We are implementing the use of auto-transcription software, which will allow our Doctors to focus on patient care and will accurately and thoroughly record the consultation. We have produced a Data Protection Impact Assessment, which is published below for your information. If you do not wish for this software to be utilised in your consultation, please advise your Doctor of this at the beginning of your appointment.
Data Protection Impact Assessment (DPIA) for Hill Brow Partnership: Heidi and KiwiPen AI Transcription Service
1. Introduction
Hill Brow Partnership intends to implement Heidi and KiwiPen AI for transcription of patient consultations, dictation, and creation of letters. This DPIA outlines potential data protection risks and mitigation strategies.
2. Description of Processing
· Purpose: To enhance efficiency in clinical documentation through AI-powered transcription.
· Data Processed: Patient names, dates of birth, medical histories, and consultation details.
· Processing Activities: Recording, transcription, storage, and integration into the patient record system.
3. Lawful Basis for Processing
· Article 6(1)(e) GDPR (Public Task): Processing is necessary for healthcare delivery.
· Article 9(2)(h) GDPR: Processing is necessary for the management of health or social care services.
4. Data Flow Overview
· Audio recordings from consultations are transcribed by Heidi and KiwiPen AI.
· Transcriptions are stored securely and integrated into the patient record system.
· Data is encrypted during transmission and storage.
5. Risk Assessment and Mitigations
| Risk | Impact | Likelihood | Mitigation Measures |
|---|---|---|---|
| Unauthorised access to patient data | High | Medium | End-to-end encryption; Role-based access controls |
| Inaccurate transcription leading to clinical errors | High | Medium | Human review process before adding to records; Continuous AI training |
| Data breaches during transmission | High | Low | Encrypted data transfers (TLS 1.2+) |
| Loss of data integrity | Medium | Low | Regular backups and audit logs |
6. Data Retention and Storage
· Audio files are deleted immediately after transcription.
· Transcription records are retained in accordance with NHS data retention policies.
7. Data Subject Rights
· Patients retain rights to access, rectify, or erase their records.
· Information on AI use will be included in privacy notices.
8. Third-Party Processors
· Heidi and KiwiPen providers are GDPR-compliant with contracts ensuring data protection obligations.
9. Consultation and Approval
· DPO Consultation Date: 6th March 2025
· Staff Consultation: Conducted with GPs Hogg, Sandica, Levett and Practice Manager
· DPIA Approved By: Dr Levett and Sandica with Practice Manager Fiona Bankes
· Date: 6th March 2025