GDPR Article 9 + NHS DSP Toolkit
Patient data is the most protected there is. It's ending up in ChatGPT.
Clinicians paste discharge notes; researchers paste trial data. Under GDPR Article 9 and the NHS DSP Toolkit that's an impermissible disclosure of special-category data. AIovert blocks it on-device. Pseudonymising isn't enough.
This paste contains patient health data (special-category under GDPR Article 9). Sending it to ChatGPT is an impermissible disclosure. It never left the browser.
The exposure
What healthcare pastes into AI, and why it's a problem.
- Clinical notes: discharge summaries and referral letters pasted into an LLM to rewrite or simplify.
- Research data: trial datasets and participant records dropped into AI for analysis or drafting.
- “De-identified” isn't safe: removing the name leaves dates, conditions, and rare combinations that re-identify. Still Article 9 data.
Regulatory mapping
The rules that apply, and where the risk sits.
Special-category data
Health data needs an explicit Art. 9 condition; a paste into a public AI model has no lawful basis.
Data security standards
Sending PHI to unapproved tools fails the Toolkit's data-security and confidentiality standards.
Security & breach
An uncontrolled disclosure of PHI is a security failure and can start the 72-hour breach clock.
Informational mapping, not legal advice. See our compliance overview for the full framework.
How AIovert helps
Block the leak. Log the proof.
- Block PHI on-device: sensitive clinical content is caught in the browser and never reaches the AI tool.
- Privacy by design: classification runs locally. AIovert never sees the raw note, only the classification and the domain.
- Toolkit-ready evidence: every attempt is logged for your DPO and IG team, exportable as audit evidence.