Veterinary practices operate at the intersection of several regulatory frameworks, each of which places obligations on how clinical and client data is handled and protected. Unlike some sectors where a single regulator provides clear, consolidated guidance, vet practices must navigate requirements from the Information Commissioner's Office, the Royal College of Veterinary Surgeons, and the framework established by the Veterinary Medicines Regulations — as well as the practical expectations of the pet insurers and laboratory partners they work with daily.
This post sets out the specific data security obligations that apply to veterinary practices in the UK and what demonstrably meeting those obligations looks like.
UK GDPR: The Foundation
Veterinary practices are data controllers under UK GDPR. They collect, process, and store personal data about their clients — not their patients, who are animals and therefore not data subjects — and they must meet the full range of UK GDPR obligations in relation to that client data.
The security obligation under Article 32 requires that practices implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. For a practice that holds client contact details, payment records, and insurance information, "appropriate" means considerably more than a basic antivirus product. The ICO's published guidance on appropriate technical measures includes: encryption at rest and in transit, access controls that limit who can reach personal data, current patching, and — increasingly — continuous monitoring capability.
The 72-hour breach notification requirement under Article 33 applies to veterinary practices exactly as it applies to any other organisation. A ransomware attack that encrypts client records is a personal data breach. A stolen laptop containing client information is a personal data breach. A compromised email account used by a client-facing staff member is a personal data breach. Each triggers the obligation to notify the ICO within 72 hours of the practice becoming aware of it — and potentially to notify affected clients directly where there is a high risk to their rights and freedoms.
The ICO has not hesitated to take enforcement action against small healthcare organisations. The consequences of inadequate security are not hypothetical: ICO fines for small organisations with inadequate security measures range from £8,000 to £175,000, alongside the reputational and operational consequences of the breach itself.
The RCVS Code of Professional Conduct
The RCVS Code of Professional Conduct for Veterinary Surgeons places an obligation on veterinary surgeons to protect client confidentiality. Chapter 12 of the Supporting Guidance explicitly addresses client confidentiality and the circumstances in which information may or may not be disclosed.
While the RCVS Code does not specify technical security controls in the way that a dedicated data protection framework would, the principle is clear: the professional obligation to maintain client confidentiality is not discharged by an intention to protect data. It requires that actual technical measures are in place to prevent unauthorised access or disclosure. A practice whose systems are breached because it had inadequate security controls faces both a regulatory data protection question and a professional conduct question — the two are not separate.
The RCVS Practice Standards Scheme, which governs accredited practices, includes general requirements for appropriate record keeping and data management. Practices seeking or maintaining accreditation should be able to demonstrate that their data security arrangements are proportionate to the sensitivity of the records they hold.
Veterinary Medicines Regulations: Controlled Drug Records
The Veterinary Medicines Regulations 2013 (as amended) require veterinary practices to maintain registers of Schedule 3 controlled drugs, including details of every acquisition and disposal. These registers must be kept for a minimum of five years. For practices maintaining these records electronically — as most modern practice management systems allow — the security and integrity of the records themselves is a legal obligation, not merely good practice.
A ransomware attack that destroys or encrypts controlled drug registers creates a compliance problem with the VMR in addition to the ICO and RCVS consequences. The ability to demonstrate an intact, unaltered audit trail of controlled drug usage is a legal requirement. Systems that hold these records must be backed up in a manner that preserves their integrity — a separate offline backup, not a sync that could be overwritten by an encrypted version of the files.
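One way to make "intact and unaltered" demonstrable rather than asserted is to hash-chain the register entries and record the final hash with each offline backup. The following is an added example written for this post, not code from any practice management system; the entry fields and values are constructed for illustration.

```python
import hashlib
import json

# Constructed sample register entries (illustrative only, not real dispensing data).
SAMPLE_ENTRIES = [
    {"date": "2024-03-01", "drug": "Example-CD", "action": "acquired", "qty": 50, "by": "Vet A"},
    {"date": "2024-03-04", "drug": "Example-CD", "action": "administered", "qty": 5, "by": "Vet B"},
    {"date": "2024-03-09", "drug": "Example-CD", "action": "disposed", "qty": 2, "by": "Vet A"},
]

GENESIS = "0" * 64  # Fixed starting link for the first record.


def _entry_hash(prev_hash, entry):
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_register(entries):
    """Wrap each entry in a record that links it to the previous record's hash."""
    chain, prev = [], GENESIS
    for entry in entries:
        digest = _entry_hash(prev, entry)
        chain.append({"entry": dict(entry), "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_register(chain):
    """Return (True, None) if every link holds, else (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or _entry_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def final_hash(chain):
    """Anchor value to write into the offline backup log alongside the export."""
    return chain[-1]["hash"] if chain else GENESIS


if __name__ == "__main__":
    register = build_register(SAMPLE_ENTRIES)
    print("chain valid:", verify_register(register))
    print("anchor to record offline:", final_hash(register))
```

Editing a quantity or removing a record breaks the chain at that point; silently truncating the end of the register passes the chain check but yields a different anchor than the one recorded with the backup, which is why both checks are needed.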
The Animal Medicines Training Regulatory Authority (AMTRA) and the Veterinary Medicines Directorate both provide guidance on record-keeping obligations. Practices should confirm with their practice management software provider what specific backup and security configurations are required to meet these obligations.
Pet Insurer Data Sharing Requirements
Most major pet insurers operate electronic claim submission portals that require practices to transmit client and patient data in a structured format. Agria, Petplan, ManyPets, and others each have their own portal credentials and data transmission requirements. These portals are a source of credential exposure risk: if the login details for an insurer portal are compromised, the attacker has access to both the practice's submitted claims and potentially the ability to submit fraudulent claims under the practice's identity.
Practices should use unique, strong passwords for each insurer portal — managed via a password manager — and should enable MFA on any portal that supports it. They should also review the data sharing agreements with each insurer to understand what obligations apply to the practice's handling of data transmitted through these systems.
Laboratory and Diagnostic Partner Data
External laboratory results from IDEXX, Axiom, Finn Pathologists, and others are transmitted to practices electronically, often integrating directly with the practice management system. These integrations typically require API credentials or portal login details that, if compromised, could give an attacker access to patient diagnostic results and — depending on the portal — the ability to submit fraudulent test orders.
The practice's obligations under GDPR extend to the data processing arrangements with these partners: the practice must have appropriate data processing agreements in place and must satisfy itself that its technical arrangements for receiving and storing diagnostic data meet the security standard appropriate to the sensitivity of that data.
What Demonstrable Compliance Looks Like
The ICO's accountability principle — the requirement to be able to demonstrate compliance, not just achieve it — means that a vet practice needs evidence of its security measures, not just a good-faith belief that they are in place. Evidence that is meaningful to the ICO, to an insurer underwriting a cyber liability policy, and to the RCVS if a conduct question arises includes:
- Cyber Essentials certification — an independent assessment that five foundational controls are in place
- A documented data protection policy and a privacy notice that has been reviewed in the last 12 months
- Evidence of staff training on data security and GDPR obligations
- A backup policy with documented testing — specifically including controlled drug records
- Evidence of continuous security monitoring — monthly reports from a named analyst are the most credible form of this evidence
- A documented breach response procedure that includes the ICO notification process
None of this requires specialist legal expertise to put in place. It does require deliberate effort and the willingness to treat data security as a practice management obligation rather than an IT afterthought.
Compliance Evidence, Produced Monthly
SOC in a Box provides the continuous monitoring, monthly Confidence Score reports, and Cyber Essentials certification that constitute demonstrable security compliance for a veterinary practice. Your named analyst's monthly report is the evidence your ICO response, your insurer, and your RCVS obligations depend on — produced automatically, without you having to commission it.