NHS 10-Year Health Plan: AI, Data & Digital Transformation

The UK government has this month (July 2025) published the NHS Fit For The Future: 10 Year Health Plan for England (“NHS Health Plan”), outlining a major shift towards digital healthcare. 

The NHS Health Plan identifies “5 transformative technologies” – data, artificial intelligence, genomics, wearables and robotics – as strategic priorities. It also outlines enhancements to existing systems, including a revamped NHS app, Single Patient Records (“SPRs”), and the adoption of ambient AI tools.

NHS organisations will also be required to redirect more funding towards innovation by reserving “at least 3% of annual spend for one-time investments in service transformation”, marking a reallocation of resources to enable this transition. 

The NHS Health Plan also signals a broader shift in care delivery from hospitals to the community, enabled by technology. An example of this in practice is virtual wards, where patients receive acute care at home supported by remote monitoring. This operational framework is already in use across several NHS Trusts. 

In this article, we explore some of the key legal considerations (largely from a data protection perspective) arising from the NHS’ use of data and artificial intelligence under the NHS Health Plan. For a broader overview of the NHS Health Plan, please see our article here.

1. Data, Research and Innovation

Data is one of the fundamental resources that the NHS Health Plan promises to harness to both enhance patient care and create new revenue streams:

“In the next 10 years and beyond, industries and companies that do not harness data will be replaced by those that do. It is unthinkable for the NHS not to use its own data to transform healthcare for its patients today, and to drive its financial sustainability so it can meet the needs of its patients in the future.”

Single Patient Records: Medical records for each patient will be unified securely into a single authoritative record. Organisations contributing data must have appropriate data sharing or processing agreements in place, clearly defining roles (controller vs. processor), responsibilities for data accuracy, access, and security, and provisions for secondary data use. Compliance with the key data protection principles is essential - particularly around data minimisation, purpose limitation, and transparency. Where data is pooled across systems, transparency with data subjects becomes even more critical. Implementing a data access register (a public log of who accessed what data and why) is increasingly seen as best practice. Given the heightened risk of breaches involving consolidated medical records, organisations must ensure robust technical and organisational safeguards, regularly review security policies, and carry out Data Protection Impact Assessments (“DPIAs”) for new systems.

Wearables: Smart devices (wearables, biosensors) will become the standard by 2035 to collect data continuously and monitor patients in relation to chronic, preventative and post-acute treatment. These devices collect continuous streams of health data, which requires both a lawful basis under Article 6 and a special condition under Article 9(2) to process it lawfully. Transparency is critical: patients must be informed about what data is collected, how it’s used, and who it’s shared with. Data minimisation and purpose limitation principles must be taken into account, ensuring only necessary data is processed for clearly defined purposes. Given the volume and sensitivity of data, robust security measures and DPIAs are essential. Additionally, where data is shared with third parties or used for secondary purposes - such as research or insurance - organisations must have appropriate data sharing agreements and governance frameworks in place.

Genomic Sequencing: The genomes of 100,000 newborns will be sequenced, helping to build a database to inform the NHS’s understanding of health risks and support preventative measures. The NHS aims to make genomic sequencing at birth the norm in the long run. Genomic data is classified as special category data under UK data protection laws, requiring a lawful basis for processing under Article 6 and a specific condition under Article 9(2) - typically for healthcare provision or scientific research. Given its uniquely identifiable nature, even when pseudonymised, genomic data demands heightened safeguards.

Health Data Research Service: Previously announced in April 2025, the Health Data Research Service, which has £600 million in joint funding from the UK government and the Wellcome Trust, acts as a centralised database to collate large-scale anonymised health data to support medical research. Health data that is anonymised should follow ICO guidance, noting recommended anonymisation techniques, the accountability and governance measures required and the risk of re-identification through data linkage.

The NHS Health Plan also references the role of Health Innovation Networks (HINs), noting: “Our 15 Health Innovation Networks do important work; we will continue to fund and support them.” This is the first time HINs have been formally acknowledged in a national NHS strategy, highlighting their growing role in scaling innovation across regions.

2. Patient Rights

Alongside the greater interconnectivity of data, patient rights will be a key consideration for many NHS trusts and healthcare providers. 

Right to Access and Control Health Data: The NHS Health Plan sets out the intention to pass new legislation that requires health and care providers to provide patients with access to their own medical records. In addition:

“We will also legislate to give patients access to their SPR by default. Subject to parliamentary time, our ambition is that from 2028, patients will be able to view it, securely, on the NHS App. Over time, that data will include not only medical records, but also a personalised account of health risk, drawing from lifestyle, demographic and genomic data - to help personalise the NHS’ service offer and to support individual behaviour change.”

These measures build upon existing data subject rights under the UK GDPR and the Data Protection Act 2018, including the right of access (Article 15 UK GDPR), the right to rectification (Article 16 UK GDPR), the right to restriction of processing (Article 18 UK GDPR) and the right to data portability (Article 20 UK GDPR).

Right to Privacy and Confidentiality: The NHS Health Plan’s emphasis on data sharing and AI also raises concerns about data protection (as highlighted above) and confidentiality. Privacy notices should comply with transparency requirements (Articles 13 and 14 UK GDPR) to inform patients as to the nature and purpose of data collection, and their rights in relation to such data. Robust patient consent mechanisms will also be key, especially in relation to data transfers to third parties. An example of such transfers is health data or relevant patient medical records being shared with third-party apps, which will become more common as the NHS intends to create a HealthStore for NHS-approved health apps developed by third-party software developers. 

