Blog · Private GP

Is an AI phone agent safe for patient data? Data protection, CQC and information governance

Buy it as carefully as any other system that touches patient records. And be wary of anyone who tells you their AI makes you compliant.

The direct answer

Yes, an AI agent can handle a private GP practice's phone, email and messages within UK data protection law, but only if you buy it as carefully as you would buy any other system that touches patient records.

That means three things, and you should insist on all three from anyone you speak to, including us:

  1. A written data processing agreement, naming who is in charge of the data (you) and who is handling it on your behalf, what is handled, how long it is kept, and where it is stored.
  2. A firm limit on what it is allowed to do. The agent handles practice administration only. It never gives clinical advice, never assesses symptoms, and escalates anything clinical to a person under a rule you write.
  3. A full audit trail. Every conversation logged, reviewable, and attributable.

And one thing to be very clear about, because the industry is sloppy here: no software makes you CQC compliant. Anything that claims to is selling you something. What good software does is support the administration that CQC assesses you on, and give you a record of it.

What the law actually asks of you

Patient information gets the highest level of protection under UK data protection law. The law calls it special category data, and it means the bar is higher than for ordinary business data. In practice, for a private GP practice putting an agent on the phone, that means:

  • A lawful basis, documented.
  • A Data Protection Impact Assessment, the written risk assessment the law expects when new technology touches health data. Do one.
  • A written data processing agreement with the supplier, listing every other company they pass data to.
  • Data minimisation. The agent should collect what the job needs and nothing else.
  • Retention and deletion you control.
  • Role-based access and an audit log.
  • Subject access. If a patient asks what you hold, you must be able to answer, which means transcripts have to be findable.

The regulator's own guidance is the reference point: the Information Commissioner's Office.

Where CQC actually touches this

Private GP services in England are registered and inspected by the Care Quality Commission as independent doctor and clinic services.

Here is the part worth knowing. CQC looks at whether people can actually reach your service when they need it. It sits under a heading called Responsive, in a section called Equity in access, and the wording is:

"We make sure that everyone can access the care, support and treatment they need when they need it." And: "Services are designed to make them accessible and timely for people who are most likely to have difficulty accessing care. When there are barriers, they are removed." (Care Quality Commission, Equity in access)

A phone that nobody answers is a barrier to access. And at the moment, for most practices, it is an entirely undocumented one. You do not know how many people could not get through, and you cannot show anyone what happened to them.

So the honest framing is not "AI makes you compliant". It is:

  • Answering every contact removes a barrier that CQC explicitly cares about.
  • Logging every contact gives you evidence you currently do not have about your own access.

That is a stronger and more defensible claim than any compliance badge.

The safety question underneath the data question

Most practice managers ask about GDPR. Most owner GPs are actually asking something else: what if it says something clinical and gets it wrong?

The answer is that it does not do clinical, at all, by design.

  • It will not assess a symptom, however mild it sounds.
  • It will not say whether something is urgent.
  • It will not interpret a result or recommend a treatment.
  • It will not pretend to be a clinician. It says what it is.
  • If it is unsure about anything, it stops and passes the patient to a person, with a note of exactly what was asked.

This is not a disclaimer bolted on at the end. It is the scope, and it is the reason the thing is safe to put on a medical phone line at all. Clinical risk is excluded by scope and escalated, not "managed by the AI".

For the same reason, be careful with suppliers who wave around the NHS clinical safety standards (the ones with code numbers) as though they were a badge. Those matter when a product is making clinical decisions. The honest position for an admin agent is that it does not make any.

What about the NHS Data Security and Protection Toolkit?

You will see this mentioned a lot. It is a self-assessment NHS organisations complete on how they handle data.

Straight answer: it is not universally mandatory for a purely private clinic. It is required for organisations with access to NHS patient data or systems, and many private clinics complete it anyway because buyers ask for it. Plenty do not.

Do not let anyone imply they have completed it when they have not, and do not claim it yourself unless you have. (NHS Data Security and Protection Toolkit)

The questions to actually ask a supplier

Take this list to any vendor, including us.

  1. Where is the data stored, and in which country?
  2. Will you sign a data processing agreement, and will you show me every other company you pass our data to?
  3. Will you help me complete a Data Protection Impact Assessment, the written risk assessment for using new technology on health data?
  4. What exactly can the agent say, and who decides?
  5. What happens when it does not know the answer?
  6. How does a patient reach a human, immediately, if they want one?
  7. Can I read a transcript of every conversation?
  8. Can I change the wording after go-live, myself?
  9. What happens to our data if we leave you?

If a supplier gets vague on any of those, that is your answer.

Frequently asked

Does it record patient calls?

Conversations are logged and reviewable, which is what lets you audit it and answer a subject access request. You control retention.

Do patients know they are not talking to a person?

Yes. It says what it is. Nobody is deceived.

Does it make us CQC compliant?

No, and be wary of anyone who says it does. It supports the administration CQC assesses, and it gives you a record of your access.

Do we need a Data Protection Impact Assessment?

Assume yes. It is health data and it is new technology, which is exactly what that assessment is for.

Can we keep the clinical system we have?

Yes. It sits alongside your existing practice software. Nothing is ripped out.

CTA: Build your practice's agent, live → https://portal.healthcentre.ai/setup?product=3ad92dec-b0eb-490f-95bd-03e635310947

Put your practice's website address in, and hear it answer, built on your own fees, plans and clinicians.

Build your practice's agent, live