When a UK health technology company quietly announced the launch of what it called a Sovereign Large Language Model trained on NHS primary care data, the press release was carefully worded, the language reassuring, and the implications enormous. OneAdvanced, a British software firm with deep roots in NHS administration, has become the first domestic company to release a commercially deployed LLM built specifically on the data that flows through GP surgeries, referral systems, and clinical workflows across England. The word "sovereign" was chosen deliberately: it evokes national pride, post-Brexit independence, and a sense of protective custody over something precious. But for the 67 million patients whose information feeds these systems, the word raises more questions than it answers, and the answers that do exist are buried in procurement contracts most patients will never read.

The concept of NHS data ownership has always been murky, a grey zone where public trust collides with commercial appetite. Under UK law, NHS trusts and general practices are classified as data controllers, meaning they bear legal responsibility for how patient information is used. Patients themselves hold subject access rights under the UK GDPR, which allows them to request copies of their records and, in limited circumstances, object to processing. But these rights were designed for an era of static databases, not for the dynamic, inference-rich world of large language models. When an LLM is trained on your consultation notes, your medication history, your referral letters, the model does not store your data in any retrievable form. It absorbs patterns, probabilities, statistical relationships. Your privacy is technically preserved, yet something derived from the most intimate details of your life now lives inside a commercial product. That distinction is not merely philosophical. It is the central legal and ethical ambiguity of the entire NHS AI era.
OneAdvanced's deployment sits within a broader and rapidly accelerating transformation of NHS technology infrastructure. NHS England is rolling out Microsoft 365 Copilot to 505,000 clinicians and support staff across its services, a deployment at a scale that dwarfs any comparable AI rollout in European public healthcare. The justification is compelling on its face: a trial of the Microsoft AI tool found it saved an average of 43 minutes of administrative time per staff member per day. For a health service haemorrhaging staff hours to paperwork, appointment letters, referral summaries, and discharge documentation, that figure represents something close to a lifeline. Multiply 43 minutes by 505,000 people across 250 working days and you begin to approach numbers that suggest billions of hours of reclaimed clinical capacity. The political case writes itself. The question of what Microsoft learns from processing half a million NHS workers' daily communications is a quieter, slower-burning concern, and quieter concerns have a habit of going unasked until they become unavoidable.
The political sensitivity around NHS data contracts with private companies has not gone unnoticed. The government's ongoing review of the NHS England contract with US data analytics giant Palantir has become something of a lightning rod for anxieties about the direction of travel. Palantir, whose technology underpins the NHS Federated Data Platform, has faced sustained criticism from civil society groups, clinicians' unions, and privacy campaigners who argue that the firm's history (it was founded with seed funding from the CIA, and its technology has been used in US immigration enforcement) makes it an inappropriate custodian of the UK's most sensitive health data. Ministers have defended the contract on grounds of technical capability and cost, but the review itself signals an acknowledgement that public confidence in these arrangements is fragile. The irony is that the OneAdvanced sovereign LLM is being positioned, at least implicitly, as a response to exactly this kind of concern. British company, British data, British servers. The framing is designed to neutralise the Palantir-shaped anxiety. Whether it succeeds depends entirely on what "sovereign" is actually being promised.
Sovereignty in the context of AI infrastructure is not a binary condition. A model can be trained and hosted entirely within the United Kingdom and still raise profound questions about who benefits commercially from the insights it generates. OneAdvanced is a private company. It has investors, revenue targets, and a commercial interest in the intellectual property represented by a model trained on millions of NHS clinical interactions. The data itself may never leave UK borders. But the patterns extracted from that data, the statistical fingerprints of which symptoms correlate with which outcomes, which prescribing behaviours predict which patient trajectories, which demographics are underserved by which referral pathways: these are extraordinarily valuable assets. Pharmaceutical companies, insurance underwriters, medical device manufacturers, and health policy consultancies would pay handsomely for access to inference capabilities built on this kind of training corpus. UK patients have no legal mechanism to prevent that kind of secondary commercial use, provided it is disclosed somewhere in a privacy policy that nobody reads.
