A practical guide to data protection - Veterinary Practice
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now



A practical guide to data protection

reviews the legal obligations on practices in handling the personal data they hold on staff and clients and provides a checklist on how to keep on the right side of the law

WITH the high-profile phone-hacking scandal
involving the
News of the World and the Sun
still in view, privacy issues, losses and misuse
of private information have never been so

So with
negative publicity
and large
penalties on
offer, what
need to do
when it comes to data protection?

What is data protection?

In a nutshell, data protection is the protection of
information about people and respecting their
rights in relation to that information.

What laws apply?

There are plenty of laws which apply, but in the
UK the main ones to consider are the Data
Protection Act 1998 (DPA) and the Privacy and
Electronic Communications (EC Directive)
Regulations 2003 (PECR).

Human Rights laws and confidentiality may
also be relevant, especially so in a medical context.
Special rules apply to monitoring of individuals that is hard to do lawfully.

What is personal data?

Personal data is information which on its own or
when combined with other information held relates to and identifies
a living individual. It all
depends on context:
personal data can be
about staff, clients and
individuals at suppliers.
It may range from name
and address, through e-
mail addresses, bank
accounts and, of course, the medical history.

Some information should be treated with even more care than the rest due to the harm or distress
that may be caused if it is lost, damaged or
misused. This could be because the details relate to
certain protected types of information such as
health or religion (called “sensitive personal data”),
or because they carry other risks of damage or
distress (such as identity theft or fraud from lost
bank account details).

Do these laws affect all my use of
personal data?

Yes. If you decide what data to collect,
what to use the data for and how you use it – say as an employer handling
staff records – you are the “data
controller” and must comply with the

The DPA affects any use of
personal data from collection, through its active use (including storage, reading, copying,
disclosing and exporting), to its archiving and

What must I do to comply?

To stay legal…

  • Your use of the details must be fair, lawful and
    justified. Individuals should expect the use you make
    of their details. Normal personal data can be used to
    the extent necessary to perform a contract with the
    individual concerned; sensitive personal data may be
    used to the extent necessary to comply with an
    employment related legal obligation. There are other
    conditions for use but these are the most commonly
    used. You should issue privacy notices to inform
    individuals about use of their details.
  • Make sure you have an up to date notification
    (summarising your personal data use) with the DPA
    regulator, the Information Commissioner’s Office
    (ICO), and renew it each year. There is guidance on
    the ICO’s website about this and how to deal with it.
    Breach is a criminal offence.
  • You cannot normally use the details for new or
    different reasons without going back to the individuals
    to warn them and obtaining their consent.
  • You should only have the details that are adequate
    for the agreed use.
  • You must then ensure you keep your records
    accurate. Where a matter is live, you must
    normally also keep details up to date.
  • You cannot keep personal data
    indefinitely but only so long as necessary
    for the agreed purpose. Have a retention
    policy to make this clear.
  • Individuals have various rights with
    which you must comply. Make sure staff can recognise these requests, know who to pass them to and how to deal with
  • You must keep data secure from
    unauthorised access, misuse, corruption
    or loss. Have security and data
    protection policies and train staff so
    they understand how to look after
    personal data.
  • You cannot normally export
    (“transfer”) personal data outside of
    what is called the European Economic
    Area, that is the EU member states plus
    Iceland, Lichtenstein and Norway.

What rights do individuals

The person about whom you hold
information is known as the “data
subject” and he or she has a number of
rights. The most important is that the
data subject can write to a data
controller and (for £10) find out
whether you process their personal data.

If you do, they can obtain a copy of
almost all of their data and find out its
sources, its recipients and what you use
it for. This is known as a subject access
request or SAR. This right can be
enforced through the courts. All these
rights carry strict timescales and you
must deal with them promptly.

Individuals who feel aggrieved about
the use of their personal data can
complain to the ICO. They can also sue you for unlimited amounts
for damage (and distress)
from breach of the DPA.

What security
measures should
apply to personal

You must secure the data through, for
example, locked rooms and cabinets, a
clean desk policy, shredding facilities,
firewalls and virus protection. The
details and level of security will depend
upon your practice, its resources,
available technology and equipment, the
data concerned and its proposed use.

More protection is needed for
sensitive personal data, very confidential
data and data where loss or misuse
carries the risk of harm or distress.

If you have sensitive personal data
on a mobile device such as a laptop, it
must be encrypted. Likewise, if you
want to e-mail such personal data, it
should be encrypted. The ICO provides
guidance on expected encryption

Where you outsource to a data
processor, say a payroll service, you
remain responsible for their use of your
personal data. By law you must have a
written contract with your processor.
This must contain mandatory terms set
by the DPA and should have other
terms recommended by the ICO. Check you have these terms in
place and if not introduce

In particular, be very
careful about disclosing or
sharing personal data.
Doing so is at your risk (normally even if to the police) and
must comply with the DPA.

What happens if security is

You must deal quickly to stop any
ongoing breach or any repeat of the
breach. You must investigate and find
out how many people were affected,
what the breach was, where it happened,
why it happened and what type of
information is affected.

You need to consider whether to
report any such breach to the ICO.
Although not a legal obligation, it is
expected by the ICO in serious cases
and it may aggravate enforcement action
if you did not report and the ICO
believes you should have done.

You also need to consider whether
to inform affected individuals. There is
normally no legal obligation to do so
and they should not be worried

However, in serious cases, this should be considered to try to minimise
the risks to them. Consider also careful
monitoring of accounts to prevent

What happens if we breach
the DPA?

If the breach comes to the attention of
the ICO, it is likely to investigate. If
serious, they may take a variety of
actions including: an audit, obtaining a
contractual undertaking, an enforcement
notice, and a monetary penalty notice or
civil fine for certain serious breaches of
the DPA principles which can be up to
£500,000. All these are made public.

What else should I know?

There are special rules about direct
marketing, especially electronic
marketing (e-mails when PECR applies).

Normally, electronic marketing
requires an explicit consent and
objections to marketing must be dealt
with very promptly.

Where can I obtain more

Visit the ICO’s website,
www.ico.gov.uk, where there is a great
deal of helpful guidance and

Have you heard about our
IVP Membership?

A wide range of veterinary CPD and resources by leading veterinary professionals.

Stress-free CPD tracking and certification, you’ll wonder how you coped without it.

Discover more