Privacy Notice – Use of Artificial Intelligence

Introduction

At The Village Practice we have a legal duty to explain how we use any personal information we collect about you at the organisation.

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you and is aligned to the Practice Privacy Notice. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer via the practice.

The main things the law says we must tell you about what we do with your personal data are:

  • We must let you know why we collect personal and healthcare information about you
  • We must let you know how we use any personal and/or healthcare information we hold about you
  • We need to inform you in respect of what we do with it
  • We need to tell you about who we share it with or pass it on to and why
  • We need to let you know how long we can keep it for

The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25 May 2018, repealing the Data Protection Act (1998). Following Brexit, the GDPR became incorporated into the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2 titled The UK GDPR.

For the purpose of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (DPA2018) and Part 2 the UK GDPR).

Lawful basis

The lawful basis to process your personal data does not change because we use Artificial Intelligence (AI). This notice is in addition to our Practice Privacy Notice which can be viewed on our website.

Which AI Tools will we use?

This organisation uses AI tools to give us the ability to create human-like text and context and answer questions in a conversational manner. These AI tools are used to simplify processes to improve the efficiency, quality and speed of our business processes so valuable clinical staff time can be better used in delivering patient care.

As time progresses, it is likely that we will expand the use of AI, but each use case will be subject to the same high level of scrutiny.

At The Village Practice the following AI tools are used:

How do we use AI?

The use of AI is the biggest and fastest moving change to computing in recent years. It is a new technology that requires careful governance to ensure its use is safe and does not expose personal data about our service users and staff to unnecessary risk.

Examples of its use include:

  • Internal business meeting notes and any action points
  • Summaries of multi-disciplinary team meetings where our service users and patients cases are discussed
  • To support both the compiling and documenting of a patient’s clinical record
  • Data gathering for research purposes

Should you not wish the clinician to use any AI during your consultation, please make them aware of this.

Governance of AI

We are aware of the risks when using AI. It is totally dependent upon development and training so we must be mindful of some key risks when it can:

  • Get things wrong and present incorrect statements as facts (a flaw known as ‘AI hallucination’)
  • Be biased and often gullible when responding to leading questions
  • Be coaxed into creating toxic content as it is prone to ‘prompt injection attacks’
  • Be corrupted by manipulating the data used to train the model (a technique known as ‘data poisoning’)

Before their use is approved, AI tools are subject to enhanced Data Protection Impact Assessments for the specific use case requested. These are considered by the Information Governance Lead and Data Protection Officer to decide if they are fit for use.

At this organisation, we see AI as a tool to support our work. However, ownership and accountability will always remain with our staff members who use and double check the product generated by AI, e.g., the accuracy of a clinical note.

We are required by law to provide you with the following information about how we handle your information:

Data ControllerDr Vinesh Sobha contact via the practice.
Data Protection OfficerPete Kelly and Asmin Patel contact via the practice.
Purpose of the processingIn support of direct health or social care to individual patients.   The main types of personal data that will be processed during a consultation or multi-disciplinary meeting would be the patient’s name, contact details, medical history, diagnosis, treatment information, and any other information shared during consultations or the meeting.   This may also include an audio recording of the clinician(s), although this is to detail their professional identifiers such as name and title.   To check and review the quality of the AI use which is called audit and clinical governance.  
Lawful basis for processingThese purposes are supported under the following sections of the GDPR:   Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation’   Article 6(1)(e)processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’   Should information be gathered by AI for medical research purposes, then there are Article 9 conditions:   Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’   Article 9(2)(i)processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’   Article 9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’   Furthermore, the Data Protection Act 2018, Schedule 1: Part 1 describes conditions for processing personal data for health, public health, social care and research purposes. Part 2 sets out the conditions for processing personal data on the grounds of substantial public interest   Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.  
Recipient or categories of recipients of the processed data  The data will be shared with:   AI specialised data centre as detailed within the Data Protection Impact Assessment (DPIAHealthcare professionals and staff at this organisation For medical research, the data will be shared with National Institute of Heath and Care Research  
Right to access and correctYou have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our Access to Medical Records Policy.   We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.  
Retention periodRecords will be kept in line with the law and national guidance. Information on how long records are kept can be found in the Records Management Code of Practice
Right to complain  In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).   Further details, visit https://ico.org.uk/for-the-public/ and select “Make a complaint” or telephone: 0303 123 1113.  

Updated 29 December 2025