A quarter of GPs use generative AI at work. Here's what your practice should do about it.
In January 2025, researchers surveyed 1,005 UK GPs about their use of generative AI. One in four — 25% — said they were already using tools like ChatGPT in their clinical work (Blease et al., Digital Health, survey fielded 7–26 January 2025). A year earlier, the same team's survey in BMJ Health & Care Informatics had put the figure at 20%.
The trend has not slowed. In December 2025 the Royal College of General Practitioners and the Nuffield Trust published the largest survey yet: of 2,108 GPs, 28% currently use AI tools in clinical practice — and more than half of those users had obtained at least some of their tools themselves, rather than through their practice.
If your practice has eight clinicians, the realistic assumption is that two or three of them use generative AI in their clinical work. The question is no longer whether your practice uses AI. It is whether anyone is in charge of how.
The shadow-AI reality
"Shadow AI" is the use of AI tools at work without the organisation's knowledge, approval or oversight. In general practice it rarely looks like recklessness. It looks like a GP at 7pm with eleven letters still to write, pasting a clinical summary into a free chatbot because it turns a ten-minute job into a one-minute one.
The surveys bear this out. The most common clinical use is generating documentation after appointments: 35% of users in the January 2025 survey reported it, and in the RCGP study 57% cite documentation and note-taking.
What is missing is any organisational scaffolding around that use. In the January 2025 survey, 95% of GPs said they had received no employer-provided training on generative AI; only 11% said their employer encouraged its use, and just 3% said it was prohibited. The dominant employer position is silence. Silence is not a policy, but staff will read it as permission.
The information governance gap
Your practice is the data controller for its patients' information. When a member of staff types patient details into a consumer AI tool on a personal account, that is a processing activity your practice is accountable for — and in most cases it is one that:
- appears in no data protection impact assessment;
- is covered by no processing agreement between the practice and the AI provider;
- sits in no record of processing activities;
- and has retention, storage location and reuse terms that nobody in the practice has read.
GPs themselves see the problem clearly: in the RCGP survey, 82% of non-users named patient privacy and data security among their concerns about AI in general practice.
National guidance is arriving, but unevenly. NHS England published formal guidance for AI ambient scribing products in April 2025, requiring a DPIA, a clinical safety case and clear organisational accountability before deployment. For general-purpose generative AI there is no equivalent national rulebook: the RCGP and Nuffield Trust found implementation depends heavily on local policies, and recommend that practices develop their own interim protocols covering patient consent, approved tools and the reporting of adverse events.
One further point that DPOs increasingly raise: where your data is stored is not the same as who can be compelled to hand it over. Under the US CLOUD Act, a US provider must disclose data in its possession, custody or control when lawfully required, regardless of whether that data is stored inside or outside the United States. That is not a claim that US providers routinely hand over NHS data; it is a statement about where legal control sits. "UK data residency" from a US-owned company answers a different question from "UK jurisdiction", and a careful assessment asks both. (Our two-minute CLOUD Act exposure checker walks you through it for your current tools — no email, no tracking.)
Three things your practice should do this month
1. Put a written AI policy in place
Not next quarter — this month, because the use is happening now. A workable policy fits on a few pages and covers:
- which tools are approved, and that no patient-identifiable data goes into anything else;
- who may use AI, for which categories of task, and that every output is checked by the responsible clinician before it goes anywhere;
- how patients are informed where relevant;
- how staff report problems or near-misses with an AI output;
- a named owner and a review date.
This is exactly the interim local protocol the RCGP and Nuffield Trust recommend. The worst position is the current default: staff using AI anyway, while nobody can say what is allowed.
2. Approve one tool — and make the approved route easier than the shadow route
Prohibition has not worked. On the same survey series, usage grew from 20% to 25% in under a year, and the broader RCGP study now puts AI-tool use at 28%, even though almost no employer encouraged it. Staff use these tools because the time savings are real. The practical move is to give staff one approved tool that your IG lead has actually assessed, so the compliant route is also the convenient one.
Questions worth putting in writing to any supplier — including us:
- Where is the data processed, and on whose hardware?
- Who owns the company, and under which country's jurisdiction does it fall?
- Is our content ever used to train models?
- How long is data retained, and can we delete it ourselves?
- Will you support our DPIA with honest, written answers?
- Can we export an audit trail of usage that belongs to us?
- Does it work alongside EMIS or SystmOne without any integration project?
A supplier who answers all seven plainly, including the uncomfortable ones, is telling you something useful about how they will behave mid-contract.
3. Keep an audit trail
If a patient complains, or the ICO or CQC asks questions, "we have a policy" is a weak answer on its own. You want evidence: who used which tool, for what category of task, and when. At minimum that can be a simple usage log; better, choose a tool that produces an exportable audit trail automatically, so the evidence assembles itself and remains the practice's property.
Together, these three steps — policy, approved tool, audit trail — turn anxious, invisible AI use into something your practice controls and can defend in writing.
A policy template you can adapt this week
We have written a practice AI policy template for English general practice — plain language, aligned with the points above, adaptable in an afternoon — plus a matching DPIA template your practice adopts as its own. Free, instant, no obligation.
If your practice then wants to evaluate an approved tool, our Founding Practice pilot is a free 14-day trial run entirely in writing: no card, no calls, up to five logins, capped at five practices at a time because our hardware is finite and we would rather say so. Details on the GP page.
About Hush AI: Hush AI (hush-ai.uk) is a UK-sovereign AI gateway founded by a practising NHS GP. It runs on UK-owned NVIDIA hardware in England, operated by a UK-owned company — which is a question of jurisdiction, not just data residency. It is not an ambient scribe and not a medical device: it drafts documents under clinician review, and works alongside EMIS and SystmOne with no integration required. Conversation history is stored encrypted on UK hardware until you delete it, and is never used for training. Our NHS Data Security and Protection Toolkit self-assessment is in progress; we publish our certification status, including what we do not yet hold, and will answer the seven questions above in writing for any practice that asks.