises the frameworks as they stood on 10 June 2026, linking the canonical sources — ICO guidance for UK GDPR and consent, legislation.gov.uk for the Mental Capacity Act, CQC's regulation pages, NHS England's DTAC page, and the DSPT portal — rather than paraphrasing from memory. It's a practical orientation for clinic owners, not legal advice: for contentious cases (capacity disputes, novel data flows, NHS contracting) take advice from your indemnifier or a data-protection professional.
Motics is our product and is mentioned once, in a labelled transparency callout, with the same checklist applied to it as to any vendor. The rest of the page is vendor-neutral by design — the frameworks don't care whose AI you buy.
Frequently asked questions
Do I need patient consent to use an AI scribe?
For ambient recording, yes — recording a consultation processes special category health data, and patients need to know and agree: what's captured, what the AI does, where it's processed, and that declining is fine. Capture verbal consent at the start of each session and document it in the note. For dictation mode — where the clinician dictates after the session and no patient audio is captured — recording consent doesn't arise, though your privacy notice should still disclose AI processing of the dictated content.
What about patients who lack capacity to consent to recording?
Don't record them, dictate instead. The Mental Capacity Act 2005's five principles (assume capacity; support decision-making; an unwise decision is not incapacity; best interests; least restrictive option) govern decisions for people lacking capacity, and capacity is assessed per decision, so check it for the recording decision itself after offering a supported explanation. Where the patient still can't consent, an audio recording of the consultation is rarely necessary when a dictation workflow achieves the same documentation without capturing patient audio. Practical policy: ambient recording only with documented consent; dictation mode for everyone else. If your caseload is largely community, neuro, or elderly care, make dictation support a hard requirement when choosing a scribe.
Do I need a DPIA before deploying clinic AI?
Almost certainly. A data protection impact assessment is required for processing likely to result in high risk, and systematic processing of special category health data with novel technology is the textbook case. Keep it proportionate: describe the processing, name the risks (transcription errors entering records, overseas transfers, vendor training on data, retention), and document the mitigations (clinician review, UK/EU residency, no-training commitment, deletion schedule, consent workflow). If a high residual risk remains that you can't mitigate, UK GDPR Article 36 requires you to consult the ICO before starting. Do it before go-live, and revisit it when you add a new agent or the vendor changes sub-processors.
Is DTAC required for private clinics?
No — DTAC is NHS England's assessment framework for digital health technologies, used by NHS commissioners and providers when procuring; it isn't a legal requirement for private practice. It's still useful to you in two ways: a vendor with DTAC evidence has already answered the clinical-safety, data-protection, and security questions you'd otherwise have to ask one by one, and if you ever take NHS work, your tooling choices won't need re-litigating. Treat it as a strong signal, not a gate.
What is the NHS DSPT and does my clinic need it?
The Data Security and Protection Toolkit is an online self-assessment against the National Data Guardian's ten data security standards, required for organisations with access to NHS patient data and systems. A purely private clinic with no NHS data access doesn't need to complete it; a clinic holding NHS contracts, receiving NHS referrals with shared records, or accessing NHS systems does. Vendor-side, DSPT status is worth checking whenever your AI tool will touch NHS-origin data.
What certifications should I look for in an AI vendor?
In rough order of usefulness: ISO 27001 (ask for the certificate scope — organisation-wide vs a narrow slice), Cyber Essentials or Cyber Essentials Plus, DTAC evidence (for NHS-facing tools — TORTUS and Heidi, for example, publish DTAC positions), NHS DSPT status, and clinical-safety documentation (DCB0129) where the tool affects clinical workflows. Certifications are necessary-not-sufficient: pair them with the contractual answers — DPA, no-training commitment, residency, deletion — because a certificate doesn't bind behaviour; a contract does.
Can AI vendors train their models on our patient data?
Only if you let them — and you shouldn't. The question to put in writing: 'Is any patient data (audio, transcripts, notes, metadata) used to train or improve AI models, yours or your suppliers'?' The acceptable answer is an unqualified no, reflected in the DPA. Watch for soft language: 'we may use data to improve our services' can mean training. Among the tools we've reviewed, no-training commitments are published by several vendors (Motics included) — treat any ambiguity as a no-bid.
What should our privacy notice say about AI?
Plain-language additions covering: that the clinic uses AI tools for documentation/reception/administration, what they do (e.g. 'draft clinical notes from consultations for clinician review'), the consent process for any recording, where data is processed and stored, retention periods, the vendor's role as a processor, and patients' rights including how to decline recording. Keep it specific enough to be honest and short enough to be read — and update it when you add a new agent, not annually in arrears.
Do I need to tell my indemnity provider or insurer about AI tools?
Tell them — it's rarely required as a condition precedent, but it's cheap insurance against an awkward conversation after an incident. A one-paragraph notification ('we use an AI scribe with mandatory clinician review; consent and DPIA in place') typically draws either no objection or useful guidance. The same logic applies to CQC inspection prep: AI use you can explain, with controls on file, reads as well-led; AI use discovered ad hoc reads as the opposite.
Does using AI change who is responsible for the clinical record?
No — and every framework on this page assumes it. The clinician who files the note owns it: HCPC registrants' record-keeping duties apply to AI-drafted notes exactly as to typed ones, CQC's accurate-complete-contemporaneous standard doesn't care who drafted the first version, and 'the AI wrote it' is not a defence anywhere. That's why mandatory clinician review is a non-negotiable vendor requirement, and why documentation audit (sampling or 100%-coverage) matters more, not less, as AI drafts a growing share of the record.
Sources
- ICO — special category data (UK GDPR guidance)
- ICO — consent (UK GDPR guidance)
- Mental Capacity Act 2005 — legislation.gov.uk
- CQC — Regulation 17: Good governance
- NHS England — Digital Technology Assessment Criteria (DTAC)
- NHS Data Security and Protection Toolkit
- HCPC — Standards of conduct, performance and ethics (Standard 10: records)
- CSP — Record-keeping guidance
- TORTUS — compliance (example of NHS-facing vendor evidence)
- Heidi — UK compliance (example of published vendor evidence)
- Motics — security