Digital Inclusion & Accessibility: New public-facing technology, including the revamped NHS App, will need to comply with the Equality Act 2010 to ensure non-discrimination and reasonable adjustments. The NHS Health Plan alludes to its intention to “contribute fully to the cross-government Digital inclusion Action Plan […] to improve access to and skills with technology among socially excluded groups”.

Data (Use and Access) Act 2025 (DUAA): Introduces a new statutory framework for use of patient data within the NHS and wider health system. DUAA expands on the definition of “legitimate interests” for processing, supports digital identity infrastructure, and reinforces interoperability standards. These reforms are expected to underpin the rollout of SPRs and federated data platforms, while also strengthening patient transparency and control.

3. AI, Liability & Intellectual Property 

The NHS Health Plan promises that artificial intelligence will drive down costs, reduce administrative burden (for example through ambient AI technology that generates a record of a patient-doctor consultation), support nurses and doctors in making medical decisions (such as analysing X-Rays and scans for signs of disease), provide on-demand guidance to the public via the NHS app (helping the app to give patients a “doctor in their pocket”), and run powerful analytics on health data both on an individual and societal level to feed into a predictive and preventative healthcare system. However, AI should exist within a structured governance framework with checks and balances. 

Clinical Accountability and Human Oversight: NHS Trusts should ensure that AI does not replace clinical judgement to mitigate the risk of clinical negligence – there should always be a “human in the loop” to check and verify AI-generated outputs. This is echoed by NHS AI guidance, which states that “Decisions will not be made by the AI system.”

Intellectual Property Rights: Where AI creates further software or content, it is important to establish intellectual property rights from the outset, when the system is still in an early stage of development, to adequately allocate ownership of existing background IP and future foreground IP. This is particularly important when the AI product is intended to be used commercially, as the IP rights will affect revenue distribution between parties.

Governance Procedures: NHS organisations should implement AI governance frameworks which set out accountability (including ethical review boards for high-risk AI applications, audit trails, and incident reporting mechanisms) and ensure that AI is used operationally in a way that complies with the principles-based regulatory approach that the UK government has adopted, namely that AI regulation should focus on (1) safety, security and robustness, (2) appropriate transparency and explainability, (3) fairness, (4) accountability and governance, and (5) contestability and redress. 

4. Procurement, Commercial and Regulatory Opportunities

Tech Procurement: There will be a new framework procurement process introduced in 2026-2027 which will allow NHS organisations to adopt innovative technologies, including ambient AI. The NHS will also procure the development of a digital platform to connect community-based healthcare with centralised patient histories and care plans. Alongside the Procurement Act 2023 (which came into effect on 24 February 2025), the AI Opportunities Action Plan (which encouraged technology pilots to be launched and scaled nation-wide), and the National Audit Office’s report on “Government approach to technology suppliers” (which called for an overhaul of commercial frameworks to better tailor them to project-specific requirements), it is clear that technology suppliers should expect a shift towards greater volumes of public sector technology procurement.

Data Commercialisation: The NHS Health Plan explicitly supports the use of data to create a profitable product to bring in revenue: “In the longer-term, we will explore ways to derive commercial value from access to anonymous health data as well as from public assets like advanced analytics – which could include a mix of access charges and equity stakes.” This signals a shift toward monetising NHS data, raising several legal and ethical considerations including:

  • Data ownership and control: while the NHS remains the custodian of patient data, questions arise around who holds rights to derivative products or insights.
  • Revenue sharing: if commercial value is generated, frameworks will be needed to ensure fair distribution of returns - particularly where public data underpins private innovation.
  • Intellectual property rights: clarifying IP rights in co-developed tools or analytics platforms will be essential, especially where NHS data is involved.

These issues will require careful governance, transparency, and potentially new legislation to balance innovation with public trust and accountability.

Regulatory Oversight: The National Institute for Health and Care Excellence (NICE) will streamline access to innovation, adopting a faster process for evaluating new treatments, particularly in diagnostics, digital apps and medical-grade wearables. NICE will also have expanded responsibilities “to identify which outdated technologies and therapies can be removed from the NHS to free up resources for investment in more effective ones”, suggesting a shift towards a forward-looking, pro-innovation NHS health system.

Conclusion

The NHS Health Plan signals a transformative era for healthcare, driven by digital wearables, AI, and advanced data analytics. As these technologies become embedded in clinical pathways, NHS Trusts must prioritise robust data governance from the outset. This includes implementing clear data sharing agreements and safeguards - particularly where third parties such as app developers, wearable tech providers, and AI vendors are involved in large-scale processing of sensitive health data. In addition, intellectual property rights will be a key negotiating point for collaborations between NHS Trusts and software providers, especially as technology becomes more deeply embedded in day-to-day patient care. 

Next steps

Further guidance is expected later this year on implementation timelines for federated data platforms, NHS App upgrades and digital procurement frameworks. Stakeholders should monitor updates from NHS England and the Department of Health and Social Care to stay ahead of procurement and compliance developments.

For advice on how the NHS 10-Year Health Plan will impact you or your business, please contact Martin Cook, Madelin Sinclair McAusland, Amanda Leiu, Justin Barrow or a member of Burges Salmon's Commercial & Technology team.

This article was written by Jenora Vaswani and Amanda Leiu.