Question to the Department of Health and Social Care:
To ask His Majesty's Government what assessment they have made of the data protection and confidentiality risks of the deployment of generative AI workplace tools in public sector bodies; and what guidance they have issued regarding the use of those tools in environments handling sensitive or personal data, including NHS organisations.
The Government recognises that the deployment of generative artificial intelligence (AI) workplace tools across the public sector presents data protection, confidentiality, and security risks, particularly where these tools may process sensitive or personal data.
The Government has assessed these risks, which are addressed within the Artificial Intelligence Playbook for the UK Government and the Generative AI Framework for UK Government, both published in February 2025.
The AI playbook makes clear that public sector organisations must comply with UK data protection law when using generative AI, including the UK General Data Protection Regulation and the Data Protection Act 2018. It emphasises the need for data protection impact assessments, clear accountability, human oversight, and restrictions on the use of generative AI tools in environments handling sensitive or personal data unless appropriate safeguards are in place. The generative AI framework provides detailed guidance on privacy, security, and information governance, including data minimisation, purpose limitation, and preventing the disclosure of personal or confidential information through prompts or outputs.
Specific guidance has also been issued for health and care settings. NHS England has published information governance guidance on the use of AI, which has been reviewed by the Health and Care Information Governance Working Group, including the Information Commissioner's Office and National Data Guardian. This guidance addresses confidentiality, lawful processing, consent, and human oversight, and applies to NHS organisations considering or deploying AI technologies, including generative AI tools. NHS bodies are expected to operate within established information governance frameworks and, where appropriate, adopt local AI governance and acceptable use policies consistent with national guidance.