The Information Commissioner's Office today imposed a fine of £750,000 on a large NHS Foundation Trust in the North West for deploying an AI-powered radiology triage tool without conducting the mandatory Data Protection Impact Assessment under Article 35 of the UK GDPR. The decision is the ICO's first public enforcement action specifically framed around AI deployment governance rather than a downstream personal-data breach.
The tool — deployed across two hospital sites from late 2024 — classified chest X-rays as high/low priority before clinician review. An internal audit in Q4 2025 found the triage model had been trained on a non-representative dataset and under-prioritised radiographs from patients with darker skin pigmentation. The Trust had no record of bias testing, no DPIA, and no clinical safety case mapped against the Article 35 process.
The ICO's decision notice names three specific failures: (i) no DPIA before processing began, despite automated decisions affecting individuals' access to timely care; (ii) no documented lawful basis for the secondary profiling used in performance monitoring; (iii) retrofit paperwork produced under audit pressure that the Commissioner characterised as "backdated and internally inconsistent."
The £750,000 figure is understood to reflect a discount for cooperation during the investigation, but it is still the largest AI-related fine the Commissioner has issued to date. The Trust has been given six months to demonstrate a compliant DPIA regime, a bias-testing cadence, and a clinical-safety-case register covering all AI-assisted pathways, with independent audit reports due at month 3 and month 6.