Privacy Policy

General Data Protection Regulations & Confidentiality Policy

Practice policy: Broughton Veterinary Group (the practice) has a policy of keeping client and patient information confidential, in keeping with the Code of Conduct as set down by the Royal College of Veterinary Surgeons, and in accordance with the General Data Protection Regulations (GDPR). However, veterinary practice is a regulated profession and we may be exempt from some aspects of the GDPR if it would cause a breach in ethics. All employees, locums, and visitors with access beyond the waiting and consulting rooms must sign a confidentiality notice.

Lawful basis for processing your data: The following criteria provides the practice with a lawful basis for processing your personal data (in each criteria listed below, irrespective of how your data may be processed under each criteria, your name and address are used in conjunction with your pet’s name as a vital aid in identifying your pet):

  • Contract: you are entering a contract between ourselves, whereby the practice provides you with veterinary services in exchange for payment at time of treatment (or 30 days credit for commercial farming enterprises). This puts you under a contractual obligation to provide your personal data.
  • Consent: by registering yourself as our client, and your pets as our patients, and entering a contract for us to provide veterinary services, you consent to us collecting and processing your personal data in order to carry out legitimate veterinary business activities in accordance with RCVS standards.
  • Legal obligation: there may be times when your personal data is recorded or shared or open to scrutiny by an official veterinary, or other legal, inspector. For example we are legally obliged to: keep detailed records of the use of Controlled Drugs, which are open to inspection by the Veterinary Medicines Directorate, and the Police; maintain an accident book, which must be completed whenever an accident occurs on the premises (involving a client or member of staff) and includes a description of the accident and the personal details of the person involved.
  • Legitimate interests: There are times when we would have a legitimate interest in processing your personal data, for example business interests such as: updating a client’s contact details; on receipt of a serious client complaint we may seek legal and professional advice (RCVS/VDS/BVA), and would need to divulge some client information and patient medical history specific to that case; in cases of bad debt, (including client bankruptcy and insolvency) we would be obliged to divulge some client information to third parties (for example small claims court or the Official Receiver).

An individual has the right to erase any personal data which has been processed unlawfully.

Registering: “The Owner”; joint ownership; and your agents: when registering as a client, please realise that the name given to us will be “The Owner”, and will be the person we contact to discuss patients, go to for consent, and who is responsible for making payment of our fees (owners must be 18 years of age or over). Therefore in the case of joint ownership, both names should be given. If at a later date, one owner requests the removal of their name from our records, then we will require consent from both owners before we can do so. There may be occasions when you send a friend or relative along with your pet to consult a vet, in which case they will be regarded as your agent, and we will discuss freely any matters relating to that particular visit and any treatment required.

Security: Our computers have anti-virus protection. Computerised client data is stored securely on our password-protected practice management system: RxWorks. We keep minimal paper records, but we retain consent forms etc in files, which are archived on the premises. The data we acquire is legally held for the purpose of providing core veterinary services to our clients. We do not sell any information to third parties. Data breaches must be reported by us to the Information Commissioners Office (ICO).

Acquiring information & personal data held: The vast majority of data held in the practice are in relation to our patients, and GDPR does not cover animals. We only collect sufficient personal data from our clients in order to contact them in relation to their pets’ healthcare, and as a vital aid to identify their pets. The personal data we acquire comes mainly direct from our clients themselves (or sometimes via other veterinary professionals) and is used by the practice in order to provide our clients with core veterinary services. This information consists of: client (owners) names / addresses / telephone numbers / email addresses / tweet addresses / patient details and medical histories / invoices raised / payments received / card payment receipts (merchant copy) /credit control & communications history.

  • Marketing: We may wish to contact clients from time to time with details of events, promotions, or offers, or in regard to other marketing projects. It is our policy not to use any client data held for marketing purposes unless we first obtain specific consent to do so from the client. Clients wishing to receive marketing material, must select which means of communications are acceptable, from a list of: post / phone / text / email / tweet. Clients can change their mind at any time – we aim to implement that change immediately (but the GDPR gives a timescale of within one month of receipt of the request).

Sharing information: We would share some or all of an individual’s information only with other veterinary professionals, where the owner has given consent to refer a case, for example, to either: another veterinary practice (referrals); veterinary institute (post mortems); laboratory (blood or tissue (etc) sampling & testing); drug manufacturer (adverse drug reactions); microchip companies (registering pets or identifying lost pets); insurance companies (pet insurance claims). Consent to share information is acquired either in writing, or verbally during individual discussions between veterinary staff and owners in regards to their pet’s health and medical treatment; or when a pet insurance claim form is submitted to us by a client for completion.

