AI in the NHS: Your Rights as a Patient When Algorithms Inform Your Care

The NHS is deploying AI in radiology, diagnostics, triage, and clinical decision support at scale. Patients have rights under UK GDPR, the NHS Constitution, and the MHRA regulatory framework when AI influences their care.

Key Takeaways

The NHS uses AI in chest X-ray analysis, diabetic eye screening, urgent care triage, and clinical decision support. Patients are often not explicitly notified when AI is involved in their care pathway.
Under UK GDPR Article 22 and the NHS Constitution, patients have the right to know if an automated system was solely responsible for a clinical decision with significant effects, to request human review, and to receive an explanation of the AI's assessment.
NHS trusts are required to have Data Protection Impact Assessments for AI systems that process patient data. Under the NHS Data Security and Protection Toolkit, AI tools must meet data security standards before deployment in clinical settings.
Clinical negligence law applies to AI-assisted care in the same way as human clinical decisions. The NHS Resolution scheme covers AI-related clinical negligence claims. The right to raise concerns under the NHS Constitution remains fully applicable.
Patients can request all personal data held by NHS trusts via subject access requests under UK GDPR — including data used in AI-assisted clinical decisions.
AI medical devices used in the NHS are regulated by the MHRA. Patients who experience harm from a defective AI diagnostic tool can report to the MHRA Yellow Card scheme and file negligence claims through standard NHS complaints procedures.

"仅供参考。本文不构成法律、监管、财务或专业建议。如需具体指导，请咨询合格专家。"

Your rights as an NHS patient when AI is involved in your care

AI is now embedded across the NHS. The NHS Fit for the Future 10 Year Health Plan (July 2025) identifies AI as one of five "transformative technologies" alongside data, genomics, wearables, and robotics. The Federated Data Platform, Single Patient Record initiatives, the revamped NHS App, ambient scribing in GP consultations, and AI-driven diagnostics in radiology, pathology, and screening programmes are all in active deployment. As an NHS patient, you have specific rights under UK GDPR (as amended), the Data (Use and Access) Act 2025 (DUAA), the Medicines and Healthcare products Regulatory Agency framework, NHS Constitution commitments, and clinical professional duties.

UK GDPR and the new Articles 22A-D — automated decision-making

Health data is special category data under UK GDPR Article 9, requiring explicit consent or another Article 9 lawful basis (typically Article 9(2)(h) — provision of health or social care). On 5 February 2026, Section 80 of the DUAA came into force, replacing Article 22 of UK GDPR with new Articles 22A-D. This is the most material divergence from EU GDPR since Brexit.

The previous Article 22 operated as a near-prohibition on solely automated decision-making producing legal or significant effects, permitting it only under narrow exceptions. The new framework is more permissive for non-special-category data — but for health data (special category), the stricter regime is preserved. This means: when AI makes solely automated decisions about your healthcare that produce legal or significant effects on you, you retain the right to: not be subject to such decisions without lawful basis (explicit consent, contract, or law); be informed about the decision; obtain meaningful information about the logic involved; request human intervention; express your point of view; and contest the decision.

The CJEU's ruling in Dun & Bradstreet Austria (C-203/22, 27 February 2025) — which UK courts may consider for persuasive value despite Brexit — established that providing a complex algorithmic description alone does not constitute a concise and comprehensible explanation. You are entitled to a genuine explanation that a lay person can understand.

Consent for AI in your clinical care

You retain a right to know how your healthcare is being delivered. Where AI materially affects clinical decisions about you, this should be disclosed. NHS England guidance on ambient voice technology (April 2025) explicitly requires: explicit patient consent before any AI recording begins; patient information that an AI tool will be listening to and processing the consultation; the right to decline; human verification of all AI-generated outputs; and clear privacy documentation.

Patients in the UK have a right to assume that if they consent for medical treatment, the treatment will be delivered by a qualified practitioner. AI augmenting clinical decisions is acceptable — but AI replacing clinical judgement without disclosure raises consent issues. Where you have not been informed about AI use, you can raise this with the practitioner and request information about how the AI contributed to your care.

