AI governance in UK healthcare and the NHS
Healthcare AI in the UK is regulated at the intersection of medical device law (MHRA), data protection (UK GDPR and the common law duty of confidentiality), NHS governance requirements (the Data Security and Protection Toolkit, the NICE Evidence Standards Framework), and professional accountability (GMC, NMC, Royal Colleges). Clinical AI must hold the appropriate MHRA regulatory status for its intended purpose and risk class before NHS deployment, and NHS trusts must demonstrate through their annual DSPT assessment that AI systems handling patient data meet NHS data security standards.
Regulatory obligations at a glance
Key frameworks applying to AI in UK healthcare and the NHS, with the risk level of non-compliance.
MHRA medical device regulation. AI whose intended purpose is diagnosis, treatment recommendation, or clinical risk prediction is regulated as software as a medical device (SaMD) under the UK Medical Devices Regulations 2002. A UKCA marking (or a CE marking, which the MHRA continues to recognise in Great Britain during the transition period) in the correct device class is required before clinical deployment; deploying AI that lacks it in a clinical setting creates significant legal exposure. Risk level: High.
NHS Data Security and Protection Toolkit. NHS trusts must complete the annual DSPT assessment, which covers AI tools that process patient data. AI systems must meet NHS data security standards before clinical deployment. Risk level: High.
UK GDPR and confidentiality. Patient data processed by AI systems requires a lawful basis (and, because health data is special category data, an Article 9 condition), a DPIA where the processing is likely to result in high risk, and compliance with the common law duty of confidentiality. Article 28 processor contracts (data processing agreements) must be in place with any AI vendor that processes patient data on the trust's behalf. Risk level: High.
Evidence Standards Framework. The NICE Evidence Standards Framework for Digital Health Technologies sets the evidence required before AI is adopted into NHS clinical pathways, from analytical validity through clinical effectiveness, with the evidence bar rising with the technology's risk tier. Risk level: High.
CQC inspection. The CQC inspects how care providers use technology, including AI, in patient care. AI governance (risk assessment, staff training, and incident processes) is increasingly examined in inspections. Risk level: Medium.
Professional accountability. Clinicians retain professional responsibility for AI-assisted decisions. Relying on an AI output without understanding its limitations and failure modes may breach the professional duty of care. Risk level: High.