

Medical Records Are Not Personal Health Records: Managing Increasing Requests to Rewrite Clinical Records
The EHR is not a personal health record; it is a professional record containing personal data. We have noticed a big increase in requests to amend, remove or add information to clinical records since the expansion of patient access to online medical records. While some requests relate to genuine inaccuracies and should be corrected, others are not appropriate and can be tricky for our customers to manage. Practices report patients asking for large sections of narrative to be a
1 hour ago · 3 min read


Deceased Patient Records: Who Can Access Them and When?
Being someone's spouse, child, relative or next of kin does NOT automatically give them the right to access a deceased patient's medical records. We often get asked: ✓ Who can legally request deceased patient records ✓ What "intestate" means ✓ When records can be released to family members ✓ How to handle contested will requests ✓ When discretionary disclosure may be appropriate ✓ Common mistakes to avoid. Probably one of the most common questions we receive from practices
11 hours ago · 5 min read


AI-generated requests are increasing, and I don't think it's a bad thing
Organisations should not dismiss or treat requests differently because AI may have been involved. Anyone who knows me knows that I am super passionate about information rights and the role they play in protecting people. At their core, both FOIs and SARs are about empowerment. They are intended to give people the ability to understand decisions, challenge organisations, access their own information, and hold public bodies to account - often where there is a pronounced power i
May 21 · 2 min read


The LENS Journey #2: Clinical Safety Is a Team Sport
One of the things that has become really obvious while building LENS is that AI governance cannot realistically sit with one person. We’ve spent the last few months talking to Clinical Safety Officers, DPOs, digital leads, GP practices and suppliers, and the recurring theme is that the amount of coordination involved is huge. People are trying to pull together supplier information, governance concerns, workflow understanding, technical limitations, clinic
May 14 · 3 min read


The Disappearing First Step: The Experience Ladder Is Breaking
“Are we still creating the conditions through which experience and judgement are formed?” A recent Deloitte article on the growing “experience gap” really fascinated me. It discussed what happens when organisations automate the very work people once learned from. For decades, most careers followed a predictable structure. Entry-level roles provided exposure, repetition, and low-risk responsibility. People learned by doing. They made mistakes in contained environments, gradual
May 11 · 4 min read


The LENS Journey #1: Why We’re Piloting a New Approach to AI Governance in Healthcare
After more than a year of development, testing, discussion and redesign, we’re now approaching go-live for our NHS pilot of LENS (previously CleanAI), a platform designed to support practical AI governance and clinical safety oversight in healthcare settings. LENS stands for Lawful, Explainable, Necessary and Safe. The pilot is focused on a question that feels increasingly important across healthcare: how do organisations safely understand, assess and oversee AI systems in
May 9 · 3 min read


Introducing Our Tech, Rights and Risks Forum for GP Practices
We’re launching a new quarterly forum for our Kafico DPO+ customers, designed to support GP practices with the real-world challenges of data protection, digital tools, and risk management. Each session will bring together practices from across our network to explore practical, relevant topics in a structured and accessible way. A simple format that works Every forum follows the same three core themes: 💻 Tech – the tools and systems you’re using (including AI) ✊🏼 Rights –
Mar 31 · 2 min read


External IT Support: Risks and Issues
Over the past few months, I’ve been looking more closely at something that concerns me: how much real, practical control organisations retain when their IT service is delivered by an external provider. The relationship may be great and the SLA met, but three patterns keep surfacing: concentrated privileged access (single points of failure); remote access to sensitive data without meaningful friction; and customers being charged for access to their own governance informat
Feb 27 · 3 min read


How much does ISO 27001 Cost?
Achieving ISO 27001 certification is a significant step for any organisation aiming to strengthen its information security management system (ISMS). However, one of the most common questions businesses ask is: how much does ISO 27001 cost? The answer is not straightforward, because the total cost depends on several factors, including the size of the organisation, the scope of certification and the existing security posture. This post breaks down the different cost components
Feb 18 · 5 min read


Sharing Health Information with a Complainant When a Person Is Deceased or Lacks Capacity
Handling complaints lawfully and compassionately. Complaints about health or social care are often raised by relatives when the person who received the care is no longer able to complain themselves. This may be because the person has died, is unconscious, or otherwise lacks capacity due to illness or detention. In these cases, our customers can be unsure how much health information they can lawfully share when responding to the complaint. The key point is this: a complaint doe
Feb 10 · 4 min read


