
    Summary

    This blog highlights confusion and anxiety among NHS staff following the rollout of Microsoft Copilot, which many learned about only after gaining access. In the first part, a Patient Safety Manager describes their panic on discovering that Copilot could see confidential files, with little guidance provided to them on what is safe or permitted. They felt NHS advice was vague and risk-shifting, leaving staff uncertain and exposed.

    Patient Safety Learning's Chief Digital Officer, Clive Flashman, invited wider engagement on the issue, revealing inconsistent rollouts across Trusts and a lack of clear, practical support. A LinkedIn discussion drew major attention, prompting resource sharing and calls for stronger national coordination, clearer rules, and better training to ensure safe, confident use of AI tools. In the second part of this blog, Clive offers his insights on these issues, reflects on the wider response and shares some useful links.

    Content

    The senior patient safety manager who shared their concerns with Patient Safety Learning has chosen to remain anonymous, but has given their permission for us to publish their first-person reflections.

    Last week, an email landed in my inbox from “the NHS” announcing that Copilot had officially launched — and that it was free for all NHS staff to use. I’ll admit, I was curious and a bit excited. We hear a lot about AI transforming healthcare, and if there’s something that could make our paperwork lighter and free up more time for patients, I’m all for it.

    But then reality set in.

    I clicked the link, logged in with my NHS email, and suddenly there it was: everything. Our shared documents, HR folders, Duty of Candour letters, meeting notes, even files that contained sensitive patient information. My first reaction wasn’t amazement — it was panic. Had I just exposed confidential NHS data to the internet? Was this even allowed? I shut it down immediately and emailed our Information Governance (IG) team.

    The response I received said:

    “The NHS uses Copilot for administrative and support tasks, such as drafting emails, summarising meetings, and creating documents in Microsoft 365 applications, to free up staff time for patient care. No patient or staff data should ever be included in Copilot. Staff will be responsible if they choose to input patient or staff information into Copilot.”

    Reading that, it almost sounded as if the reply had been written by Copilot itself — formal, factual, but not particularly helpful. I still didn’t know what I could safely do on it, or how it might genuinely help me in my day-to-day work.

    From a front-line perspective, this rollout has felt confusing. We’re constantly reminded about data security and confidentiality — now we’re being handed a tool that seems to see everything, with no real explanation of how it works, what’s off-limits, or how to use it effectively.

    I can see the potential. If Copilot can really help summarise meetings, draft letters, or tidy up reports, that could save precious hours. But right now, without clear NHS-specific training or guidance, it feels risky to experiment.

    What staff like me need is practical direction, not just reassurances. We need:

    • Clear, accessible rules about what can and can’t be entered.
    • Examples of everyday, safe tasks Copilot can genuinely help with.
    • Transparency about where the data lives and how it’s protected.
    • Real-world demos showing how it supports our roles — clinical, admin, or managerial.

    Until then, many of us will continue to tread carefully — not because we fear new technology, but because we understand how critical it is to protect patient data.

    Feeling alone and uncertain about where to turn, I reached out to Patient Safety Learning — an organisation I trust to listen and take my concerns seriously.

    If Copilot is meant to help us fly, someone needs to show us where the cockpit is.

    Patient Safety Learning's response (Clive Flashman, Chief Digital Officer)

    The first thing I did was reach out to some other NHS frontline staff at other organisations to ask how the rollout of Copilot had been done at their organisations. Every rollout described was, from my perspective, ‘sub-optimal’.

    My response to the Patient Safety Manager was along the lines of “essentially, your documents are all held in the MS cloud (Azure) and Copilot is a search/assistant tool residing in the same space. No information is leaving the MS cloud and it shouldn’t change the role-based access controls that determine what you and others can and can’t see within it.”

    So, I was able to reassure the Patient Safety Manager that there shouldn’t be an Information Governance issue that should be of concern to them. However, what about the clinical data that Copilot enables the manager to review? This could include legitimate folders and documents containing things like:

    • complete and draft investigations and reviews into patient safety incidents
    • complaints correspondence and reports
    • coroner’s inquest investigations and submissions to court
    • reports to Trust Quality & Safety Committees and Board reports

    Many, if not all of these, would contain sensitive patient and staff information.

    This was at odds with the Trust’s response of "no patient or staff data should ever be included in Copilot. Staff will be responsible if they choose to input patient or staff information into Copilot."

    Understandably, the Patient Safety Manager was concerned that they hadn’t been given any guidance on the use of such data. They felt concerned and vulnerable that using Copilot to help with administrative efficiency for their role could be personally compromising. This felt a very blaming approach, ‘you get it wrong, and you’re culpable.’

    I wasn’t sure who would be able to guide me best on this, so we decided that we’d connect with the NHS hive mind and I wrote a LinkedIn post about this. The post highlighted that more needed to be done to support NHS staff in understanding and using Copilot – and also understanding what it should not be used for. I asked what others were doing and for their advice. The interest in that post was electric. So far it has had just over 40,000 views and hundreds of reactions and comments. The lead person for Copilot rollout in NHS England became involved in the conversation, as did people from Microsoft.

    There were differing views on how the rollouts had been handled, and given the fact that this was all done locally, that’s not surprising. NHS England had done a significant amount of work with the initial proof of concept (30,000 users) and writing use cases and benefits models (as well as apparently a DCB0129 – where is that?). However, I think the fact that the implementation was largely left to local NHS organisations was a mistake, given the uncertainty and variability in responses we’ve seen.

    I think that communication briefings should have been handled locally, by arranging webinars, training sessions, FAQ lists etc. It would have been helpful for resource packs to have been developed centrally and informed by the pilot. If this did happen, many frontline staff haven’t seen these resources or made use of them.

    I updated the LinkedIn post to capture the resources that had been shared in the comments (and in some direct messages to me). If other people have useful resources they’d like to share, please do comment below with the links, or you can email our team at [email protected].

    Thank you to all those that shared their experiences, helpful resources and their commitment to ensure every staff member is secure in how they use and benefit from Copilot.

    We hope that you find this blog of interest, and it might help the NHS reflect on the balance of directing and supporting Trusts in future AI and technology rollouts. And with so much more promised in the 10 Year Plan, let’s all consider how we can support front line staff to optimise the opportunities for productivity improvement.
