Scenario

DPO Requesting Evidence

What your DPO needs and when

When a DPO asks about AI, it is not a casual enquiry.

They are checking whether the clinic can evidence its data protection position for AI use, especially where high-risk processing may be involved.

Without the right evidence, the DPO may be unable to complete or support the required review.

The scenario

Your DPO has been made aware that an ambient scribe is in use and that staff may be using ChatGPT for clinical correspondence.

They request DPIA screening records, vendor data processing agreements, Records of Processing Activities entries, privacy notice updates and evidence of staff training.

Some evidence may exist, but it is not yet complete, consistent or reviewable.

What a DPO will typically request for AI use

  • DPIA covering purpose, lawful basis, Article 9 condition, risks and mitigations for each AI use case
  • Records of Processing Activities updated to reflect AI tools and data flows
  • Controller-processor mapping and data processing agreements with AI vendors
  • Data transfer assessments and safeguards for any international data flows
  • Technical and organisational measures, such as access control, encryption and logging
  • AI governance policy, staff training records and incident logs involving AI
  • For tools that influence clinical care, links to DCB0129/0160 and DTAC evidence where relevant

What ELSA AI does

  • Carries out DPIA screening across identified AI tools and produces a DPIA Readiness and Patient Data Exposure Note for DPO review
  • Identifies where a DPIA is likely required or strongly indicated for DPO/legal review, including where special category health data, new technology, voice/audio processing or automated evaluation may be involved
  • Produces a Vendor Data Position and Evidence Tracker covering DPAs, data residency, sub-processors and transfer safeguards
  • Assembles a DPIA readiness workpack through the Launchpad, structured for DPO review and adoption

ELSA AI does not provide legal advice, DPIA sign-off or final legal compliance determinations. Final DPIA conclusions, legal interpretation and sign-off remain with the clinic's DPO or legal adviser.

Does ELSA AI complete and sign off the DPIA?

No. ELSA AI does not provide legal advice or DPIA sign-off.

We help identify whether a DPIA is likely required or strongly indicated, organise the evidence needed for DPO review, and produce a DPIA Readiness and Patient Data Exposure Note.

Final DPIA conclusions, legal interpretation and sign-off remain with the clinic's DPO or legal adviser.

Advisory governance support only. Not legal advice, DPIA sign-off, insurer coverage advice, CQC certification or clinical safety case sign-off.