A patient asks the receptionist whether the consultation was recorded. Or whether the letter was written by ChatGPT. Or where the transcript went afterwards.
The clinician gives one answer. The practice manager gives another. Nobody can point to a document.
That is not a public relations problem. It is a governance evidence gap, and the same gap that fails a patient question will fail a DPO evidence request, an insurer renewal questionnaire and a CQC inspection, because all four are asking the same thing in different words: what AI is in use, what patient data it touches, who approved it, and who checked the output.
What a clinic needs to be able to show
Six documents answer most of what anyone will ask.
An AI tool and use case inventory.
Declared and undeclared use across clinical, admin and marketing workflows. Not a policy. A list, with names on it.
A patient-data exposure position.
Which tools touch consultation audio, notes, images, correspondence or identifiers, and which do not.
A DPIA readiness position.
Where a DPIA is likely required or strongly indicated, and what your DPO needs in order to make that call. ELSA AI does not make it for them.
Vendor evidence.
Data processing agreement, hosting and residency, retention and deletion, sub-processors, model-training position. Held centrally, not in one clinician's inbox.
A human-review workflow.
Written down. Who reads the AI-generated note before it reaches the record, and what they do when it is wrong.
Patient transparency wording.
The same explanation from every clinician, at every site, on every day.
Where the gaps usually are
Free-tier tools on personal devices. A scribe live before the DPIA was screened. Vendor terms nobody has read. Marketing automation with no boundary between marketing data and clinical data. An incident process that covers needlestick injuries but not a hallucinated allergy in a discharge letter.
None of this means a breach has occurred. It means the clinic cannot currently evidence its position, and that is a fixable problem.