It’s easy to think that veterinary practices aren’t targeted by hackers because they don’t deal in high finance, so they need only pay basic lip service to data protection obligations and the law. However, as a hack on CVS in April 2024 illustrated, veterinary practices are very much in the firing line.
CVS, with 500 practices worldwide, is large and a bigger target than most, but it’s important to recognise that the law is blind when it comes to organisational size, sector and ownership. Forgetting the legal ramifications, in practical terms the CVS hack interrupted business, and such hacks can harm a company’s reputation.
On top of this are the “ambulance-chasing” law firms. One example claims to be a “veterinary surgery data breach claims expert” that works on a no-win no-fee basis to help clients “find out if [they] can claim compensation” from practices that have suffered a breach.
Of course, veterinary practices don’t go out of their way to make mistakes, but they can make mistakes or misunderstand their obligations under the law.
So, where do they go wrong? Adam Bernstein spoke to Charley Goodwin, an associate at Walker Morris, for her expert opinion.
Lack of awareness and training
To begin with, Charley is bothered by the lack of awareness and training in relation to data protection matters. She worries that “without proper training, even the most robust internal policies and procedures cannot be effectively enforced, and a practice will leave itself susceptible to compliance failings”.
From her perspective, training ensures that “employees are equipped with the essential knowledge to maintain compliance and remain vigilant and promptly identify potential issues and take swift action”. Functionally, she thinks that training “ultimately positions [employees] as the first line of defence against potential data breaches within the organisation”.
Training, however, shouldn’t be seen as a one-off event; rather, practices should run regular refresher training to keep employees’ knowledge up to date. The benefit of such training is that, as Charley comments, “regular awareness campaigns can reinforce knowledge and keep data protection high in employees’ minds”.
Mistakes in relation to data handling
The UK General Data Protection Regulation (GDPR) details seven key principles at the core of data protection. In terms of that relating to data handling – collection, storage, processing and deletion – Charley says that “the key to effective handling lies in transparency, necessity and security”.
She explains that “a practice must clearly communicate why, how and on what legal basis it collects and processes personal data from the outset”. Next, she details that personal data “should only be retained for as long as necessary to fulfil its original purpose. Too often organisations retain data longer than required for their business purposes, violating the GDPR’s core ‘storage limitation’ principle.”
Also, Charley says that some don’t have robust measures in place to safeguard data at all times, including on deletion. As she says, “simply deleting data from systems does not absolve an organisation of its continuing responsibilities; practices must ensure data is securely deleted and cannot be recovered by unauthorised third parties”.
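The two points above, retaining data no longer than its purpose requires and making deletion final, can be enforced in code rather than left to policy. The following is an added example, not code from the article or from Walker Morris: a small client-record store that runs a retention sweep against assumed per-purpose retention periods and deletes by "crypto-shredding", meaning each record is encrypted under its own key and deletion destroys that key, so copies of the ciphertext lingering on disk or in backups cannot be read back. The cipher is an illustrative HMAC-SHA256 keystream so the example runs on the standard library alone; a production system would use a vetted AEAD such as AES-GCM from a maintained library. The record ids, retention periods and sample records are all constructed for the example.

```python
"""Added example (not from the article): storage limitation plus unrecoverable
deletion via crypto-shredding. Every record gets its own key; deleting a record
destroys the key, leaving only unreadable ciphertext behind."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Assumed retention periods per processing purpose (constructed for the example).
RETENTION_DAYS = {
    "clinical": 6 * 365,   # clinical history kept for years after last contact
    "marketing": 365,      # marketing data purged after a year of inactivity
}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: XOR data with HMAC-SHA256(key, nonce||counter).
    Encryption and decryption are the same operation. Not for production use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RecordStore:
    def __init__(self) -> None:
        self._keys = {}   # record_id -> per-record key; the only thing deletion must destroy
        self._blobs = {}  # record_id -> (nonce, ciphertext, purpose, last_activity)

    def put(self, record_id: str, plaintext: str, purpose: str, last_activity: date) -> None:
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ciphertext = _keystream_xor(key, nonce, plaintext.encode("utf-8"))
        self._keys[record_id] = key
        self._blobs[record_id] = (nonce, ciphertext, purpose, last_activity)

    def get(self, record_id: str) -> Optional[str]:
        """Returns the plaintext, or None once the key has been shredded."""
        if record_id not in self._keys:
            return None
        nonce, ciphertext, _, _ = self._blobs[record_id]
        return _keystream_xor(self._keys[record_id], nonce, ciphertext).decode("utf-8")

    def shred(self, record_id: str) -> None:
        """Crypto-shred: drop the key. The ciphertext may survive in backups but is unreadable."""
        self._keys.pop(record_id, None)

    def due_for_deletion(self, today: date) -> list:
        """Records whose last activity is older than the retention period for their purpose."""
        due = []
        for rid, (_, _, purpose, last_activity) in self._blobs.items():
            if rid in self._keys and today - last_activity > timedelta(days=RETENTION_DAYS[purpose]):
                due.append(rid)
        return sorted(due)

    def retention_sweep(self, today: date) -> list:
        """Shred everything past its retention period and report what was removed."""
        due = self.due_for_deletion(today)
        for rid in due:
            self.shred(rid)
        return due


def demo() -> dict:
    """Constructed sample data: three records, a sweep dated 2025-01-01."""
    store = RecordStore()
    store.put("c1", "Rex, Labrador, last seen 2019", "clinical", date(2019, 1, 1))
    store.put("c2", "owner opted in to newsletter", "marketing", date(2023, 1, 1))
    store.put("c3", "Bella, cat, annual check-up", "clinical", date(2024, 6, 1))
    c3_before = store.get("c3")
    shredded = store.retention_sweep(date(2025, 1, 1))
    return {
        "shredded": shredded,                      # c1 (>6 years) and c2 (>1 year) are due
        "c1_after": store.get("c1"),               # None: key destroyed
        "c3_after": store.get("c3"),               # still readable, within retention
        "c3_roundtrip_ok": c3_before == "Bella, cat, annual check-up",
        "ciphertext_remains": "c1" in store._blobs,  # blob persists but is unreadable
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The sweep is deliberately driven by purpose and last-activity date rather than by a single global cut-off, because the lawful retention period differs by why the data is held; the check `rid in self._keys` also makes the sweep idempotent, so rerunning it never reports an already-shredded record twice.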
Consent to hold and use data
Allied to the previous point is the fact that, as Charley highlights, organisations forget that “the lawful basis of consent is designed to provide individuals with complete autonomy and control over how their personal data is used”.
She adds that this is especially important when “consent serves as the legal basis for processing special category personal data, which carries a higher level of risk due to its sensitive nature”. In essence, she says that practices should only process such data “when consent has been given on a clear, explicit, informed and deliberate basis”. This means that it’s important that veterinary practices identify the appropriate lawful basis or bases for processing personal data at the outset. Consent is not the only option and often is not the appropriate basis.
Charley remarks here that “there is a common misconception that consent can be given on a blanket and indefinite basis. It is essential that practices from the outset inform individuals of their right to withdraw their consent at any time and must honour this request without delay.”
Not updating software and testing systems
The problem with IT systems is that as they evolve, so do the ways that malevolent individuals can seek to take advantage of vulnerabilities. This increases the need for veterinary practices to keep up with system updates and password security.
Notably, in terms of passwords one school of thought says they should be changed regularly. Another, however, suggests that they shouldn’t be changed overly frequently as users struggle to remember them and so record them in places where they can be discovered.
Charley knows that software and systems must be flexible enough to keep up with the constantly evolving landscape of cyber risks. Part of this, she reckons, is regular testing that identifies vulnerabilities that could facilitate attacks. Software updates allow firms to address these risks by patching potential weaknesses and strengthening defences. Consequently, she says that “regular testing and updating systems plays a critical role in proactively minimising exposure to cyber risks”.
In terms of passwords, Charley advises clients that starting with “a strong password is far more secure than refreshing a weak password several times over”. Indeed, she thinks that getting it right from the start eliminates the need for frequent updates. Her recommendation is the “three random words” approach set by the National Cyber Security Centre. This approach aims to facilitate a password that is strong enough to combat cyber threat actors but simple enough to remember, coupled with multi-factor authentication when necessary, ideally using an authenticator.
Prepare for a potential data breach
To assume that a data breach will always happen to another is naïve; the reality is that it can happen to anyone or any organisation. This means that it’s the practice’s employees who are the first line of defence against potential data breaches. Again, Charley says that “effective training that provides practical guidance, such as how to spot a phishing attack and how to report suspicious activity, is vital to prevention and early detection”.
But relying solely on employee awareness is not enough. Here Charley strongly advises that veterinary practices must “invest in robust security measures and endpoint protection to stay ahead of evolving cyber threats”. She adds that they “should have an incident response plan to be followed in the event of a cyber breach which allows employees to act without delay and prevent further infiltration”.
Don’t ignore third party risks
Just because a practice has taken steps to protect its position doesn’t mean that every risk has been dealt with as third parties can be a source of trouble too.
On this, Charley makes a key recommendation: that practices ensure “a data processing agreement is in place whenever a firm engages a third party to provide a service that involves personal data processing”. The importance of this cannot, in her view, be overstated: “These agreements serve to secure a third party’s compliance with data protection requirements and ensure the security of the personal data it shares.”
It follows that practices should also undertake appropriate diligence before engaging a third party. As Charley notes, “the last thing an organisation wants is to partner with a provider that has a history of losing customer data due to having insufficient security measures and poor general data protection compliance”.
Not understanding the need for DPIAs and DPOs
There are two key acronyms that organisations need to be aware of and which are often disregarded.
The first is the requirement to conduct a data protection impact assessment (DPIA). Charley says that this is ignored on “the assumption that the nature of the proposed processing isn’t likely to result in a high risk to the rights and freedoms of individuals”. However, she cautions that less obvious profiling – for example, through the use of artificial intelligence or data matching through the use of direct marketing – is becoming more mainstream and “presents a high risk to individuals”. In such circumstances, she warns that practices “must conduct a DPIA before such processing takes place”.
Then there’s the need for a data protection officer (DPO). With regard to this, Charley says that sometimes DPOs are appointed on a tick-box basis. “While a DPO isn’t required to have formal qualifications,” she says, nevertheless “they should possess expert knowledge of data protection law and practices. If not, it’s unlikely that a strong understanding of data protection requirements will be achieved across the business.”
Failing to maintain records of data processing activities
Whenever there’s a dispute, records can make or break a case. And so it is that Charley explains that records of processing are “not only a legal requirement and play an important role in demonstrating compliance, but they are also a valuable tool in self-auditing”.
In essence, comprehensive records of processing serve as an audit trail of the types of personal data collected, the lawful basis relied on for processing and the measures in place to safeguard data, as well as identifying gaps in procedures. Charley is clear when she says that “complete records of processing are a strong tool to evidence to the ICO that the firm’s processing practices are compliant with data protection law”.
Giving data subjects information
When individuals seek information held on them, it is known as a subject access request. Charley observes that veterinary practices can fail to understand the need to redact third-party data and, equally, fail to anticipate how onerous and time-consuming the process can be.
They also commonly misunderstand what this right entitles an individual to. She says that “it’s important to note that individuals are entitled to only their personal data. While in some cases a firm may need to provide a copy document so the individual can see the context of the processing, individuals do not have a blanket right to copies of documents containing their personal data.” But when handing over personal information, Charley notes that practices must be able to “verify the identity of the individual making a data subject access request, as failure to do so could inevitably create a bigger issue of non-compliance”.
However, while a practice needs to take steps to verify an individual’s identity, Charley states that they “must be reasonable and proportionate in what they ask for and have regard to the circumstances surrounding the request”. She gives an example: not requesting excessive proof of identity where the practice has an ongoing relationship with the individual as this is likely to be seen as unnecessary and evasive.
Summary
Data protection has been with us for several decades and, given the high number of cases in the media involving data protection breaches, there really is no excuse for practices not realising that they have obligations under the law.