DPIA for AI in healthcare: when you need one
In short: A Data Protection Impact Assessment (DPIA) is required under UK GDPR whenever processing is likely to be high risk — which includes large-scale use of health data and most innovative AI. For health AI, assume a DPIA is needed, and complete it before processing begins.
Why health AI almost always needs a DPIA
Health data is special-category data under UK GDPR, and AI systems often involve large-scale processing, automated analysis, and novel uses of that data. The Information Commissioner's Office (ICO) treats these as high-risk indicators — so for most health-AI projects, a DPIA is not optional.
What a good DPIA covers
- The processing — what data, from whom, for what purpose, and the data flows.
- Lawful basis — an Article 6 basis plus an Article 9 condition for the health data.
- Necessity and proportionality — is the processing justified and minimised?
- Risks to individuals — including bias, inaccuracy, and loss of confidentiality.
- Mitigations — security, minimisation, transparency, and human oversight.
AI-specific considerations
Beyond standard data-protection points, a health-AI DPIA should address data quality and representativeness, the risk of bias across patient groups, model transparency and explainability, and the human oversight that keeps a clinician in control of decisions. These link directly to clinical safety and governance.
When in the project should you do it?
Before processing begins — and ideally at the design stage. The ICO frames the DPIA as a tool to identify and reduce risk by design, not a document you write to justify a decision already made. Starting early means privacy-protective choices (minimisation, pseudonymisation, access controls) can be built in rather than retrofitted, and it avoids the costly discovery, mid-deployment, that the lawful basis or safeguards don't hold up.
Who is responsible, and who signs off
The data controller is accountable for the DPIA, usually with input from a Data Protection Officer (DPO). For an NHS deployment that is typically the deploying organisation, with the supplier providing clear information about the product's data flows. Suppliers who hand over a well-structured DPIA input dramatically speed up the buyer's own assessment — it is one of the most practical ways to accelerate a deal.
Common pitfalls
- Treating it as paperwork — a DPIA that doesn't actually change any design decision has missed the point.
- Vague lawful basis — naming a basis without the Article 9 condition for health data leaves a gap.
- Ignoring AI-specific risk — bias, drift, transparency and the conditions for safe human oversight all belong in a health-AI DPIA.
- Set-and-forget — a DPIA should be revisited when the processing, model or context changes materially.
How the DPIA fits the wider assurance picture
A DPIA is one pillar of DTAC readiness, sitting alongside clinical safety (DCB0129/0160), DSP Toolkit data-security assurance and security testing. Done well, it is reusable evidence that speeds up procurement rather than a one-off hurdle. See also How the NHS buys digital health.
Meds Global Health helps structure and review DPIAs for health AI. See Data Protection & Security. This is general information; formal sign-off rests with your data controller and DPO.
Frequently asked questions
When is a DPIA mandatory?
Under UK GDPR a DPIA is required where processing is likely to result in a high risk to individuals — which includes large-scale processing of special-category (health) data and many innovative uses of AI. For most health-AI deployments, a DPIA should be assumed necessary.
What does a DPIA cover?
A description of the processing and its purpose; an assessment of necessity and proportionality; the risks to individuals; and the measures to mitigate those risks. For AI it should also address data quality, bias, transparency and human oversight.
Who is responsible for the DPIA?
The data controller is responsible, usually with input from a Data Protection Officer. For an NHS deployment that is typically the deploying organisation, with the supplier providing information about the product.
Is a DPIA the same as clinical safety?
No. A DPIA addresses data-protection risk; clinical safety (DCB0129/0160) addresses patient-safety risk. Both are usually needed for health AI, and they reference each other.
Need help with a health-AI DPIA?
We structure and review DPIAs so they stand up to scrutiny.