The honest answer is that it depends which ChatGPT you mean, and the version almost all of us are actually using is the wrong one. If you are typing client material into the free plan or into ChatGPT Plus, then by default that material can be used to train OpenAI's models, you have no contract that covers patient data, and the information is processed outside the UK. There are enterprise tiers that close some of those gaps, and as of this year there is even a healthcare product with the right paperwork, but none of them are built for a solo or small-practice psychologist, and none of them change the one thing that matters most clinically, which is that you remain the author of every record that goes in the file. So the short version is no, not as most of us are using it, and the longer version is worth your time because the detail is where the defensible position lives.
I want to be fair to the tool here, because the reason so many of us reach for it is sound. ChatGPT is genuinely good at turning a rough paragraph into a readable letter, at softening the tone of a difficult report, and at giving you a first draft when the diary is full and the writing is the thing standing between you and the end of the day. The clinical instinct behind that, which is to spend less time on admin and more time thinking about the person in front of you, is the right instinct. The problem is not the instinct. The problem is that the ubiquity of the tool reads as safety, when in fact the version of it that sits one tab away from your notes is the least suitable version for clinical work that OpenAI makes.
The part that catches most of us
It feels safe because everyone is using it, because it is free or nearly free, and because nothing visibly bad happens when you paste a paragraph in. There is no warning, no friction, no sense that anything has left the room. But something has left the room. The text has gone to servers you do not control, in a jurisdiction that is not yours, run by a company you have no agreement with, and on the consumer plans it has gone into a pool that can be used to improve the model unless you have found and changed a setting that is off the main path. The absence of a visible consequence is not the same as the absence of a risk, and in data protection terms the two are easy to confuse.
Not all ChatGPT is the same tool
This is the part nobody on the regulated side seems to lay out plainly, so here it is. OpenAI sells several different products under the ChatGPT name, and they sit in genuinely different places on the question that matters to us.
| Tier | Trains on your input by default | A contract you can sign for patient data | UK data residency | Built for a solo practitioner |
|---|---|---|---|---|
| Free / Plus / Go | Yes, unless you opt out in settings | No | No | This is what most clinicians use |
| Team / Business | No | Data processing agreement available | No (residency does not cover Business) | Aimed at companies, not sole traders |
| Enterprise / Edu | No | Data processing agreement available | Yes, UK residency offered | Aimed at large organisations |
| ChatGPT for Healthcare | No | Business associate agreement available | Residency options | Aimed at hospitals and health systems |
Read down that first column and you can see the shape of the trap. The tiers that protect you are the tiers that are not built for you, and the tier that is built for everyone is the one that protects you least. ChatGPT for Healthcare launched at the start of this year and is a serious piece of work, with no training on your content, audit logs, residency options, and a business associate agreement available, but it is sold to hospitals and health systems rather than to a psychologist running a private practice from a consulting room, and its compliance framing is built around the American HIPAA regime rather than around the UK GDPR processor relationship that you actually need. The enterprise and education tiers will sign a data processing agreement and now offer UK data residency, which is real progress, but you are unlikely to be buying an enterprise seat for a single-clinician practice, and even if you did, you would still be doing the rest of the compliance work yourself.
So when someone tells you that ChatGPT is fine because OpenAI has a data processing agreement and offers UK hosting, they are not wrong about the company, they are wrong about the product, because the agreement and the hosting belong to a tier you are almost certainly not on.
What the law is actually asking of you
The reason any of this matters is not the tool, it is your position as a clinician. Under the UK GDPR you are the controller of your clients' data, which means you are the one legally responsible for it, and any tool you use is your processor, handling that data on your instructions. Health information is special category data, which the law protects more strictly than ordinary personal data, so the bar for handling it well is higher, not lower. To use any AI tool defensibly you need a lawful basis and a special category condition, a clear picture of where the data goes and who else touches it along the way, and a processor you can actually contract with so that the responsibilities between you are written down rather than assumed.
On the consumer plans, that last piece simply is not available. There is no data processing agreement on offer to an individual on the free plan or on Plus, which means there is no document that makes OpenAI your processor in the way the law expects, which means the chain of accountability that the UK GDPR asks you to be able to describe has a broken link right at the point where your client's words leave your screen. None of that is fixed by reading the privacy policy carefully or by turning off the training toggle, helpful as the toggle is. The structural relationship is missing, and you cannot supply it from your end.
The point about deletion, made carefully
There is one more thing worth understanding, because it tends to surprise clinicians, and it is the way that litigation can override a delete button. Through 2025 a court in the United States required OpenAI to preserve large volumes of user conversations as part of a copyright case, including chats that users believed they had deleted, and although the broadest version of that preservation order has since been narrowed, a sample of around twenty million conversations was still ordered to be produced, and logs tied to certain flagged accounts are still being retained. The specifics of that case will keep moving, and the details will be different by the time you read this. The general lesson will not. When you use a consumer tool at the scale of ChatGPT, your ability to delete your data is only ever as strong as the legal pressures acting on the company that holds it, and those pressures are entirely outside your control and your clients' knowledge. For ordinary personal information that is an abstract risk. For a therapy transcript it is not.
What a compliant alternative has to look like
None of this is an argument against using AI in clinical work, which I do every day, and think most of us reasonably will. It is an argument for using the right kind of tool, and the test is not complicated. A tool you can stand behind processes data in the UK rather than wherever the company happens to host it, never uses your clients' material to train a model under any tier or default, and will sign a UK GDPR data processing agreement with you as an individual practitioner rather than only with a hospital procurement team. It strips identifying detail out before anything leaves your browser, so that the sensitive content and the names are never travelling together, and it treats you as the author of record, where the output is a first draft you actively review and make your own rather than a finished note you wave through. Those are the properties that turn AI from a quiet liability into a defensible part of practice, and they are exactly the properties that the consumer version of ChatGPT, for all that it is good at the writing itself, does not have.
That gap is the reason I built Cogent Clinic, a clinical documentation and formulation tool made specifically for UK private practice psychologists, with UK processing, no training on client data, a processor agreement written for individual clinicians, and in-browser de-identification so that names never leave your machine. If you want the fuller treatment of the compliance picture, including a vendor questionnaire you can send to any tool before you trust it with client data, our working guide to UK GDPR and AI in psychological practice goes through it step by step.
Dr Aisha Tariq is an HCPC-registered Clinical Psychologist and the Clinical Director of Illuminated Thinking, a private clinical psychology practice in Glasgow. She founded Cogent Clinic to give UK practitioner psychologists clinical documentation tools they can stand behind.