Are AI Dental Scribes GDPR-Compliant? Recording, Consent & Privacy Risks (UK)

An AI dental scribe can be used compliantly under UK GDPR, but it is not compliant by default. Because most scribes record the spoken consultation, they handle special-category (health) data — which needs an Article 6 lawful basis and an Article 9 condition, a privacy notice, a written processor contract (DPA), a transfer mechanism if data leaves the UK, and in most cases a Data Protection Impact Assessment (DPIA) before you go live. The practice, not the vendor, is the data controller.

This guide is written for the people who sign off the purchase: principals, practice managers, DPOs and their advisers. It explains where personal and special-category data actually flows in an audio AI scribe, what UK GDPR expects, and how a structured, no-audio notes tool changes the risk profile. It is general information about data protection, not legal advice — take your own advice on your specific setup. Last reviewed: June 2026.

Audio AI scribe vs structured (no-audio) notes app: what each one processes

The single biggest privacy variable is whether the product records the patient at all. That one design choice drives almost every downstream obligation.

| Data dimension | Audio / ambient AI scribe (e.g. voice-transcription tools) | Structured, no-audio notes app (e.g. Nosht) |
| --- | --- | --- |
| What is captured | Live audio of the consultation — clinician and patient voices | Clinician-typed shorthand only; no voice capture in this workflow |
| Special-category (health) data | The entire spoken history, symptoms and findings — captured verbatim | Clinical descriptors entered into fixed template fields |
| Patient identifiers | Names, dates of birth, addresses spoken aloud are captured in the audio | Shorthand is designed to exclude patient identifiers; clinical notes hold descriptors, not demographics |
| Sent to a generative AI model | Transcript (and sometimes the raw audio) is processed by speech-to-text and an LLM summary | Shorthand pre-fill sends only your typed shorthand, constrained to the active template’s allowed values; the optional Bulletproof completeness check sends the drafted note text — text only, no audio; a deterministic engine handles most input first |
| Recording / transcript retained | An audio file and/or transcript may persist per the vendor’s terms | No audio is recorded in this workflow; under Nosht’s data-processing arrangement with Anthropic, inputs and outputs are not used to train Anthropic’s models, and under Anthropic’s standard commercial API terms are retained only for a limited period (up to 30 days) for trust, safety and abuse-monitoring purposes, then deleted, except where Anthropic is required to retain them for longer to meet legal or safety obligations |
| Patient transparency burden | Higher — patients normally must be told the consultation is being recorded | Lower — there is no patient recording to disclose |
| Becomes a disclosable record? | A recording/transcript can become part of the clinical record and be disclosable | No recording is created; the saved note is the record, as with any typed note |

The takeaway: an audio scribe is a recording device plus an AI pipeline. A structured notes tool is closer to a faster way of typing. Both can be run lawfully — but they are not the same compliance project.

How an audio AI scribe works end-to-end (and where the data goes)

To assess the risk you have to follow the data. A typical ambient/voice AI scribe runs roughly like this:

  1. Capture. The microphone records the live consultation — both clinician and patient. This audio is special-category data the moment it contains health information, which is immediately.
  2. Transmission. The audio (or a stream of it) is sent to the vendor’s servers, often via a third-party cloud provider.
  3. Transcription. A speech-to-text engine converts the audio to text. This may be the vendor’s own model or a third-party sub-processor.
  4. Summarisation. A large language model (LLM) turns the transcript into a structured clinical note. This is frequently a third-party foundation model accessed via API.
  5. Storage. The transcript, the generated note, and sometimes the original audio are stored — for how long depends entirely on the contract.
  6. Review. The clinician edits and saves the note into the practice management system (PMS).

Every numbered step is a point where special-category data is created, moved, processed or retained. Each one needs a lawful basis, a contract, and a security and retention answer. The more parties in the chain — cloud host, transcription provider, LLM provider — the more sub-processors you are accountable for.

The UK GDPR basics: Article 6, Article 9 and ICO expectations

Health data is special-category data under UK GDPR Article 9(1). Processing it lawfully requires two things, not one:

  • An Article 6 lawful basis — for clinical care this is commonly "legitimate interests" in the private sector or "public task" for NHS work. (Relying on consent as your Article 6 basis is usually discouraged for care delivery, because GDPR consent must be freely given and freely withdrawable.)
  • An Article 9 condition — for healthcare the usual route is Article 9(2)(h), "provision of health or social care," which in the UK also requires you to meet a condition in Schedule 1 of the Data Protection Act 2018.

A crucial distinction for clinicians: GDPR consent (a lawful basis) is not the same as clinical consent to treatment. You can have valid clinical consent and still need a separate, correctly chosen data-protection lawful basis for recording and processing the consultation.

The Information Commissioner’s Office (ICO) is the UK regulator. Its published guidance on AI and data protection sets the expectations buyers should test against: meaningful transparency, a lawful basis identified before processing, data minimisation, accuracy, security, and a DPIA for high-risk processing. Using a new AI technology to process special-category data at scale is the textbook trigger for a DPIA.

Do you have to tell patients they are being recorded?

Yes. Transparency is a core UK GDPR principle (Article 5(1)(a)), and Articles 13–14 require you to tell people what data you collect and why. If an AI scribe records the consultation, patients should be informed — in your privacy notice and, in practice, before recording starts. Covert recording of patients would breach the transparency principle and sits uneasily with professional standards on honesty and trust.

Whether you also need explicit GDPR consent depends on the Article 6 / Article 9 route you choose; many providers rely on Article 9(2)(h) rather than consent. But informing patients is not optional regardless of the lawful basis. Patients can also object, and you need a workable answer for the patient who says "please don’t record me."

A no-audio tool sidesteps this conversation entirely: if nothing is recorded, there is no recording to disclose or justify. The note is generated from the clinician’s own shorthand, exactly as a typed note always has been.

The five privacy risks buyers most often miss

Audio AI scribes are not inherently unsafe, but these are the issues that turn up in a serious due-diligence review.

  1. Third-party sub-processors. Your patients’ data may pass through a cloud host, a transcription provider and a separate LLM provider. You are accountable for all of them, and you need each named in the contract.
  2. "Training on your data" clauses. Some AI terms permit the provider to use submitted content to improve or train models. For patient data this is a serious red flag. Look for an explicit no-training commitment in writing, and ask how long inputs and outputs are retained and for what purpose.
  3. Cross-border transfers. Many AI providers are US-based. Sending UK patient data to the US engages UK GDPR Chapter V and needs a valid transfer mechanism — the UK Extension to the EU–US Data Privacy Framework where the recipient is certified, or an International Data Transfer Agreement (IDTA) / the UK Addendum to the EU SCCs, supported by a transfer risk assessment.
  4. Retention. How long are the audio, the transcript and the note kept? Indefinite retention of consultation audio multiplies your breach exposure. The principle is storage limitation: keep it no longer than necessary.
  5. Recordings as disclosable records. A retained recording or transcript can become part of the clinical record — disclosable in a subject access request, a complaint, or litigation. That raises the stakes on accuracy, security and retention of every audio file you create.

Your DPIA and data-controller obligations

In nearly all cases the dental practice is the data controller and the AI vendor is a processor. That allocation matters because the accountability — and the regulatory liability — sits with the controller. Your core obligations:

  • Run a DPIA before you start (Article 35) where processing is high-risk — which large-scale processing of special-category data using new AI technology generally is. The DPIA documents the data flows, the risks and your mitigations.
  • Have a written processor contract / Data Processing Agreement (Article 28) that names sub-processors, restricts processing to your instructions, and sets security and deletion terms.
  • Maintain your record of processing activities (Article 30) and update your privacy notice.
  • Confirm the transfer mechanism for any data leaving the UK (see above).
  • Be able to honour data-subject rights — access, rectification, erasure, objection — including for any retained recordings.

We have deliberately kept this generic. Vendors differ, terms change, and you should verify each provider’s current contract rather than rely on any third-party summary — including this one. For a deeper UK-specific walkthrough, see our guide to GDPR compliance for dental software in the UK (linked under Related guides below).

The lower-risk alternative: structured capture with no audio

The reason audio scribes carry so much compliance weight is that they record people. Remove the recording and most of the heavy lifting falls away.

Nosht is built on this principle. It is a structured clinical-notes tool, not a voice scribe:

  • No audio in this workflow. Nosht’s structured-notes workflow does not record audio: you type shorthand and the app structures it. There is no voice capture in this workflow.
  • Optional, clinician-reviewed AI. Nosht uses one AI model — Anthropic’s Claude Haiku 4.5 — for three optional, text-only AI features: shorthand pre-fill (turning your typed shorthand into structured template fields), an advisory note-completeness check (Bulletproof Mode), and a mobile typed-shorthand scribe. Every field the AI fills is a suggestion you review and can edit before saving. The clinician confirms every field and remains responsible for the record.
  • A deterministic core. Most of the work is done by deterministic rules — pattern-matching and lookup tables, plus defaults learned from your own previous choices — not by a generative model. For shorthand pre-fill, only your typed shorthand is sent, constrained to the active template’s allowed values. The optional completeness check (Bulletproof Mode) sends the drafted note text you have written for an advisory review — still text only, no audio, designed to exclude patient identifiers, and not logged by Nosht.
  • Designed to exclude patient identifiers. Nosht’s clinical notes hold clinical descriptors, not names, dates of birth or NHS numbers, and the shorthand sent to the AI is designed to exclude patient identifiers.
  • No training on your data. The AI is Anthropic’s model accessed via API — inputs and outputs are not used to train Anthropic’s models, and under Anthropic’s standard commercial API terms are retained only for a limited period (up to 30 days) for trust, safety and abuse-monitoring purposes, then deleted, except where Anthropic is required to retain them for longer to meet legal or safety obligations. It is not a "Nosht-built" or fine-tuned model.
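As an added illustration of two of the design points above (text-only egress with identifiers excluded, and AI suggestions constrained to the template’s allowed values), here is a gate of the kind a practitioner might put in front of any outbound call to a third-party model. It is example code written for this page, not Nosht’s or Anthropic’s code; the template, its allowed values, the sample shorthand and the identifier patterns are all constructed, and only the NHS-number modulus-11 check-digit rule is a real published rule.

```python
import re

# Constructed template for this example (not Nosht's real schema):
# field name -> values the AI is allowed to suggest for that field.
TEMPLATE = {
    "tooth": {"UR6", "UL6", "LR6", "LL6"},
    "diagnosis": {"reversible pulpitis", "irreversible pulpitis", "caries"},
    "treatment": {"restoration", "RCT", "extraction"},
}

# Identifier patterns the gate refuses: NHS numbers (3-3-4 digits) and dates of birth.
NHS_NUMBER = re.compile(r"\b\d{3} ?\d{3} ?\d{4}\b")
DATE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b")


def nhs_checksum_ok(candidate: str) -> bool:
    """Modulus-11 check digit used by NHS numbers: distinguishes a real number
    from any other run of ten digits, so the gate does not refuse harmless codes."""
    d = candidate.replace(" ", "")
    total = sum(int(c) * w for c, w in zip(d[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11   # remainder 0 -> check 0; check 10 means invalid
    return check != 10 and check == int(d[9])


def find_identifiers(text: str) -> list:
    """Return identifier-like tokens that must not leave the practice."""
    hits = [m.group() for m in NHS_NUMBER.finditer(text) if nhs_checksum_ok(m.group())]
    hits += [m.group() for m in DATE.finditer(text)]
    return hits


def outbound_payload(shorthand: str, attachments: dict) -> dict:
    """Build the text-only request for the model; refuse audio and identifiers.
    Raising here keeps the data inside the practice, which is the minimisation goal."""
    if attachments:  # any audio or other binary attachment: not in this workflow
        raise ValueError(f"non-text attachment refused: {sorted(attachments)}")
    ids = find_identifiers(shorthand)
    if ids:
        raise ValueError(f"identifier-like content refused: {ids}")
    return {"shorthand": shorthand,
            "allowed_values": {k: sorted(v) for k, v in TEMPLATE.items()}}


def constrain_suggestions(model_fields: dict) -> dict:
    """Accept a suggested field only if its value is in the template; unknown fields
    and free-text values are dropped and left for the clinician to complete."""
    return {k: v for k, v in model_fields.items() if v in TEMPLATE.get(k, set())}
```

Logging each refusal (the reason, not the refused content) gives you the data-minimisation evidence a DPIA asks for.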

How the optional AI works

See exactly what Nosht’s optional, clinician-reviewed AI does — text-only shorthand fill on Anthropic’s Claude Haiku 4.5, never trained on your notes, with no audio capture.


The honest differentiator is not "no AI" — Nosht does use optional AI. It is that there is no audio in this workflow, no patient recording, and you confirm every field. That is a materially smaller data-protection footprint than an ambient scribe. The full technical and security detail, including the sub-processor list and hosting, is on our security page.

See how no-audio notes work

Explore Nosht’s structured, no-audio dental notes — type shorthand, review every field, copy into your PMS. No account or card needed.


Read the full security detail

The sub-processor list, hosting, encryption and data-handling detail behind the no-audio workflow live on the Nosht security page.


Buyer due-diligence checklist: questions to ask any AI dental vendor

Send this to any vendor — audio or not — and keep the answers on file with your DPIA.

| Question | What a strong answer looks like |
| --- | --- |
| Does the product record or transcribe the patient? | A clear yes/no. "No audio is captured" is the lowest-risk answer. |
| Where is data hosted and processed? | Named regions. UK or EU hosting simplifies transfers. |
| Who are the sub-processors? | A complete, named list (cloud host, transcription, LLM provider). |
| Is our data used to train any model? | An explicit, written "no" to training, plus a clear, written retention period and purpose. |
| What is the transfer mechanism for any non-UK processing? | UK–US Data Bridge certification, or IDTA / UK Addendum + transfer risk assessment. |
| How long is audio / transcript / note data retained, and can we set it? | Defined, minimal retention you can configure and a deletion process. |
| Is there a signed Article 28 Data Processing Agreement? | Yes, available before purchase, naming sub-processors and your instructions. |
| Will you support our DPIA? | Documentation of data flows and security to slot into your DPIA. |
| How are data-subject rights (access, erasure) handled? | A clear process covering recordings and generated notes. |
| What are the security controls? | Encryption in transit and at rest, access controls, breach notification. |

How this differs from a feature comparison

This is the law-and-privacy view, deliberately separate from the workflow question of which tool writes better notes faster. If you are weighing capability, speed and note quality — voice scribe versus structured templates — read our AI dental scribe vs structured templates comparison (linked under Related guides below). Use both together: the comparison tells you which workflow fits your surgery; this page tells you what you must put in place before any of them touches patient data.

Next steps

If "no patient recording, you confirm every field" is the risk profile you want, see how Nosht’s structured dental notes work, or compare the alternatives to AI voice scribes before you commit. Whatever you choose, complete your DPIA and DPA first — the obligation is the controller’s, and that is you.

Compare the alternatives to AI voice scribes

See how a structured, no-audio notes tool compares with ambient AI scribes before you commit.


This article is general information about UK data protection, not legal advice, and does not establish a controller–processor relationship. Verify each vendor’s current terms and take professional advice on your own setup. Last reviewed: June 2026.

Frequently asked questions

Are AI dental scribes GDPR-compliant?

They can be, but not automatically. An AI scribe that records patients processes special-category data, so compliance depends on having an Article 6 lawful basis and an Article 9 condition, a transparent privacy notice, a written Data Processing Agreement, a valid mechanism for any data leaving the UK, defined retention, and usually a DPIA completed before you go live. The practice is the data controller and is accountable for getting this right.

Do I need patient consent to use an AI scribe?

You must at minimum tell patients if you are recording them — transparency is required under UK GDPR. Whether you also need explicit GDPR consent depends on the lawful basis you rely on; many healthcare providers use Article 9(2)(h) (provision of health care) rather than consent. Note that GDPR consent as a lawful basis is separate from clinical consent to treatment. Take your own advice on which basis fits your practice.

Is there a dental notes app that doesn’t record patients?

Yes. Nosht is a structured clinical-notes app with no voice recording, no ambient listening and no speech-to-text in the web app. You type shorthand and the app structures it into GDC/FGDP(UK)-aligned template fields you review. Optional AI (Anthropic Claude Haiku 4.5) helps fill fields from your typed shorthand and runs an advisory completeness check — it is not trained on your notes, and the shorthand is designed to exclude patient identifiers.
