When a healthcare AI plan says a dataset will be “privacy-safe” because it is synthetic, the next question should not be whether the phrase sounds reassuring. It should be who is prepared to sign the decision that the remaining disclosure risk is low enough. The privacy question is not settled by the label on the dataset. It depends on how the data was generated, what the output preserves from the source records, who will use it, and what consequences follow if the assumption is wrong.

The distinction matters most in health data because synthetic generation usually begins with real patient records. Under GDPR and UK GDPR analysis by the PHG Foundation and the UK Medicines and Healthcare products Regulatory Agency, training a synthetic data generation model on personal health data is itself processing of personal data. The synthetic output may fall outside personal-data scope only if residual re-identification risk is very low; it does not become non-personal merely because the rows are artificial. [1]

That is the useful but awkward starting point. Synthetic health data can reduce the need to move raw patient records around. It can make some research and AI development projects more feasible when direct access to identifiable or pseudonymized clinical data would be disproportionate. But reduced risk is not the same as no risk, and the difference is exactly where governance work begins.

Clinical data streams shaped into medical symbols with fragmented human silhouettes and warning cracks

A common governance error is to evaluate only the dataset that comes out of the generator. In a hospital, research institute, or AI vendor process, the earlier step is often the more clearly regulated one: source records are selected, cleaned, transformed, and used to train or calibrate a model. If those records are personal data, the organization still needs a lawful basis, purpose definition, access controls, and documentation for that processing.

The PHG Foundation/MHRA analysis is important because it resists a shortcut that appears in many project proposals. It does not say synthetic health data is always personal data. It says the answer depends on residual risk, assessed in context. A synthetic dataset that preserves unusual combinations of clinical features, dates, demographics, or rare diagnoses may carry different risk from one that has been generated with stronger privacy protections and released under tighter access conditions. [1]

For the person asked to approve release, “context” is not a soft word. It means the decision depends on who can access the data, what other data they may hold, whether the population includes rare or stigmatizing conditions, whether the dataset will be public or controlled, and whether the data will inform decisions about patients. A public benchmark dataset, an internal model-development sandbox, and a controlled research enclave are not the same privacy decision.

What the UK, Singapore, and South Korea guidance actually converge on

The most useful recent comparison is not a vendor claim or a general AI ethics statement, but the regulatory comparison of the UK Information Commissioner’s Office, Singapore’s Personal Data Protection Commission, and South Korea’s Personal Information Protection Commission. These three published synthetic data guidance documents differ in emphasis, but they meet at the same uncomfortable point: residual disclosure risk remains, and none supplies a numerical threshold for when that risk is safe enough. [2]

Triptych of UK, Singapore, and South Korea regulatory approaches to synthetic health data
Guidance approachWhat receives emphasisWhat it does not settle
UK ICOResidual disclosure risk, governance of synthetic data generation, and bias detection where synthetic data informs decisions with health consequencesNo quantitative threshold for when residual risk is sufficiently low
Singapore PDPCOrganizational accountability for the synthetic data process and the controls surrounding useNo numerical safe-harbor threshold for residual re-identification risk
South Korea PIPCPurpose limitation and alignment between the intended use and the generated datasetNo fixed metric that converts synthetic status into privacy safety

The UK position deserves particular attention in healthcare AI because it does not treat privacy as the only governance question. In the regulatory comparison, the ICO approach includes mandatory bias detection when synthetic data is used to inform decisions with health consequences. [2] That requirement changes the practical review. A dataset can be less disclosive than raw records and still be dangerous if it distorts subgroup patterns that matter for triage, diagnosis, eligibility, or treatment recommendations.

This is where health data differs from many lower-stakes synthetic data uses. A biased synthetic dataset does not merely create an abstract model-quality problem. It can teach an AI system to underrepresent a population, smooth away rare but clinically important cases, or reproduce measurement gaps from the original data. The privacy review and the clinical-impact review therefore cannot be cleanly separated when the data may shape health-impact decisions.

Singapore’s PDPC emphasis points to a different but equally practical concern: accountability. The organization using or disclosing synthetic data remains responsible for the process it chose, the controls it applied, and the risk assessment it accepted. [2] That matters when a project has several hands on the file: a hospital data team prepares the source extract, a vendor generates the synthetic version, an academic group evaluates utility, and an AI team treats the result as approved because it is no longer raw data. Accountability should not evaporate across that chain.

South Korea’s PIPC guidance, as described in the same comparison, puts more weight on purpose limitation. [2] That is not a bureaucratic nicety. A synthetic dataset generated for one bounded research purpose may not be appropriate for a broader model-development program, especially if broader use increases linkage opportunities or encourages users to treat the file as general-purpose clinical infrastructure.

The difference among the three approaches is meaningful, but it should not obscure the shared message. The guidance does not give a compliance officer a number to plug into an approval form. It does not say that a membership inference score below a particular value, a similarity metric below a particular value, or a privacy test result above a particular level makes synthetic data categorically safe. [2] The decision remains a documented judgment.

Why residual disclosure risk survives synthesis

The reason regulators remain cautious is not that they misunderstand synthetic data. It is that useful synthetic health data must preserve patterns from the source data. If it preserved nothing, it would be private but clinically useless. The privacy problem lives in the narrow corridor between retaining enough statistical structure to support research and retaining so much that individuals or sensitive attributes can be inferred.

