GDPR for veterinary practices in the UK: RCVS & ICO

Steven | TrustYourWebsite · 17 May 2026

Veterinary practices have a quirk that makes UK GDPR easier to reason about than people often assume: animal data is not personal data. A dog's clinical notes, breed, vaccination history and weight chart are not, by themselves, regulated under the UK GDPR — animals are not data subjects.

But the owner of that dog is. Their contact details, their payment information, their conversations with the practice and the link between them and the animal are personal data. And clinical records almost always contain both, so the file is regulated in its entirety. The RCVS Code of Professional Conduct overlays the whole picture with a confidentiality duty that long pre-dates GDPR.

This guide covers what a UK veterinary practice — a single-vet rural practice, a mid-sized group, or a corporate clinic — needs to do to keep the picture compliant.


Animal data ≠ personal data, but owner data IS

UK GDPR Article 4(1) defines personal data as relating to "an identified or identifiable natural person". Animals are not natural persons. That means:

  • A dog's clinical notes in isolation are not personal data
  • A breed-specific health database that does not link back to owners is not in scope
  • Anonymised case studies for journals or CPD (no owner identifiers, no unique animal identifiers that can be linked) are fine

But the moment you record the owner, the file becomes mixed personal data:

  • Owner contact details (name, address, phone, email)
  • Appointment history with the practice
  • Clinical correspondence and consent forms signed by the owner
  • Microchip records (the chip number plus the owner record on the Defra-compliant database)
  • Insurance claim correspondence
  • Payment records, direct-debit mandates
  • Premises CCTV (capturing the owner, not the pet)

Frame your privacy notice around the owner as the data subject, not the animal. RCVS guidance on confidentiality (chapter 14 of the Code of Professional Conduct) takes the same line — the "information about clients" obligation is the same whether or not it strictly meets the UK GDPR personal-data definition.


Lawful basis for the owner relationship

For most veterinary work the lawful basis stack is straightforward:

  • Article 6(1)(b) — contract for the treatment itself. The owner is the contractual counterpart; the vet is providing a service
  • Article 6(1)(c) — legal obligation for record-keeping under the Veterinary Surgeons Act 1966, the Veterinary Medicines Regulations 2013, the Misuse of Drugs Regulations 2001 (controlled-drug register), and the Animal Welfare Act 2006
  • Article 6(1)(f) — legitimate interest for limited marketing to existing clients — vaccination reminders, worming prompts, end-of-life care follow-up. The balancing test is usually comfortably met because the marketing is closely aligned with the animal's welfare. But PECR still applies to the channel (see below)

Special category data is uncommon in veterinary practice, but it can appear on the owner side: an owner's allergy recorded so that staff avoid a particular drug or product during a home visit, or an owner's mobility recorded for collection logistics, is health data about the owner. If you record it you need an Article 9 condition on top of the Article 6 basis. Note that Article 9(2)(h) (health or social care) covers care provided to the data subject, and a veterinary practice is not providing health care to the owner, so the realistic condition is explicit consent under Article 9(2)(a). The simpler option is often not to record the detail at all.


The RCVS Code and the common-law duty of confidentiality

The Royal College of Veterinary Surgeons regulates UK vets. Chapter 14 of the RCVS Code of Professional Conduct sets out the confidentiality duty: vets and veterinary nurses must not disclose information about a client or their animal except where the client has consented, where there is a statutory duty, where there is a court order, or where animal welfare or public interest requires it.

Practical interactions with UK GDPR:

  • RCVS confidentiality and UK GDPR sit alongside each other. Satisfying UK GDPR does not satisfy RCVS, and vice versa — a disclosure that has a lawful basis under Article 6 may still breach the Code if the client has not consented and there is no statutory or welfare justification
  • The RCVS Practice Standards Scheme treats data protection as a marker of practice maturity — Core, General Practice, Veterinary Hospital and equine modules all reference information governance, even though it is not always the headline assessment criterion
  • Fitness to practise. The RCVS disciplinary process (Preliminary Investigation Committee, then Disciplinary Committee) can investigate an individual vet's serious or persistent breach of confidentiality independently of any ICO action against the practice. The practice and the practitioner can both face action: the ICO targets the controller, the RCVS targets the individual registrant

Clinical record retention

There is no single "veterinary record retention" rule. The actual answer is the longest of several overlapping rules.

Record type | Retention period | Source
Clinical records (routine) | At least 6 years from last entry (industry standard, recommended) | RCVS guidance and Veterinary Defence Society convention
Records of animals subject to a case under review | Lifetime of animal + 6 years (limitation period for negligence claims) | Limitation Act 1980
Veterinary medicines (POM-V, POM-VPS) prescription records | 5 years | Veterinary Medicines Regulations 2013, Schedule 3
Controlled drugs register | 2 years from date of last entry | Misuse of Drugs Regulations 2001
Animal medicines record (food-producing animals) | 5 years | Veterinary Medicines Regulations 2013
Imaging (X-ray, ultrasound) | Same as parent clinical record | Follows the clinical record
Financial records | 6 years from end of financial year | HMRC / Companies Act 2006
Pet insurance correspondence | Duration of clinical record + 6 years | Limitation Act 1980

In practice most practices set a single retention period (often "lifetime of animal + 7 years") that satisfies all overlapping rules. Document the choice and the reasoning. Once the period elapses, securely destroy paper records (shredding, not bin) and properly delete or cryptographically erase digital records — document each destruction event.
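As an added worked example for this section (not code from the guide, from any practice-management system or from the RCVS), the Python below computes the earliest permissible destruction date for one animal's file as the latest of every clock that applies to it, which is the "longest of several overlapping rules" logic described above. The periods are the ones in the table; the default practice policy of lifetime + 7 years, the VetFile field names, and the treatment of a living animal's lifetime-based clocks as "not yet started" are illustrative assumptions to replace with your own documented choices.

```python
"""
Earliest destruction date for a mixed veterinary file (added illustration).

Not code from any practice-management system. Periods follow the retention
table above; the default practice policy of lifetime + 7 years and the field
names are assumptions to replace with your own documented choices.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class VetFile:
    """Dates that start each retention clock for one animal's file (assumed fields)."""
    last_clinical_entry: date
    animal_died: Optional[date] = None          # None means the animal is still alive
    last_prescription: Optional[date] = None    # last POM-V / POM-VPS record
    last_cd_register_entry: Optional[date] = None
    financial_year_end: Optional[date] = None   # end of the FY holding the last invoice
    under_review: bool = False                  # complaint, claim or case under investigation


def retention_deadlines(f: VetFile, policy_years_after_death: Optional[int] = 7) -> dict:
    """Map each applicable rule to its end date; None means that clock has not started."""
    deadlines = {"clinical_6y_from_last_entry": add_years(f.last_clinical_entry, 6)}
    if f.last_prescription:
        deadlines["vmr_2013_prescription_5y"] = add_years(f.last_prescription, 5)
    if f.last_cd_register_entry:
        deadlines["cd_register_2y_from_last_entry"] = add_years(f.last_cd_register_entry, 2)
    if f.financial_year_end:
        deadlines["financial_6y_from_fy_end"] = add_years(f.financial_year_end, 6)
    if f.under_review:
        # The Limitation Act window runs from the end of the animal's life, so it
        # cannot be computed while the animal is alive.
        deadlines["review_lifetime_plus_6y"] = add_years(f.animal_died, 6) if f.animal_died else None
    if policy_years_after_death is not None:
        key = f"practice_policy_lifetime_plus_{policy_years_after_death}y"
        deadlines[key] = add_years(f.animal_died, policy_years_after_death) if f.animal_died else None
    return deadlines


def earliest_destruction(f: VetFile, policy_years_after_death: Optional[int] = 7) -> Optional[date]:
    """Latest of all applicable deadlines, or None while any lifetime-based clock is unstarted."""
    deadlines = retention_deadlines(f, policy_years_after_death)
    if any(d is None for d in deadlines.values()):
        return None  # an unstarted clock means "keep", never "no constraint"
    return max(deadlines.values())


def may_destroy(f: VetFile, today: date, policy_years_after_death: Optional[int] = 7) -> bool:
    """True only when every overlapping rule has expired."""
    deadline = earliest_destruction(f, policy_years_after_death)
    return deadline is not None and today >= deadline


if __name__ == "__main__":
    # Constructed example: dog last seen March 2020, died May 2022, CD register
    # entry in 2019, last invoice in the financial year ending March 2021.
    dog = VetFile(
        last_clinical_entry=date(2020, 3, 10),
        animal_died=date(2022, 5, 4),
        last_prescription=date(2020, 3, 10),
        last_cd_register_entry=date(2019, 6, 1),
        financial_year_end=date(2021, 3, 31),
    )
    for rule, end in retention_deadlines(dog).items():
        print(f"{rule:40} {end}")
    print("earliest destruction:", earliest_destruction(dog))
```

Run as-is it lists each clock for the constructed file and the practice-policy clock wins, because it is the longest. The two behaviours worth copying into a real policy are that the answer is always the maximum, and that a living animal returns None for every lifetime-based rule, which the code treats as "keep the file" rather than as "no rule applies".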

For comparison with another health-data sector, see GDPR for dental practices in the UK — the special-category framing there is stricter, but the retention-mapping approach is the same.


Practice management software

Most UK practices run on one of a handful of practice-management systems. Each is a processor under Article 28 UK GDPR. Each needs a written data-processing agreement.

Platform | Hosting | Notes for UK practice
RoboVet (Covetrus; typically installed on the practice's own server) | UK | On-premises or UK hosting; a standard Article 28 DPA is still required for vendor support access
Provet Cloud | EU (Finland) | UK personal data flows to Finland, covered by the UK adequacy regulations for the EEA
Onyx (Animana / IDEXX) | EU + US | Multi-region; a transfer mechanism (UK Addendum to the EU SCCs) is required for the US replica
Teleos | UK | UK hosting
Vetlink Pro | UK | UK hosting
ezyVet (IDEXX) | New Zealand / Australia | New Zealand is covered by the UK adequacy regulations; Australia is not, so any Australian hosting needs an IDTA or UK Addendum
Merlin Vet | UK | UK hosting

What to confirm in writing with every system:

  • Article 28 DPA covering instructions, confidentiality, security, sub-processors, data-subject rights assistance, breach notification timing, return/deletion at end of contract, audit rights
  • The sub-processor list and the right to object to changes (Mailchimp/Twilio for messaging, Stripe/GoCardless for payments — each is a sub-processor)
  • Hosting country and transfer mechanism for any data leaving the UK (IDTA, UK Addendum to the EU SCCs, or adequacy)
  • Security certifications — ISO 27001 and Cyber Essentials are normal; Cyber Essentials Plus for larger groups
  • Breach-notification SLA — UK GDPR Article 33 gives the practice 72 hours from awareness to notify the ICO; the processor must give "without undue delay" notice — practically 24-48 hours

Veterinary Medicines Directorate and prescribing records

The Veterinary Medicines Regulations 2013 require detailed prescribing records for prescription-only veterinary medicines (POM-V, POM-VPS) and food-producing-animal medicines. The records are partly animal data (drug, dose, animal identifier) but include the owner identifier, which makes the file personal data.

Practical points:

  • Prescribing records must be kept for 5 years under Schedule 3 of the Regulations — longer than the GDPR storage-limitation principle would normally suggest, but UK GDPR Article 6(1)(c) (legal obligation) provides the basis
  • The VMD (Veterinary Medicines Directorate) can inspect records; the inspection is a statutory information request and disclosure to the inspecting officer is lawful regardless of owner consent
  • For controlled drugs, the CD register (mandatory for Schedule 2 drugs under the Misuse of Drugs Regulations 2001) holds drug-level information; where register entries identify the animal and its owner, those entries are personal data and access to the register must be restricted accordingly

Pet insurance claims

When the practice deals directly with an insurer (Petplan, Animal Friends, Bought By Many / ManyPets, Direct Line, Tesco Bank, etc.) on behalf of an owner:

  • The insurer is a separate controller, not your processor
  • Each insurer's privacy notice covers their own processing; your privacy notice has to tell the owner which insurers you share data with and why
  • Direct claims handling typically requires sending the clinical history along with the claim — diagnosis, treatment notes, surgical reports. Obtain the owner's specific written consent (Article 6(1)(a)) to share clinical detail with the insurer, alongside the standard consent to treat
  • A breach by the insurer is the insurer's UK GDPR Article 33 obligation, not yours — but if the leak was data you shared, document the share so you can demonstrate you released only what was necessary
  • Owner subject-access requests give the owner access to your records (which include the owner-facing portions of the animal's clinical file); signpost them to the insurer for a parallel request against the insurer's records

Online booking, pet portals and reminder messaging

Owner-facing portals (VetVee, MyHealthyPet, the practice's own owner login from RoboVet / Provet) hold the owner's contact details, the animal's records and often payment information. The portal vendor is a processor; the same DPA, transfer and breach-notification requirements apply.

Reminder messages need careful framing:

  • A vaccination booster reminder for an existing patient is borderline. A neutral notice that a booster is due can be treated as a service message, but ICO guidance is that anything that encourages the owner to book or buy is direct marketing, and PECR Regulation 22 then applies to the SMS and email channels. The safest route is the PECR soft opt-in: collect the contact details in the course of selling your own services, market only your own similar services, give a clear chance to refuse at the point of collection, and include a free and simple opt-out in every subsequent message
  • An annual health-check prompt sent two years after the last visit is direct marketing and needs the same soft-opt-in basis at minimum
  • A product recommendation ("our new diet range") is marketing and needs the full opt-in unless the soft-opt-in can be clearly justified
  • For a deeper view of the consent vs soft-opt-in distinction in the UK marketing context see newsletter signup form rules for the UK (the marketing framing carries across sectors)

CCTV in practice

CCTV is common in equine and farm practice, in mixed-animal hospitals, and on out-of-hours premises. Same ICO rules apply as elsewhere:

  • Notify with signage at every entrance — operator name, contact, purpose
  • Document a lawful basis — usually Article 6(1)(f) legitimate interests, with a balancing test
  • Set a retention period — 14-30 days is typical; anything beyond 60 days needs strong justification
  • Restrict access to recordings
  • Audio recording requires a higher-intrusion justification — usually unnecessary
  • Cameras facing into consultation rooms, ICU areas where owners may grieve, or staff-only areas warrant a Data Protection Impact Assessment

Photography, social media and "patient of the week"

A photo of a labrador in the recovery suite, posted on the practice's social media with the owner's first name, is personal data: the pet's name, the practice and the post's location together make the owner identifiable, and the identifiability test turns on what the combination reveals, not on whether the owner's full name appears.

  • Obtain explicit, separately-recorded, written consent for each purpose — clinical/teaching use (kept in the file) is different from social media use is different from your website
  • Tell the owner where the image will appear and how long it will be retained
  • Withdrawal must be as straightforward as giving consent — and you must be able to take the image down on request unless another lawful basis applies

For owners under 18, assess whether the young person can genuinely understand what they are agreeing to; where they cannot, take consent from a person with parental responsibility, and record whose consent you relied on.


Your practice website

Required on a UK veterinary practice site:

  • Companies House disclosures if the practice trades through a limited company — registered name, company number, registered office, country of registration. See company website trading disclosures
  • RCVS practice registration number (highly recommended — owners use the RCVS Find a Vet tool to verify)
  • RCVS Practice Standards Scheme accreditation badges — only display the badges your practice has earned; misuse can be a Code violation
  • Privacy notice covering booking data flows, marketing data flows, insurer disclosures, CCTV, retention, ICO complaint route
  • Cookie banner compliant with PECR and the ICO's 2025 enforcement standard — see cookie banner rules under the ICO. The owner-portal login flow, embedded Google Maps and embedded video introductions to the team all drop tracking and need to be blocked until consent

Common gaps on practice sites: owner-portal widgets that drop third-party cookies before consent; embedded YouTube practice tours that load Google tracking before the banner is answered; "book a check-up" Facebook Pixel and Google Ads remarketing tags wired into the conversion event of an enquiry. A free website compliance check will surface this.
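As an added example for this section (not the TrustYourWebsite scanner and not any vendor's code), the Python below statically audits a page's HTML for the three gaps just listed: tag scripts and inline tag bootstraps that run before consent, video embeds that load eagerly, and embeds that are correctly deferred. It assumes the gating conventions many consent managers use, a script held as type="text/plain" until the banner rewrites it and an iframe whose URL sits in data-src until consent; the tracker host list is a short hand-picked set and the sample page is constructed for the illustration.

```python
"""
Static audit for trackers that load before the cookie banner is answered.

Added illustration for this section, not the TrustYourWebsite scanner nor any
vendor's code. Assumed gating conventions: scripts held as type="text/plain"
until the consent manager rewrites them, iframes keeping their URL in data-src
until consent. Host list and sample page are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose scripts or embeds set cookies or storage as soon as they load (assumed list)
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Facebook Pixel",
    "googleads.g.doubleclick.net": "Google Ads remarketing",
    "www.youtube.com": "YouTube embed",
    "www.google.com": "Google Maps embed",  # only for /maps paths, see _record
    "maps.googleapis.com": "Google Maps JavaScript API",
}
# Inline bootstrap snippets that fire before any external tag script arrives
INLINE_MARKERS = {"gtag(": "gtag bootstrap (inline)", "fbq(": "Facebook Pixel bootstrap (inline)"}


class PreConsentAudit(HTMLParser):
    """Collect every tracker reference and whether it is gated behind consent."""

    def __init__(self):
        super().__init__()
        self.findings = []          # dicts with kind, label, url, gated
        self._live_inline = False   # inside a <script> with no src and no gate

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            gated = (a.get("type") or "").lower() == "text/plain"
            src = a.get("src")
            self._live_inline = src is None and not gated
            if src:
                self._record("script", src, gated)
        elif tag == "iframe":
            if a.get("src"):
                self._record("iframe", a["src"], gated=False)
            elif a.get("data-src"):
                self._record("iframe", a["data-src"], gated=True)

    def handle_endtag(self, tag):
        if tag == "script":
            self._live_inline = False

    def handle_data(self, data):
        if self._live_inline:
            for marker, label in INLINE_MARKERS.items():
                if marker in data:
                    self.findings.append({"kind": "inline-script", "label": label, "url": None, "gated": False})

    def _record(self, kind, url, gated):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        label = TRACKER_HOSTS.get(host)
        if host == "www.google.com" and not parsed.path.startswith("/maps"):
            label = None  # a plain google.com link is not the Maps embed
        if label:
            self.findings.append({"kind": kind, "label": label, "url": url, "gated": gated})


def audit_pre_consent(html):
    """Every tracker reference in the markup, gated or not."""
    p = PreConsentAudit()
    p.feed(html)
    p.close()
    return p.findings


def ungated_trackers(html):
    """Labels of trackers that load before consent, sorted for stable output."""
    return sorted(f["label"] for f in audit_pre_consent(html) if not f["gated"])


# Constructed sample: ungated gtag.js, inline gtag bootstrap, gated Pixel,
# eager YouTube tour, deferred Maps embed and an unclassified booking widget.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());</script>
<script type="text/plain" data-consent="marketing" src="https://connect.facebook.net/en_GB/fbevents.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc123" title="Practice tour"></iframe>
<iframe data-src="https://www.google.com/maps/embed?pb=placeholder" title="Find us"></iframe>
<script src="https://cdn.example-portal.invalid/booking-widget.js"></script>
</body></html>"""

# Same page with the three gaps closed: gate both Google scripts, defer the video
FIXED_PAGE = (
    SAMPLE_PAGE.replace('<script async src=', '<script type="text/plain" data-consent="analytics" src=')
    .replace("<script>window.dataLayer", '<script type="text/plain" data-consent="analytics">window.dataLayer')
    .replace('<iframe src="https://www.youtube.com', '<iframe data-src="https://www.youtube.com')
)

if __name__ == "__main__":
    print("before:", ungated_trackers(SAMPLE_PAGE))
    print("after: ", ungated_trackers(FIXED_PAGE))
```

Two caveats a practitioner would add. First, the booking widget on the sample page is not flagged because its host is not on the list; a static audit only knows the hosts you teach it, so any third-party script it does not recognise still needs a manual look at what that script sets. Second, this checks markup, not behaviour: a gated script that the consent manager activates on page load regardless of the user's choice passes this audit and still breaches PECR, so pair the static check with a browser run that records cookies and storage before the banner is answered.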


The ICO data protection fee

Tier | Annual turnover | Staff | Fee (direct debit) | Fee (other)
Tier 1 (micro) | ≤ £632,000 | or ≤ 10 | £47 | £52
Tier 2 (small/medium) | ≤ £36m | or ≤ 250 | £73 | £78
Tier 3 (large) | > £36m | and > 250 | £3,758 | £3,763

Fees are those in force from 17 February 2025, with the £5 direct-debit discount applied in the fourth column. Tier 1 and Tier 2 are met on either the turnover or the staff criterion; Tier 3 is everyone who meets neither.

Most independent practices are Tier 1 or low Tier 2; small group practices land in Tier 2; the corporate groups (CVS, IVC Evidensia, VetPartners, Linnaeus) all sit in Tier 3 for their head-office controller registration.

Failure to pay the fee can result in a monetary penalty of up to 150% of the top-tier fee, and the ICO routinely sends discovery letters to unregistered organisations in regulated sectors.


Breach procedure

Typical breaches in veterinary practice:

  • Practice-management system credentials phished and a client list pulled
  • Tablet with owner details and clinical records stolen during an out-of-hours call
  • Email sent to the wrong owner (clinical update on the wrong animal)
  • Insurance claim file emailed unencrypted to the wrong insurer contact
  • Owner-portal misconfiguration exposing another owner's record

Steps:

  1. Contain. Revoke access, change credentials, recover or remotely wipe the device
  2. Assess. What data, how many owners, likely impact
  3. Notify the ICO within 72 hours via ico.org.uk/for-organisations/report-a-breach. If you cannot complete the assessment within 72 hours, file a preliminary notification and follow up
  4. Notify the owners directly where the breach is likely to result in high risk — financial information leaked, large numbers of records exposed, ransomware exfiltration confirmed
  5. Consider RCVS notification. If the breach materially affected client confidentiality, the practice may need to notify the RCVS as a fitness-to-practise consideration — particularly where a named registrant's conduct was the cause
  6. Document everything — Article 33(5) requires a breach record regardless of whether it was notified to the ICO
  7. Tell your veterinary defence union and insurer — Veterinary Defence Society and similar bodies typically require notification within a similar window

Practical checklist for UK veterinary practices

Item | Required?
ICO data protection fee paid (Tier 1, 2 or 3) | Yes
Lawful basis documented (Article 6(1)(b), plus 6(1)(c) for statutory records) | Yes
RCVS practice registration number visible on site | Strongly recommended (not a statutory requirement)
Article 28 DPA signed with the practice-management software vendor | Yes
Transfer mechanism (IDTA / UK Addendum) for non-UK processors | Yes, if data leaves the UK and no adequacy regulations cover the destination
Companies House details in footer | Yes, if incorporated
Privacy notice covering owner data, marketing, insurer disclosures, CCTV, retention | Yes
Separate explicit consent for social media / portfolio photos | Yes
Cookie banner with equally prominent accept/reject | Yes, if using non-essential cookies
Clinical-records retention policy (6-7 years minimum, or lifetime + 6 years) | Yes
VMR 2013 prescribing records retained 5 years | Yes (statutory)
Controlled drugs register retained 2 years from last entry | Yes (statutory)
Direct-marketing consent or PECR soft opt-in for reminders | Yes
Breach notification procedure (ICO 72h) | Yes
Staff trained on confidentiality, UK GDPR and the RCVS Code | Yes

Check your practice website

Free website compliance check →

A TYW scan checks your privacy notice, cookie banner configuration, Companies House disclosures, embedded owner-portal widgets, Google Maps and video embeds, and trackers loaded before consent — in 60 seconds, no signup.


This is technical analysis, not legal advice. Consult the RCVS, your veterinary defence union and a data protection specialist for advice specific to your practice.