The regulatory gap between the UK and the European Union is becoming increasingly consequential as AI deployment in healthcare accelerates. The EU AI Act, which entered into force in August 2024 and is being implemented in stages, classifies AI systems used in healthcare as high-risk, imposing obligations around transparency, human oversight, technical documentation, and conformity assessments. AI tools that influence clinical decision-making must meet stringent standards before deployment. UK patients, post-Brexit, sit outside this framework. The UK government's approach to AI regulation has been characterised by a deliberate lightness of touch, a "pro-innovation" stance that has drawn praise from the technology industry and criticism from patient advocates, ethicists, and clinicians who worry that the absence of binding rules creates a race to deploy before the regulatory environment hardens. The UK's AI Safety Institute monitors frontier model risks, but its remit is focused on catastrophic and systemic harms rather than the granular, everyday risks of AI-assisted triage, AI-generated discharge summaries, or LLM-drafted referral letters.
The question of legal liability for AI errors in clinical settings has emerged as one of the most contentious unresolved issues in UK healthcare AI regulation. The Medical Protection Society, which provides indemnity cover for thousands of UK doctors, has explicitly warned that UK law needs to be overhauled to clarify who is liable (doctors, NHS trusts, or tech companies) for mistakes made by AI tools in healthcare. This is not a theoretical concern. When a Microsoft Copilot-generated summary contains an error that leads a clinician to make an incorrect prescribing decision, the current legal framework provides no clear answer about where responsibility lies. The doctor who relied on the summary? The trust that deployed the tool without adequate training? The software company whose model produced the error? The NHS England team that approved the procurement? In the absence of legislative clarity, liability will be determined case by case through litigation, which is precisely the kind of expensive, slow, and patient-harmful process that proactive regulation is supposed to prevent.
Future predictions in this space must reckon with the pace of technological change outrunning both regulatory capacity and public understanding. Within three to five years, it is plausible that the majority of routine NHS administrative tasks (appointment booking, referral drafting, discharge letters, prescription reviews) will involve AI assistance of some kind. Within a decade, clinical decision support systems trained on NHS-scale data may be embedded in every GP consultation, A&E triage, and specialist outpatient appointment in England. The question of whether these tools are sovereign, transparent, accountable, and genuinely serving patient interests will not be settled by press releases about British servers. It will be settled by the legal frameworks that govern data use, the contractual terms that define commercial rights over model outputs, the independent audit mechanisms that verify compliance, and the political will to hold technology companies to standards that prioritise patient welfare over deployment speed.
Patients who wish to understand their position in this new landscape have limited but meaningful options. Under UK GDPR and the Data Protection Act 2018, individuals retain the right to access their personal data, to request correction of inaccuracies, and in some circumstances to object to processing on grounds of legitimate interests. NHS patients can also opt out of their data being used for purposes beyond their direct care through the National Data Opt-Out programme, which prevents identifiable data from being used in research and planning. However, this opt-out does not apply to data used for direct clinical care, nor does it clearly cover the training of AI models used to deliver that care. The boundary between "direct care" and "AI model training that enables direct care" is precisely the kind of definitional ambiguity that will require judicial or legislative resolution. In the meantime, the most effective thing a patient can do is ask. Ask your GP surgery whether AI tools are being used to process your records. Ask what tools they are. Ask who provides them. Ask where data is stored. NHS staff may not always have the answers, but the act of asking creates accountability, and accountability is the only force that has ever reliably constrained the appetite of technology companies for the data they regard as fuel.
The NHS is the most data-rich healthcare institution in the world. Decades of centralised record-keeping across a single-payer system have created a longitudinal dataset of extraordinary depth and clinical value. The ambition to harness that dataset for the benefit of patients (to build AI tools that genuinely improve diagnostics, reduce waiting times, and support overwhelmed clinicians) is not cynical. It is, in principle, a legitimate and potentially transformative public health goal. But the architecture of how that ambition is being pursued matters enormously. When the infrastructure is built by private companies, trained on publicly funded data, deployed under commercial contracts, and regulated by a framework that prioritises innovation over precaution, the public interest is not automatically served by the existence of good intentions. The word "sovereign" is doing a great deal of work in the current NHS AI narrative. It is time for patients, clinicians, regulators, and politicians to examine precisely what that word is and is not being made to mean.