Who Really Holds the Keys? Cloud Encryption, Risk Appetite and Why It Matters
Hello again! I’m writing to share a recent development that has quietly reignited an important conversation about cloud security, encryption and something we don’t talk about enough: who actually controls your data in practice. This isn’t a “cloud is bad” piece, and it’s certainly not panic-inducing. But it is a timely reminder that your risk appetite and the sensitivity of your information should directly influence how much control you retain over encryption keys.
Jan 28 · 3 min read


myKafico
We’re excited to share a first look at our new portal for GP practices, designed to make data protection support simpler, clearer and more practical day to day. The portal brings everything together in one place, allowing practices to: obtain disclosure advice when it’s needed; watch on-demand training videos; complete key compliance tasks, including policies, ROPA and audits; view and follow the DPIA process step by step; raise a new DPIA directly through the system; book meetin
Jan 27 · 1 min read


Leaving so Soon? Chatbots that Influence
Recent research into conversational AI has prompted renewed discussion about how these systems interact with users, and why this matters in health and social care contexts. A Harvard study examined how some chatbots respond when users attempt to end a conversation. The researchers were not assessing clinical tools, nor were they evaluating mental health outcomes. Instead, they focused on interaction design: specifically, how systems behave at the point of disengagement. What
Jan 15 · 3 min read


Caldicott Guardians and 'Invisible Processing'
From my daily work supporting Caldicott Guardians, it is clear that artificial intelligence is increasingly embedded in NHS systems under labels such as “decision support”, “productivity tools” or “safety analytics”. While much attention has focused on where patient data flows, the Information Commissioner’s Office (ICO) has highlighted a different and growing risk: processing that generates new data about individuals without their active awareness or understanding. The ICO
Jan 8 · 4 min read


When the Commissioner Is Also the DPO: A Key Governance Risk in Primary Care
As the NHS continues to restructure and Integrated Care Boards (ICBs) take on broader system leadership roles, it’s increasingly common to see ICBs offering shared or centralised Data Protection Officer (DPO) services to GP practices. On the face of it, this makes sense: consistency, efficiency, shared expertise, and reduced burden on already stretched practices. But there is a governance issue sitting underneath this approach that deserves some careful attention, particularl
Dec 15, 2025 · 3 min read


Deepfakes: The Dr Taylor-Robinson Example and How to Reduce the Risk
Deepfakes are being used to drive financial gain through deception. Artificial intelligence has unlocked amazing capabilities, from enhancing video calls to creating convincing virtual actors. But as with all powerful technologies, it has a dark side. Deepfakes, AI-generated images, videos or audio that convincingly imitate real people, are no longer fringe curiosities. They are increasingly being used to misinform, manipulate and, in some cases, profit from deception.
Dec 11, 2025 · 5 min read


When separated parents are in conflict: keeping the child central without becoming the battleground
In my work with general practice, it’s not unusual to see parents who are separated; sometimes amicably, sometimes anything but. A pattern many of my practice customers describe is that a child’s care, or the practice itself, becomes a stick to beat one another with. The practice is asked to “take a view”, restrict access, validate a diagnosis narrative, or produce a letter that helps one parent “win” against the other. If you’ve felt that pressure, you’re not alone. And it
Dec 8, 2025 · 7 min read


Bossware: The Trust Trap
A few weeks ago, one of my customers asked me what I thought about bossware. Then, almost immediately, the same theme started cropping up in my legal journals: articles on workplace monitoring, algorithmic oversight, and “productivity” tooling reframed as compliance. But this isn’t a new problem; COVID was the turning point. The sudden shift to remote work came with an equally sudden expansion of digital monitoring. In the moment, it felt quite different. But remote and hybrid
Dec 4, 2025 · 7 min read


The Case for Confidence in Defensive Breach Reporting
When something goes wrong, most of us would rather over-report than under-report. It feels safer, especially in high-risk domains where trust is fragile and the impact can be significant. But the ICO is clear: defensive reporting isn’t good practice, and defensive notification to individuals can cause real harm. This post is about staying inside the legal thresholds, and staying confident in our decisions. A practical lens for assessing harm: before we get into thresholds, it
Nov 23, 2025 · 4 min read


Duty of Candour vs. Patient Notification for Data Breaches
In healthcare, “being open with patients” can mean more than one legal obligation. Two common ones are the statutory Duty of Candour and patient notification after a personal data breach. They can feel similar because both involve openness, apology and clear communication, but they come from different laws and apply in different situations. Sometimes only one applies; occasionally both apply together. Understanding the difference helps practices respond confidently and
Nov 22, 2025 · 3 min read