
Artificial intelligence use across York and Scarborough Teaching Hospitals NHS Foundation Trust

Our Trust is committed to being open about any Artificial Intelligence (AI) tools we use. AI is technology that uses data to spot patterns, make predictions, or support decision-making. It can help the Trust work more efficiently, improve patient care, and reduce manual workload for staff.

Below, we have listed each AI system along with a link to its Data Protection Impact Assessment (DPIA), which is the risk assessment we complete whenever personal data is involved. The list explains what the AI tool is, what it is used for, what personal data it processes, the lawful basis for using that data, how the AI makes decisions, any possible impacts, whether a human checks the decisions, and whether any data is transferred outside the UK. For more information about how we use personal data, please see our Privacy Notices.

The Trust is a ‘Data Controller’, which means that we determine the purposes for which, and the manner in which, your personal data is processed.

We have a responsibility to you and your personal data, and will only collect and use this in ways which are compliant with data protection legislation.

The Trust has appointed the Head of Information Governance to be its Data Protection Officer (DPO). The role of the DPO is to ensure that the Trust is compliant with Data Protection legislation and to oversee data protection procedures.
Contact the Data Protection Officer in writing to:

York and Scarborough Teaching Hospitals NHS Foundation Trust
York Hospital
Wigginton Road
York
YO31 8HE

or by emailing yhs-tr.Information.Governance@nhs.net

Under GDPR, data subjects have the following rights in relation to the processing of their personal data:

  • to be informed about how we process your personal data - this notice fulfils this obligation
  • to request access to your personal data that we hold, and be provided with a copy of it
  • to request that your personal data is amended if inaccurate or incomplete
  • to request that your personal data is erased where there is no compelling reason for its continued processing
  • to request that the processing of your personal data is restricted
  • to object to your personal data being processed

If you have any concerns about the way we have handled your personal data or would like any further information, then please contact our DPO at the address provided above. To put in a Subject Access Request, please see our patient records requests page.

If we cannot resolve your concerns, you may also contact the Information Commissioner’s Office (the Data Protection Regulator) about the way in which the Trust has handled your personal data. You can do so by contacting:
First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You can also email casework@ico.org.uk or call 0303 123 1113.

Artificial intelligence products:

| DPIA Ref | AI Product Name | Purpose / Use | Personal Data | Lawful Basis | Logic / Decision-Making | Potential adverse impact | Human Oversight | Transfers |
|---|---|---|---|---|---|---|---|---|
| DPIA120 | Rapid AI | Support diagnosis for acute stroke | Name, date of birth, NHS number, gender, images | Art. 6(1)(e), Art. 9(2)(h) | Uses images to identify haemorrhages in suspected stroke cases. | Augments clinician interpretation | Yes – clinician review | Stored on-premise |
| DPIA143 | Microsoft 365 Copilot | Productivity enhancement, document drafting, summarisation | Emails, meeting notes, project docs, names, job titles | Art. 6(1)(e) Public Task | Uses prompts and tenant data to generate responses | May surface sensitive data inadvertently | Yes – staff review outputs | UK based |
| DPIA201 | MD Brain | Radiology AI for diagnostic support | Imaging metadata, patient identifiers | Art. 6(1)(e), Art. 9(2)(h) | AI flags abnormalities in scans | Augments clinician interpretation | Yes – radiologist reviews | Stored on-premise |
| DPIA202 | Dragon Medical One | Ambient voice AI for clinical documentation | Audio recordings, patient identifiers | Art. 6(1)(e), Art. 9(2)(h) | Transcribes consultations into notes | Risk of misinterpretation | Yes – clinician validates | Not progressing – DPIA closed |
| DPIA256 | Gleamer BoneView | AI for fracture detection in radiographs | X-ray images, NHS number, DOB, sex | Art. 6(1)(e), Art. 9(2)(h) | Binary outcome with region of interest | Supports diagnosis, not replaces | Yes – full radiology report issued | Temporary cloud storage |
| DPIA276 | Attensi Training | AI-based training simulations | Staff name, email, job title, performance stats | Art. 6(1)(e) | Simulates scenarios, tracks performance | Minimal impact – training only | Yes – staff review results | Cloud-based, EEA only |
| DPIA286 | DeepHealth AI | Lung cancer screening support | CT scan images, patient identifiers | Art. 6(1)(e), Art. 9(2)(h) | AI interprets scans for early detection | Supports radiologist decisions | Yes – formal reporting by clinicians | UK-based |
| DPIA296 | AI Box for CCTV | AI metadata overlays for CCTV | CCTV footage | Art. 6(1)(e) | AI overlays and analyses footage | Privacy risk if misused | Yes – staff trained | No transfer |
| DPIA298 | Job Matching AI | AI-assisted HR job matching | Staff names, union affiliation | Art. 6(1)(e) | Matches roles to staff profiles | Risk of inappropriate disclosure | Yes – HR oversight | No transfer |
| DPIA299 | CRC Pathway Optimisation | AI simulation for colorectal cancer pathway | Structured and unstructured patient data | Art. 6(1)(e), Art. 9(2)(h) | Simulates interventions via conversational interface | Potential reidentification risk | Yes – research oversight | UK based |
| DPIA306 | Heidi AI (limited pilot) | Ambient AI scribe for clinical documentation | Audio, patient identifiers | Art. 6(1)(e), Art. 9(2)(h) | Transcribes and drafts clinical notes | Risk of misinterpretation | Yes – clinician validates | UK based |
| DPIA315 | Liberty System | AI call routing via speech-to-text | Caller audio | Art. 6(1)(e) | Routes calls based on spoken input | Minimal impact | Yes – switchboard oversight | UK-based, Google sub processor |
| DPIA321 | Tenancy Based Robotic Process Automation (RPA) platform | Add and amend a position in ESR | Position title, Position number, team, contract type, banding, site | Art. 6(1)(e) | Automated process matches to ESR position and updated | Error in matching | minimal | UK based |
| DPIA322 | Tenancy Based Robotic Process Automation (RPA) platform | Review visa status for longlisting and shortlisting | Name, contact details, age, gender, language, criminal convictions, visa status | Art. 6(1)(e) | Automated process to check visa status and move to longlist or rejects applicant | Potential error in review, immigration rule change | minimal | UK based |
