DSPT and AI: what GP practices need to know

13 June 2026 · 5 min read · written by a practising NHS GP

Every GP practice completes the Data Security and Protection Toolkit each year. It is a self-assessment: a written statement of how your practice actually handles personal data, mapped to the data security standards every organisation with access to NHS patient data is expected to meet. The toolkit is evolving — NHS data security assessment is moving towards the Cyber Assessment Framework — but the thing it is really asking has not changed: do you know where your data goes, who can reach it, and can you show it?

There is no box on the toolkit marked “AI”. That sounds like good news. It isn't, quite — because it means staff use of generative AI doesn't announce itself anywhere in your submission, while it can quietly make several of your existing answers inaccurate.

Why AI touches your DSPT even though it isn't named

The toolkit is built on a small number of true statements about your practice: you know what personal data you hold and where it flows, you only use systems you have assessed, your processors are accounted for, and your staff are trained. Generative AI cuts across all four.

When a staff member pastes a patient-identifiable letter into a consumer chatbot, your practice has just acquired a new data flow to a new processor, in an unknown jurisdiction, that no one assessed — and your DSPT answers, written in good faith, no longer describe what is actually happening. The toolkit assumes your answers are true. Shadow AI is the most common way they quietly stop being true.

The honest position: you don't need an exemption, you need to account for it

You do not have to declare anything AI-specific, and there is no special dispensation to chase. You simply have to be able to account for AI use the way you account for any other system that touches personal data. A practice that can do that has nothing to fear from the question; a practice that can't has a gap whether or not anyone asks. Here is what “able to account for it” looks like in practice.

Six things that make AI defensible in your toolkit

  1. A written AI policy with an approved-tools list. The toolkit rewards having a clear, current position. A short policy that names which tools are permitted — even if that list starts empty — turns “we hadn't thought about it” into a documented control.
  2. A DPIA for the AI use you allow. Generative AI on personal data is exactly the kind of new processing a Data Protection Impact Assessment exists for. One DPIA covering your approved use is the single most useful document you can attach to the conversation.
  3. The hard rule, written down: no patient-identifiable data into unassessed tools. This is the line that keeps an unapproved chatbot from ever becoming an unrecorded processor. It belongs in the policy and in staff induction.
  4. A record that names the tool and where it processes data. Your record of processing should be able to say where an approved AI tool runs and who could be compelled to hand data over. This is where sovereignty stops being a slogan and becomes a toolkit answer: a UK-owned tool running on UK hardware, outside US CLOUD Act reach, is a materially shorter answer to write than “a US-owned cloud service.”
  5. An audit trail you can actually produce. “We control it” is worth little if you can't show usage on request. A tool that exports a signed log of who used it for what is the difference between asserting a control and evidencing one.
  6. Staff awareness. The toolkit expects your people to be trained on data handling. A two-line brief — here is the approved tool, here is the rule on patient data — covers AI inside training you already do.

The point is the gap, not the paperwork

None of this is about generating documents to wave at an auditor. It is that the toolkit is a yearly moment to check whether your written account of your practice still matches reality — and AI is the fastest-moving reason the two drift apart. The practices in the strongest position are not the ones that banned AI; bans get ignored under time pressure and drive use underground, where it is least visible to your DSPT. They are the ones that gave staff one assessed, approved tool, wrote down the rule, and kept the receipts.

Free practice AI policy template + DPIA

The policy and DPIA above, in plain English, vendor-neutral, no sign-up to read — the two documents that turn AI use into a DSPT answer you can defend.

Hush AI (hush-ai.uk) is a UK-sovereign AI assistant founded by a practising NHS GP. It drafts documents under clinician review — not an ambient scribe, not a medical device — on UK-owned hardware, outside US CLOUD Act jurisdiction, and never trains on your data. It gives a one-click signed audit export, and the policy and DPIA templates are free and vendor-neutral: useful whether or not your practice ever uses Hush. This article is general information, not regulatory or legal advice; your DSPT submission remains your practice's responsibility.