Your data being used to train AI — the Foresight controversy

You have specific rights regarding use of your NHS data for AI training. The Foresight AI model controversy crystallised these rights. In June 2025, doctors referred NHS England to the Information Commissioner's Office over concerns that patient data gathered during the COVID-19 pandemic was being used to train the Foresight AI model without patient consent. As of 24 March 2026, the British Medical Association is considering collective action around patient data sharing.

Under UK GDPR, your special category data may not be used for AI training without an Article 9 lawful basis — typically explicit consent unless covered by a specific exemption such as research. The National Data Opt-Out gives you the right to opt out of your confidential patient information being used for research and planning purposes beyond your individual care. If you are concerned about AI training on your data, you can: check your National Data Opt-Out status via the NHS website; request a Subject Access Request to NHS England or your trust to see what data is held; raise a concern with the ICO; engage with your local Healthwatch.

NHS England guidance and trust-level governance

NHS England has issued specific guidance on AI information governance via its Information Governance Framework. Trust-level deployment of AI requires: Data Security and Protection Toolkit (DSPT) compliance; clinical safety case (DCB0129/DCB0160 standards) for any clinical AI; information governance approval before live deployment; and Data Protection Impact Assessment (DPIA) for high-risk processing.

If you have concerns about AI use in your local NHS trust, you have multiple escalation routes: the trust's Caldicott Guardian (responsible for patient data confidentiality); the trust's Data Protection Officer; the Patient Advice and Liaison Service (PALS); the ICO for data protection breaches; the trust's Chief Clinical Information Officer.

MHRA and AI medical devices

AI used as a medical device in your care must be UKCA marked (or CE marked under transitional arrangements). The MHRA regulates AI as Medical Device (AIaMD) and Software as Medical Device (SaMD). MHRA's Software and AI as a Medical Device Change Programme has issued progressive guidance through 2021-2026. On 18 December 2025, the MHRA launched a call for evidence to inform the National Commission into the Regulation of AI in Healthcare, which closed 2 February 2026.

If you experience an adverse event from AI-based clinical care, report it through the MHRA Yellow Card scheme (online or via the Yellow Card mobile app). Yellow Card reporting feeds into MHRA post-market surveillance and can prompt regulatory action against unsafe AI medical devices.

Clinical professional duties

Your clinician remains responsible for clinical decisions about your care, even when AI is used. The General Medical Council's Good Medical Practice expects: clinicians to maintain appropriate competency in AI tools they use; document AI's role in clinical decisions in your medical records; explain AI use to you where it materially affects your care; report AI errors or adverse events.

The doctor or nurse cannot defer responsibility to the AI. If an AI tool led to an error in your care, the clinician's accountability remains — and you can raise concerns through the usual complaint pathways (formal NHS complaint, Health Service Ombudsman, GMC/NMC complaint where professional misconduct is alleged).

The DUAA framework for NHS data

The Data (Use and Access) Act 2025 (Royal Assent 19 June 2025) introduced significant reforms relevant to NHS AI: mandatory information standards for health and social care IT systems (interoperability); a statutory framework for smart data sharing schemes; a trust framework for digital identity verification services; broadened definition of scientific research (potentially allowing more flexibility in AI research uses of patient data); revised automated decision-making rules under Articles 22A-D (Section 80, in force 5 February 2026). The DUAA's reforms are intended to enable NHS digital transformation while maintaining patient protections.

Practical steps if you have concerns

Ask your clinician how AI was used in decisions about your care. If concerned, request access to your records via Subject Access Request. Check your National Data Opt-Out status — you can change it at any time. Raise concerns with your trust's PALS service or Caldicott Guardian for confidentiality concerns. Complain through the formal NHS complaint pathway (Patient Advice and Liaison Service then Parliamentary and Health Service Ombudsman) for unresolved issues. Report to the ICO at ico.org.uk for data protection breaches. Report adverse AI medical device events via MHRA Yellow Card. For systemic concerns, engage with Healthwatch and patient advocacy groups including the Patients Association and Doctors Association UK.

Primary sources: NHS England — AI Information Governance · ICO — Automated Decision-Making Rights · Data (Use and Access) Act 2025