Heidi Health reported 50,000 clinical users across UK independent practice in June 2026. A significant number of those clinicians work in psychology and counselling settings. Most of them, if asked directly, cannot say whether their use of the tool meets the ICO's requirements for handling Special Category data — the legal category that covers everything disclosed in a therapy session.

That is not a criticism of those clinicians. The compliance framework that applies is genuinely complex: it spans four different regulatory bodies, references a data protection law updated in June 2025 (the Data (Use and Access) Act), and still lacks any central guidance written specifically for mental health settings. NHS England's ambient scribing guidance (published April 2025, updated to Version 2 in April 2026) covers the clinical note AI landscape in detail. It does not yet have a mental health supplement. That guidance is expected by September 2026. In the meantime, therapy practices are making compliance judgements without a clear template.

This piece sets out the framework that actually applies: what the law requires, what the ICO expects, what consent looks like in a therapy context, and what the Data (Use and Access) Act 2025 (which received Royal Assent on 19 June 2025) changes and does not change for practices handling patient data. The aim is to give you enough of a working understanding to assess your current position and know what to fix.

Why therapy data sits in a different legal category

UK GDPR distinguishes between ordinary personal data (your name, address, appointment time) and Special Category data. Special Category data is defined by its potential to cause harm if exposed: health data, mental health data, data about sexual life or orientation, religious belief, ethnicity, and a handful of other categories all qualify.

Everything disclosed in a therapy session is, by definition, Special Category data. Session notes do not just record clinical observations. They record disclosures about trauma history, family breakdown, suicidal ideation, substance use, abuse, and other information that could cause real and lasting harm to the patient if it reached the wrong hands. That is why the law treats it differently.

The practical consequence of this classification is that the standard lawful basis for data processing — legitimate interest — is not available for Special Category data. You need a more specific basis. In the healthcare context, that basis is typically Article 9(2)(h) of UK GDPR: processing necessary for the provision of health or social care services, subject to obligations of professional secrecy.

Why does this matter for AI note tools? Because the moment an AI tool ingests audio or text from a therapy session, it is processing Special Category data on your behalf. Your AI vendor becomes a Data Processor under UK GDPR, and the ICO's requirements for that processing relationship are considerably stricter than those for ordinary personal data. The requirements are manageable — but you need to have met them before you switch on the tool, not afterwards.

The DPIA: mandatory before you start

A Data Protection Impact Assessment — DPIA — is a structured analysis of the privacy risks created by a new data processing activity. Under UK GDPR Article 35, a DPIA is mandatory "prior to the processing" where the activity uses a new technology and is "likely to result in a high risk to the rights and freedoms of natural persons." Processing Special Category health data using AI is explicitly flagged in ICO guidance as an activity that triggers this requirement.

In plain terms: before you activate an AI note tool for use in therapy sessions, you need a completed DPIA on file. If you are already using one without having completed a DPIA, completing one now — before your next inspection or any data incident — is the first priority.

The ICO updated its AI guidance in 2026 to specify what a DPIA for an AI system must address, beyond the standard risk assessment. You must cover:

Provenance of training data. How was the model trained, and on what data? Did the training dataset include sensitive health information? Was appropriate consent obtained? Some AI note tool vendors cannot answer these questions clearly. That is itself a governance risk.

Statistical accuracy and potential for bias. Is the tool equally accurate across accents, clinical vocabulary, and language patterns? Is there evidence of lower accuracy for certain patient populations? In a therapy note context, an inaccurate summary of what a patient disclosed is not a minor quality issue — it could affect clinical decisions.

Explainability. Can the vendor explain how the model produces its outputs? If a patient challenges the accuracy of an AI-generated note, can you audit the process that produced it?

Human oversight. What is the clinician review process before any AI-generated note is saved or shared? NHS England's guidance is clear: ambient scribing products produce a draft for clinician review, not a final document. That distinction matters for liability as well as data protection.

Data storage and retention. Where is the data held? In which country? For how long? Who within the vendor organisation can access it?

NHS England published a template DPIA for ambient scribing in March 2026, developed with input from the ICO and the National Data Guardian. For independent therapy practices, this template is a workable starting point — it covers the core risk areas. It does not yet address the specific risks of mental health settings, including the higher sensitivity of disclosures and the potential impact on the therapeutic relationship. Until the mental health supplement arrives in September 2026, practices will need to add a section addressing these gaps in their own assessment. An AI governance review as part of a structured audit can help you identify exactly what that section needs to contain.

Consent: what you must tell patients, and when

NHS England's ambient scribing guidance is explicit: patients must be informed at the beginning of the session if an AI note tool is running, and they must be able to decline without that refusal affecting their care. This is not a voluntary best-practice recommendation. It is a requirement under UK GDPR's transparency obligations, which apply regardless of the lawful basis you are using for processing.

In a therapy context, consent carries additional weight. The therapeutic relationship depends on the patient trusting that what is disclosed in the room stays under the clinician's control. An AI tool that transcribes, summarises, and stores a session — potentially on servers outside the UK — introduces a third party into that dynamic. Most patients, when asked clearly and given a genuine choice, will consent. The asking is not optional.

Practically, this means three things. First, a verbal statement at the start of each session when an AI tool is active: something like "I'm using an AI note tool to help me document today's session — you can ask me to turn it off at any time." Second, updated privacy documentation — your website privacy notice and your new patient information pack — that explains which tools you use, who processes the data, where it is stored, and how long it is retained. Third, a process for recording when patients decline, so you can demonstrate compliance if asked.

