GDPR for Veterinary Practices: How to Handle Pet Owner Data Compliantly
Veterinary practices collect a remarkable amount of personal data. Behind every patient record — Biscuit the Labrador or Whisper the cat — there is a pet owner whose name, address, phone number, payment details, and often health-adjacent information sits in your practice management system.
If you run a vet practice, a veterinary group, or a locum-staffing operation, GDPR applies to you. This guide works through every significant data category you handle, the lawful basis for each, your obligations to staff and locums, what your privacy notice must say, and how to handle the situations that trip practices up — from pet insurance data sharing to CCTV in the waiting room.
What Personal Data Veterinary Practices Collect
The first step in any GDPR compliance programme is understanding what personal data you actually process. For a veterinary practice, the list is longer than most owners initially assume.
Pet owner contact data: Names, postal addresses, email addresses, and mobile numbers. This is the most obvious category — collected at registration and updated over time.
Payment information: Credit and debit card details, bank account numbers for direct debit or standing orders, payment history, and outstanding balances. Some practices store card details for recurring customers; others use payment processors. Where you store payment data directly, this is high-sensitivity personal data.
Health-adjacent data from pet records: Here is where it gets nuanced. Pet health records are records about the animal, not the person — but they can reveal things about the owner. A record that notes an owner requested euthanasia for a pet they can no longer afford to treat may reveal financial circumstances. A record noting a pet was given up because an owner was hospitalised reveals health information about the owner. Notes in your practice management system about "owner called in distress" or "owner has mobility issues and needs home visits" are personal data about the owner, not the pet.
Insurance policy details: Insurer name, policy number, and cover level, collected when you process insurance claims on behalf of owners.
Communication preferences and history: Notes of phone calls, appointment reminder preferences, opt-in or opt-out status for newsletters and health plan marketing.
Deceased pet owner data: Accounts that remain in your system after an owner has died. This requires careful handling — see below.
Lawful Basis for Processing Pet Owner Data
Under GDPR Article 6, every processing activity requires a lawful basis. For veterinary practices, two bases do most of the work.
Contract (Article 6(1)(b)) covers processing necessary to perform the service you have been engaged to provide. When an owner registers their pet with your practice and books an appointment, you are entering a contractual relationship. Processing their name, contact details, and payment information to book appointments, send invoices, and deliver veterinary care is processing necessary for that contract.
Legitimate interest (Article 6(1)(f)) applies where you have a genuine business or professional reason to process data, and that reason is not overridden by the individual's privacy interests. This is the appropriate basis for:
- Appointment reminders — Sending SMS or email reminders for booked appointments, vaccination due dates, and annual health checks is a legitimate interest. Owners benefit from these reminders, and the processing is proportionate. Document a brief Legitimate Interests Assessment (LIA) confirming this.
- Client relationship management — Keeping records of past consultations, treatments, and clinical history for continuity of care is a legitimate interest for you and a direct benefit to the pet owner.
- Safety follow-ups — Contacting owners after procedures or treatments to check on recovery is legitimate interest.
Consent (Article 6(1)(a)) is needed for processing that goes beyond the contract and legitimate interest, most obviously direct marketing. If you want to send newsletters, pet food offers, or health plan promotions to owners who have not signed up for those services, you need consent that is freely given, specific, informed and unambiguous: a clear affirmative action, granular by channel (SMS, email, phone), and as easy to withdraw as it was to give. Do not bundle marketing consent into registration forms; use a separate, unticked checkbox and record when and how each consent was given.
Legal obligation (Article 6(1)(c)) applies where you are required by law to retain or disclose data — for example, retaining clinical records as required by professional regulatory guidance from the Royal College of Veterinary Surgeons (RCVS).
Practice Management Software as Data Processors
Most veterinary practices now use dedicated practice management software. Popular systems include VetSoft, RoboVet, Vet-AI, and ezyVet. When you use any of these platforms to store and process pet owner data, the software provider is acting as your data processor under GDPR Article 28.
You remain the data controller — responsible for deciding why and how the data is processed. The software provider processes it on your behalf, under your instructions.
GDPR Article 28 requires you to have a written Data Processing Agreement (DPA) with every data processor. Major veterinary software providers have addressed this, but you must verify:
- That you have actually reviewed and accepted the DPA — not just signed up to the service
- Where the provider stores your data (UK, EEA, or third country)
- What their sub-processor list looks like (cloud infrastructure, payment processors, etc.)
- What their data breach notification commitment is
If you use additional tools — a CRM, an email marketing platform, a payment gateway, a recall reminder service — the same DPA requirement applies to each.
Practical step: List every SaaS tool that processes pet owner data. Confirm you have a DPA in place for each. If the tool does not offer a DPA, that is a red flag — either switch providers or conduct a thorough assessment of the risk.
Appointment Reminder Systems: SMS and Email
Appointment and vaccination reminders are one of the most common data processing activities in a vet practice — and one of the most frequently misconfigured from a GDPR perspective.
If you use a third-party reminder service (integrated with your practice management software or standalone), that provider is a data processor and needs a DPA. The reminder service typically receives owner names, mobile numbers, email addresses, and appointment information.
SMS reminders are generally proportionate and appropriate under legitimate interest, provided:
- The reminder relates to an appointment the owner has booked
- There is an easy way for owners to opt out of SMS contact
- You do not use SMS for unsolicited marketing without consent
Email reminders follow the same logic. For clinical reminders ("Biscuit's annual booster is due next month") legitimate interest is the appropriate basis. For promotional emails ("Book a dental check-up this month and get 10% off") you need prior consent under both GDPR and the UK's Privacy and Electronic Communications Regulations (PECR). The one exception is PECR's "soft opt-in": where you collected the address in the course of a sale, the message promotes your own similar services, and the owner was given a clear and simple way to refuse both at collection and in every message since, you may email without prior consent. If you cannot evidence all three conditions, do not rely on it.
Vaccination recall campaigns are the grey area many practices fall into. A recall reminder for a lapsed booster is arguably legitimate interest — it directly benefits the animal's health. A recall reminder that is primarily a revenue driver requires more careful analysis and, ideally, explicit consent.
Document your LIA for reminder communications. Keep it brief, but make it explicit: what is the legitimate interest, why does it not override owner privacy, and how can owners opt out?
Pet Insurance Claims and Data Sharing with Insurers
Pet insurance claims involve sharing personal data with third parties — the insurer and, sometimes, a claims handling intermediary. This is a significant data-sharing activity that many practices handle without fully considering their GDPR obligations.
When an owner asks you to submit an insurance claim on their behalf, the lawful basis for sharing their data with the insurer is contract (Article 6(1)(b)): submitting the claim is a service the owner has asked you to perform. The owner's request is your instruction to share, so keep a record of it (a signed claim form, or a note of the request with the date) rather than relying on an unrecorded phone call.
What you should have in place:
- A clear statement in your registration paperwork or privacy notice explaining that you share data with insurers when processing claims
- Confirmation that you share only the data necessary for the claim — clinical records relevant to the condition, treatment details, and invoices
- A record of which insurer you shared data with and when
Be aware of scope creep: Insurers sometimes request full clinical histories when only a specific episode is relevant to the claim. You are not obliged to provide more than what the claim requires. If an insurer demands extensive records going beyond the claimed condition, discuss this with the owner before sharing, and document your decision.
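The minimisation and record-keeping points above (share only what the claim requires, log what went to whom, and hold back anything outside the claimed episode until you have spoken to the owner) can be made mechanical. The following is an added example, not code from the original article or from any practice management vendor; it assumes an export where each clinical entry carries a condition code and a flag for notes that are about the owner rather than the animal, and the insurer, policy number and patient record are all constructed.

```python
"""Data-minimised insurance claim pack for a vet practice.

Added example (not from the original article). Assumes a practice management export
where each clinical entry carries a condition code and a flag for notes that are about
the owner rather than the animal. Names, codes and the sample record are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ClinicalEntry:
    entry_date: date
    condition: str                 # condition/problem code the entry relates to (assumed field)
    note: str
    invoice_total: Optional[float] = None
    owner_note: bool = False       # True when the note is about the owner, not the pet (assumed field)


@dataclass(frozen=True)
class Claim:
    insurer: str
    policy_number: str
    condition: str                 # the condition being claimed for
    window_start: date             # treatment period covered by the claim
    window_end: date


@dataclass
class ClaimPack:
    insurer: str
    policy_number: str
    entries: list
    withheld: dict                 # counts of entries held back, by reason
    invoice_total: float


def build_claim_pack(entries, claim, sharing_log, shared_at=None):
    """Select only the entries the claim requires and append an audit record.

    Rules, applied in order:
      1. notes about the owner are never part of a claim pack;
      2. entries for a different condition are withheld;
      3. entries for the claimed condition but outside the treatment window are withheld
         (these are the ones an insurer may later ask for; raise that with the owner first).
    """
    shared = []
    withheld = {"owner_note": 0, "other_condition": 0, "outside_window": 0}
    for e in entries:
        if e.owner_note:
            withheld["owner_note"] += 1
        elif e.condition != claim.condition:
            withheld["other_condition"] += 1
        elif not (claim.window_start <= e.entry_date <= claim.window_end):
            withheld["outside_window"] += 1
        else:
            shared.append(e)
    shared.sort(key=lambda e: e.entry_date)
    total = sum(e.invoice_total or 0.0 for e in shared)

    # The record the practice keeps of what went to whom and when (accountability, Article 5(2)).
    sharing_log.append({
        "shared_at": (shared_at or datetime.now(timezone.utc)).isoformat(),
        "insurer": claim.insurer,
        "policy_number": claim.policy_number,
        "condition": claim.condition,
        "entries_shared": len(shared),
        "entries_withheld": dict(withheld),
    })
    return ClaimPack(claim.insurer, claim.policy_number, shared, withheld, total)


# Constructed sample record for one patient: two entries for the claimed condition inside the
# window, one earlier note for the same condition before the window, one unrelated dental
# visit, and one note that is about the owner rather than the dog.
SAMPLE_ENTRIES = [
    ClinicalEntry(date(2023, 11, 1), "cruciate", "Mild intermittent RH lameness; monitor"),
    ClinicalEntry(date(2024, 1, 15), "dental", "Scale and polish under GA", invoice_total=210.0),
    ClinicalEntry(date(2024, 3, 2), "cruciate", "RH lameness; suspected cruciate rupture; radiographs", invoice_total=180.0),
    ClinicalEntry(date(2024, 3, 10), "cruciate", "TPLO performed; discharged with analgesia", invoice_total=2400.0),
    ClinicalEntry(date(2024, 3, 10), "cruciate", "Owner called in distress about cost; payment plan discussed", owner_note=True),
]
SAMPLE_CLAIM = Claim("Example Pet Insurer (hypothetical)", "POL-0000 (hypothetical)",
                     "cruciate", date(2024, 3, 1), date(2024, 3, 31))


if __name__ == "__main__":
    log = []
    pack = build_claim_pack(SAMPLE_ENTRIES, SAMPLE_CLAIM, log)
    for e in pack.entries:
        print(e.entry_date, e.note, e.invoice_total)
    print("withheld:", pack.withheld, "invoiced:", pack.invoice_total)
    print("audit:", log[-1])
```

The owner-note check runs before the condition check on purpose: a note about the owner's finances is never claim evidence even when it is filed under the claimed condition. The `outside_window` count is the scope-creep signal: if an insurer later asks for that pre-window history, you can see at a glance what they are asking for and discuss it with the owner before sending anything.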
Third-country insurers: If the owner's insurer is based outside the UK or EEA, you need a lawful transfer mechanism before sharing: either the destination country is covered by UK adequacy regulations, or you have appropriate safeguards in place (for UK transfers, the ICO's International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses). Most major UK pet insurers are UK-based, but international policies exist. Check before you share.
CCTV in Veterinary Waiting Rooms
CCTV is common in veterinary practices — for security, to monitor animals left in the practice, and sometimes for staff safety in handling situations. CCTV footage that captures identifiable individuals (pet owners and staff in the waiting room) is personal data under GDPR.
Lawful basis: The appropriate basis for CCTV in a veterinary waiting room is legitimate interest — security and safety. Document your LIA, considering whether CCTV is genuinely necessary (and whether less intrusive means would achieve the same result), and whether the security benefit outweighs the privacy impact on owners and staff.
Signage: You must notify people that CCTV is in operation before they enter the area covered. A clearly visible sign at the entrance — stating that CCTV is in use, the identity of the data controller, and where they can get more information — satisfies the transparency requirement.
Retention: CCTV footage should not be retained longer than necessary. For most practices, 30 days is typical unless footage is needed for a specific incident. Define your retention period, document it, and configure your system to overwrite or delete automatically.
Access: Control who can access CCTV footage and log access. Footage should not be shared casually — with neighbouring businesses, for social media, or for purposes unrelated to the security purpose it was collected for.
Staff notice: Your CCTV privacy notice must also inform staff that they may be captured in waiting room footage. Include this in your employee privacy notice.
Staff and Locum Vet Employment Data
Veterinary practices hold a significant volume of employment-related personal data — not just for permanent staff, but for locum vets, nurses, and reception staff sourced through agencies.
For permanent employees, the lawful basis for processing employment data is primarily:
- Contract — processing necessary to fulfil the employment contract (payroll, pension contributions, annual leave records)
- Legal obligation — HMRC PAYE reporting, right-to-work checks, professional registration verification with the RCVS
- Legitimate interest — performance management, sickness absence records, internal communications
For locum vets, the situation is slightly more complex. If you engage locums directly (not through an agency), you are the data controller for their personal data and need to comply fully with GDPR. If you engage them through an agency, the agency is likely the data controller for the locum's personal data, but you will still receive some of that data (name, professional registration number, contact details) and must handle it appropriately.
RCVS registration verification: Under the Veterinary Surgeons Act 1966 only vets on the RCVS register may practise, so check the register for any vet working at your premises and keep a record of the check (date, registration number, who checked). That record supports a legal obligation basis under Article 6(1)(c).
Health data for staff: If you process sickness records, occupational health reports, or fit notes for staff, this is special category data under Article 9. You need both an Article 6 lawful basis and an Article 9 condition, typically Article 9(2)(b) (obligations under employment, social security and social protection law). In the UK this also requires you to meet the corresponding condition in Schedule 1 of the Data Protection Act 2018 and to have an "appropriate policy document" describing how you comply with the data protection principles for that data. Keep access to these records limited to the people who need them (the manager handling absence, HR), not the whole front desk.
Locum agency DPAs: If you use a locum agency that provides temporary staff and accesses your systems or shares candidate data with you, review whether a DPA is needed. If the agency processes personal data on your behalf (e.g., manages scheduling in your system), yes. If you are joint controllers, a different arrangement applies.
What Your Privacy Notice Must Cover
GDPR Articles 13 and 14 require you to provide pet owners with clear, accessible privacy information. Your privacy notice — displayed on your website and provided to owners at registration — must include:
- Identity of the data controller: Your practice name, registered address, and contact details
- DPO or data contact: If you have appointed a Data Protection Officer, their contact details. If not, a named contact for data protection queries
- What data you collect and why: Each category of personal data, the purpose for processing it, and the lawful basis
- Legitimate interests: Where you rely on legitimate interest, briefly describe what that interest is
- Third parties you share data with: Insurers, practice management software providers, reminder services, RCVS, HMRC, locum agencies
- International transfers: If any data is transferred outside the UK/EEA, explain the safeguard in place
- Retention periods: How long you keep different categories of data and why
- Data subject rights: Right to access, rectification, erasure, restriction, portability, and objection — and how to exercise them
- Right to complain: The ICO's contact details and the owner's right to lodge a complaint
- Automated decision-making: If any decisions are made solely by automated means (e.g., automated credit checks), this must be disclosed
A privacy notice that says "we take your privacy seriously and will not share your data with third parties" is not compliant. It must be specific, accurate, and cover the categories above.
Handling Deceased Pet Owner Data
Pet owners die. What happens to their records in your system?
GDPR applies to living individuals only — the regulation explicitly states it does not apply to personal data of deceased persons. However, UK data protection law and ICO guidance recommend treating deceased individuals' data with discretion, particularly where family members may be affected.
Practical approach:
- When a practice becomes aware that an owner has died (often through a family member making contact), update the record to reflect this and cease active marketing or reminder communications to that contact
- Retain the clinical history for the remaining animals if they have been transferred to a new owner — but update the owner record
- Retain account records (payment history, outstanding balances) for your standard financial retention period
- If a family member requests deletion of all records, consider this carefully — you may need to retain certain records for financial or clinical reasons, but should delete or suppress unnecessary personal data (marketing preferences, contact notes, etc.)
There is no strict legal obligation to delete deceased individuals' records within any particular timeframe, but the ICO encourages proportionate and sensitive handling. Document your approach in your retention policy.
Data Subject Access Requests for Clinical Records
Pet owners have the right to request access to their personal data under GDPR Article 15. In a veterinary context, this typically means a request for:
- Their own contact and account information
- Notes in the practice management system that relate to them (not just the pet)
- Correspondence (emails, letters) between the owner and the practice
- Records of insurance claims processed on their behalf
- CCTV footage in which they appear
Clinical records about the pet are not personal data about the owner, but owner-specific notes within those records are. When responding to a DSAR, you must extract the owner's personal data from the clinical records without necessarily providing the animal's full clinical history; a copy of the pet's records is something the owner can ask for separately under RCVS guidance (see below), and it is a different request from the DSAR.
Timescale: One calendar month from the date of receipt, extendable by two further months for complex requests.
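"One calendar month" has edge cases that catch practices out: a request received on 31 January is due on 28 February (29 in a leap year), not 3 March, and the clock does not start until you hold any identity verification you reasonably asked for. The calculator below is an added example, not code from the original article; it implements the ICO's reading of the month rule as we understand it (corresponding date in the following month, or the last day of that month if no such date exists), treats the identity-verified date as the clock start, and places the deadline for notifying an extension at the end of the first month. It deliberately does not roll weekend or bank-holiday deadlines forward; check current ICO guidance on that point.

```python
"""DSAR deadline calculator with calendar-month edge cases.

Added example (not from the original article). Implements the ICO's reading of
"one month" as we understand it: the corresponding date in the following month, or
the last day of that month if no such date exists; the clock starts when the request
(and any identity verification you reasonably required) is received; an extension of
up to two further months must be notified within the first month. Weekend and
bank-holiday roll-forward is deliberately not modelled; check current ICO guidance.
"""
import calendar
from datetime import date
from typing import Optional


def add_calendar_months(start: date, months: int) -> date:
    """The corresponding date `months` ahead, clamped to the last day of the target month.

    31 Jan + 1 month is 28 Feb (29 Feb in a leap year), not 3 Mar.
    """
    year_delta, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + year_delta, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def dsar_deadlines(received: date, identity_verified: Optional[date] = None,
                   extended: bool = False) -> dict:
    """Key dates for a subject access request.

    received            date the request arrived
    identity_verified   date you received satisfactory ID, if you had to ask for it
    extended            True once you have decided to use the Article 12(3) extension
    """
    clock_start = max(received, identity_verified) if identity_verified else received
    first_month = add_calendar_months(clock_start, 1)
    return {
        "clock_start": clock_start,
        "extension_notice_by": first_month,   # must tell the requester by this date
        "respond_by": add_calendar_months(clock_start, 3) if extended else first_month,
    }


def days_remaining(deadlines: dict, today: date) -> int:
    """Negative when the response is overdue."""
    return (deadlines["respond_by"] - today).days


if __name__ == "__main__":
    for received in (date(2025, 1, 31), date(2024, 1, 31), date(2025, 8, 31)):
        print(received, "->", dsar_deadlines(received)["respond_by"])
    d = dsar_deadlines(date(2025, 1, 31), identity_verified=date(2025, 2, 5), extended=True)
    print(d, days_remaining(d, date(2025, 4, 1)))
```

Note that the extension notice date is always one month from the clock start, whether or not you end up extending: if you have not told the requester by then, the original one-month deadline stands.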
Verification: You may ask for reasonable verification of identity before releasing data, and the one-month clock does not start until you have it. Do not ask for more than is necessary: for a registered client writing from the email address or phone number on their account, confirming details you already hold is usually enough. Only ask for a copy of photo ID where there is genuine doubt, and delete the copy once the check is done.
Clinical records ownership: In the UK, RCVS guidance (the Code of Professional Conduct for Veterinary Surgeons and its supporting guidance on clinical records) states that clinical records belong to the veterinary practice, not the animal owner, but owners are entitled to request a copy of their pet's records. This is separate from (but often conflated with) the DSAR process. Handle both clearly and distinctly.
GDPR Compliance Checklist for Veterinary Practices
Use this checklist to assess your current compliance position:
Lawful basis and documentation
- [ ] Lawful basis documented for each category of pet owner data processing
- [ ] Legitimate Interests Assessment completed for appointment reminders and recall campaigns
- [ ] Record of Processing Activities (ROPA) maintained and up to date
Privacy notice
- [ ] Privacy notice published on your website and available at reception
- [ ] Notice covers all Article 13 requirements (purposes, lawful basis, retention, rights, third parties)
- [ ] Staff and locum employment privacy notice separate and up to date
Data processors
- [ ] DPA in place with practice management software (VetSoft, RoboVet, Vet-AI, ezyVet, or equivalent)
- [ ] DPA in place with appointment reminder / recall services
- [ ] DPA reviewed for payment processor and any card storage solution
- [ ] DPA or data sharing agreement in place with locum agencies (as appropriate)
Insurance data sharing
- [ ] Process documented for sharing data with insurers during claims
- [ ] Owners informed (in privacy notice) that data is shared with their insurer when they request a claim
- [ ] Data minimisation practised — only sharing what the claim requires
CCTV
- [ ] Legitimate interest documented for CCTV operation
- [ ] Visible signage at entrance(s) to CCTV areas
- [ ] Retention period defined and system configured to auto-delete
- [ ] Access to footage logged and controlled
Staff and locums
- [ ] Employee privacy notice issued to all permanent staff
- [ ] Right-to-work and RCVS registration check records retained with documented legal basis
- [ ] Health/sickness data handled under Article 9(2)(b) with appropriate access controls
DSARs and rights
- [ ] Process in place for handling DSARs within one month
- [ ] Process for separating owner personal data from pet clinical records when responding to DSARs
- [ ] Deceased owner data handled sensitively with documented approach
Security
- [ ] MFA enabled on practice management software and email
- [ ] Encrypted storage for client records (check your software provider's security documentation)
- [ ] Data breach response procedure documented
- [ ] Staff trained on basic data protection and phishing awareness
Next Steps
GDPR compliance for a veterinary practice is not dramatically complex — but it does require you to think systematically about the personal data you hold, how you use it, and who you share it with.
A practical first step: audit what your practice website is actually doing with visitor data. Many vet practice websites use analytics, booking widgets, and contact forms that collect personal data in ways not covered by their privacy notices — often without a valid consent mechanism.
Scan your website free at Custodia — no signup required, results in 60 seconds. It identifies every tracker, cookie, and third-party script on your site and flags what needs to be addressed.
This post provides general information about GDPR as it applies to veterinary practices in the UK. It does not constitute legal advice. Your specific obligations depend on your practice structure, the data you process, and your jurisdiction. Consult a qualified data protection solicitor or the ICO's guidance for advice specific to your situation.