Three residual pathways are especially relevant in healthcare settings. Membership inference asks whether an attacker can determine that a particular patient was in the training data. Attribute disclosure asks whether sensitive information about a person can be inferred from the synthetic output and other information. Model inversion asks whether aspects of the original data can be reconstructed from the model or generated records. Peer-reviewed healthcare synthetic data literature has discussed these vulnerabilities rather than treating synthetic generation as a complete privacy break from the source data. [2][3]

Conceptual attack pathways against synthetic health data including membership inference, attribute disclosure, and reconstruction

In a healthcare context, these risks are not limited to celebrity patients or deliberately malicious outsiders. Small cohorts, rare diseases, unusual treatment sequences, geographic specificity, and combinations of demographic and clinical features can make records distinctive. A dataset that appears anonymous at row level may still leak information if it reproduces rare patterns too faithfully.

The harder point is that privacy and utility are usually evaluated together. A generator can be tuned to reduce similarity to source records, but that may also reduce the fidelity needed for model training or statistical analysis. A comprehensive healthcare synthetic data review describes both the promise of synthetic data for medical research and the privacy concerns that remain around disclosure and re-identification. [3] The question for governance is therefore not whether synthetic data is useful. It often is. The question is whether the claimed use requires a level of fidelity that brings disclosure risk back into view.

The missing threshold is a governance problem, not a reason to abandon the method

It would be convenient if regulators had already defined a universal safe threshold. They have not. The Nature regulatory perspective identifies the absence of agreed acceptable residual risk levels across the published guidance. [2] Arora and colleagues, in The Lancet Digital Health, similarly call for accelerated synthetic data privacy frameworks for medical research, reflecting the broader gap between technical adoption and settled governance. [4]

That absence should not be caricatured as regulatory failure. A single number would be difficult to defend across all health datasets and all release models. A synthetic dataset derived from intensive care records, released publicly for benchmarking, does not pose the same risk as a tightly governed internal dataset generated from a larger and less distinctive source population. The same metric can also mean different things depending on attacker assumptions and auxiliary information.

The metrics landscape itself remains unsettled. A 2024 scoping review of privacy and utility metrics in medical synthetic data examined how the field evaluates both dimensions, underscoring that practitioners face a measurement problem as well as a legal one. [5] Metrics can inform a decision, but they do not replace the decision. The approving organization still has to say which tests were run, what threat model they addressed, what residual risk remained, and why that risk was acceptable for the proposed use.

What should be true before treating synthetic health data as low-risk

A credible approval file for synthetic health data should read less like a product description and more like a controlled release decision. The key question is not whether the generator is modern, or whether the output looks realistic, but whether the organization can explain the privacy claim in terms that survive review.

  • The source-data processing has a lawful basis, defined purpose, documented data flows, and access controls before generation begins.
  • The synthetic output has been tested against relevant disclosure pathways, including membership inference, attribute disclosure, and reconstruction-style risks where appropriate.
  • The release model matches the risk: public release, partner sharing, controlled enclave access, and internal-only use require different levels of assurance.
  • Purpose limits are written into the approval, especially where a dataset generated for one research question might later be reused for broader AI development.
  • Bias and representativeness checks are included when the synthetic data may inform decisions with health consequences.
  • A named organization or role owns the residual-risk judgment rather than leaving responsibility split between the vendor, investigator, and data-access committee.

Some technical controls may lower risk further, including privacy-preserving training methods and stronger restrictions on who can query, inspect, export, or combine the data. But those controls need to be tied to the actual project. A generic statement that synthetic data was produced using a privacy-enhancing method is not the same as evidence that this dataset, for this population, under this access model, has sufficiently low residual risk.

The same discipline applies to utility claims. If the dataset is being used only for software testing, lower clinical fidelity may be acceptable. If it is being used to train or evaluate a model that could affect care, fidelity, bias, and subgroup performance become part of the governance question. Privacy protection achieved by erasing clinically important variation may simply move the risk from disclosure to patient impact.

The sign-off standard

Synthetic health data is at its strongest when it is treated as a risk-reduction tool inside a larger governance system. It can reduce exposure of raw patient records. It can make collaboration possible where direct sharing would be hard to justify. It can help researchers and developers work with data that carries useful clinical structure without giving them full access to the underlying records.

But the word “synthetic” should not be allowed to do the work of a privacy assessment. The current regulatory materials point in the same direction: generation starts from personal data, outputs can retain residual disclosure risk, bias matters when health-impact decisions are involved, and no published guidance supplies a universal safe number. The organization approving use or release still has to document why the remaining risk is low enough.

Synthetic data can support healthcare AI privacy when it is paired with privacy testing, access controls, purpose limits, bias checks where health consequences are possible, and a clear chain of accountability. It cannot outsource the privacy conclusion to its own name.

References

  1. Are synthetic health data personal data? PHG Foundation/MHRA, 2023.
  2. Protecting patient privacy in tabular synthetic health data: a regulatory perspective. Nature, 2025.
  3. Harnessing the power of synthetic data in healthcare: innovation, application, and privacy. Nature, 2023.
  4. The urgent need to accelerate synthetic data privacy frameworks for medical research. The Lancet Digital Health, 2025.
  5. A scoping review of privacy and utility metrics in medical synthetic data. Nature, 2024.