The BACP called for clearer regulatory distinction between AI used for administrative purposes and AI used in clinical care in February 2026. That distinction is worth holding in mind. An AI tool that transcribes session audio and generates a clinical note summary is performing a clinical function, not an administrative one. It sits closer to a medical device than to a scheduling system, and should be treated with corresponding seriousness in your consent and governance processes.

Data Processing Agreements: the contract you must have

Under UK GDPR, when a third party processes personal data on your behalf — which is exactly what an AI note vendor does — they are a Data Processor. You are the Data Controller. The law requires a written Data Processing Agreement (DPA) between you before processing begins. This is not satisfied by clicking "I agree" on the vendor's terms of service. A DPA is a specific document with specific required content.

A compliant DPA must cover: the nature and purpose of the processing; the categories of data being processed; the technical and organisational security measures in place; how the vendor handles data subject rights including access requests, correction requests, and deletion; data retention periods and deletion processes; and whether the vendor uses sub-processors and who they are.

For therapy practices, two clauses in the DPA deserve particular attention. First: sub-processors and their locations. Most AI note tools rely on third-party infrastructure — speech recognition models, large language model APIs, cloud storage — that is often based in the United States. UK GDPR requires that transfers of Special Category data to countries outside the UK are only made where the ICO considers those countries to provide adequate protection, or where appropriate safeguards (such as Standard Contractual Clauses) are in place. Your DPA should name each sub-processor and confirm the transfer mechanism.

Second: model training. Some AI note tools use customer data — including session transcripts — to improve their models. For a therapy practice, this should be explicitly prohibited in your DPA unless patients have been specifically informed of this use and consented to it. If the DPA does not address model training, ask the vendor directly. If they won't contractually prohibit it, that is a vendor you should not be using for Special Category data.

If your current AI tool does not have a signed DPA in place, you are not compliant with UK GDPR. The ICO has issued fines to health providers for exactly this gap — not for using AI tools, but for using them without the correct data processing governance. A 20-minute discovery call can help you assess what needs to be in place before your next inspection.

What the Data Act changed — and what it didn't

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. It introduced targeted changes to the UK data protection framework, with a stated aim of making it easier to use data for research and public interest purposes while maintaining core privacy protections.

For independent therapy practices using AI note tools, the key question is simple: did anything change that affects your compliance obligations?

The answer, for everything that matters in this context, is no. Special Category data rules under UK GDPR are fully preserved. The requirement for a DPIA before processing Special Category data is unchanged. The requirement for a signed DPA with any data processor is unchanged. The ICO's transparency obligations, data minimisation principle, purpose limitation, and storage limitation principles are all unchanged. The Act does not relax any of the requirements described in this article.

What the Act did introduce is greater flexibility for secondary and research uses of health data — making it somewhat easier for NHS-approved research programmes to access de-identified datasets. This is largely irrelevant to how an independent psychology group manages its day-to-day clinical notes. It does not change your patients' rights, your obligations as a data controller, or your vendor's obligations as a data processor.

The practical upshot: if anyone tells you the Data Act simplified your AI compliance obligations, ask them specifically which obligation they believe changed. The core framework remains as it was.

CQC — why your governance documentation now matters

The CQC published an update on its AI expectations in May 2026. From October 2026, registered providers using AI-assisted clinical tools are expected to have documented AI governance as part of their well-led evidence. The well-led domain now includes specific questions around how practices identify and manage the risks of AI tools, how staff are trained to use them appropriately, and how patient rights in relation to AI are protected.

In practice, an inspection team asking about your AI note tool may ask for: your DPIA, your DPA with the vendor, your consent process documentation, evidence of staff training, and a record of any patient concerns or opt-outs. Most independent psychology practices do not currently have this documentation in place. That becomes a material risk once inspectors start asking for it systematically, which the October 2026 deadline suggests they will.

The good news is that none of this documentation is elaborate. A clear DPIA adapted from the NHS England template, a signed DPA, a one-page consent process document, and a brief staff training record cover the material inspectors are likely to want to see. The AI Readiness Score for most independent practices currently sits at 41 out of 100 on governance — building this documentation moves that number meaningfully.

What this means for your practice

If you are already using an AI note tool in therapy sessions, there are four things to address in order of priority.

First, obtain and sign a Data Processing Agreement with your AI vendor. Contact them today and ask for their standard DPA. Review it against the checklist above, paying particular attention to sub-processors and model training. If they do not have one, or won't provide one in written form, find a vendor who will — there are compliant options available at comparable price points.

Second, complete a DPIA. Use NHS England's March 2026 template as a starting point. Add a section addressing the specific risks of your mental health setting: disclosure sensitivity, therapeutic relationship implications, and your process for handling patient data access requests. File it. Date it. Review it annually or when you change tools.

Third, update your patient communication. Your privacy notice should explain that you use an AI note tool, what it captures, who processes that data, and how to request that it not be used. Your verbal consent at the session start should be consistent and documented.

Fourth, build your governance file now, before October. A DPIA, a DPA, your consent process documentation, and a brief training log. This does not need to be elaborate — it needs to exist and to reflect your actual practice.

If you would rather have an independent review map the compliance gaps and produce the documentation against your specific practice structure, the AI Opportunity & Growth Assessment™ includes a data governance review as a core component. It takes two weeks and costs considerably less than the ICO's maximum fine for non-compliant Special Category data processing — which currently sits at £17.5 million or 4% of global turnover, whichever is higher. For an independent practice, the risk is not at that ceiling. But the principle is the same: the cost of getting governance right is a fraction of the cost of getting it wrong.

The tools themselves are worth using. An NHS England-sponsored study published in April 2026 found that ambient scribing products increased direct patient interaction time by 23.5% and reduced overall appointment length by 8.2%. In a therapy context, that is a meaningful clinical gain. Getting the governance right is what allows you to realise it.