When a client brings an animal to us for initial or booster vaccination, the client pays us for a service which includes us sending a reminder for the following booster vaccination. This is a service we provide to our clients, and is not marketing. We will provide reminders either by post / text / email or tweet. Clients can change their mind at any time – we must implement that change within 30 days. Vaccination reminders are either produced in-house, or externally by the manufacturer of the relevant vaccination. In these cases the relevant owner’s name and address and their patient’s name are shared with the relevant manufacturer, with whom we hold a contract purely for the production of vaccination reminders, with a guarantee that information provided is not shared or sold elsewhere, and that their processes comply with GDPR.

Retention of client records: Please note GDPR does not apply to animals, and patient medical history is retained indefinitely. It can be deactivated at any time (for example, when they have died) or upon request of the owner. Client records on RxWorks are retained indefinitely, but can be deactivated at any time (for example, if a client stops using our services).

Disposal of client records: Archived paper records are kept for 7 years, and then destroyed by a Confidential Waste Destruction company.

Your Rights: The GDPR aims to provide the individual with more control over what happens with their personal data, and you have statutory rights as listed below. To make a request relating to any of the following rights, please do so either in writing or verbally to us at the practice – see ‘Contact the Practice’ further down the page for details. Our response to your request will be provided free of charge, (but we have the right to charge an administration fee for unfounded, excessive or repetitive requests).

  • Right to be informed: we inform clients about the collection and use of their personal data in this Privacy Notice. This Notice is displayed at our receptions (where we gather your initial data at registration); there are copies available in our waiting rooms; a copy can be posted or emailed to you on request; and it is available on our website,
  • Right of access: Clients have the right of access to their personal data and supplementary information. We aim to provide this information without delay, (but the GDPR gives a timescale of within one month of receipt of the request). This will be provided free of charge, (but we have the right to charge an administration fee for unfounded, excessive or repetitive requests).
  • Right to rectification: the practice will strive to keep your personal data accurate and up to date. We will endeavour to enter your details correctly at the outset, please let us know if you are aware of any errors in our records so that we can rectify them. You are responsible for keeping us informed of any changes, as and when they occur (for example, if you change your home address, or mobile phone number) verbally or in writing. We aim to process these changes immediately (but the GDPR gives a timescale of within one month of receipt of the request).
  • Right to erasure: The GDPR introduces a right for individuals to have personal data erased, but this right is not absolute and only applies in certain circumstances. We will consider each request upon receipt, and make a decision as soon as possible on whether to erase or not depending on the circumstances. We aim to do this without delay, (but the GDPR gives a timescale of within one month of receipt of the request).
  • Right to restrict processing: Clients have the right to request the restriction or suppression of their personal data. We have two means to achieve this: in relation to direct marketing only, we can amend marketing options from opted-in, to opted-out; or for an all-encompassing option we can deactivate a client’s records, which prevents access, but leaves the data in a dormant state. (However, doing this also prevents access to patient records, so we would require client permission to re-activate the account in order to examine or treat a patient). We aim to restrict processing without delay, (but the GDPR gives a timescale of within one month of receipt of the request). Once we know a client has stopped using our services, we would deactivate a client’s records as a matter of course.
  • Right to data portability: This allows individuals to obtain and reuse their personal data for their own purposes across different services. We commonly provide this service when owners have changed vets, and we send patient history direct to the new vet, either on request of the owner, or direct request from the new vet. We can provide this information direct to the owner on request. We aim to provide this information without delay, (but the GDPR gives a timescale of within one month of receipt of the request). Although GDPR does not include animals, you must be aware that patient history also includes the owners name and address as they are used in conjunction with your pet’s name as a vital aid in identifying your pet.
  • Right to object: We have explained above how we use your personal data. The GDPR gives the individual the right to object to the processing of your personal data based on the following grounds:
    • “legitimate interests” – you must provide specific reasons why you are objecting, and those reasons should be based upon your particular situation. We must stop processing your personal data, unless we can demonstrate compelling legitimate grounds for processing, which override your rights; or where the processing is for the establishment, exercise or defence of legal claims.
    • “direct marketing” – we must stop processing immediately
    • “scientific or historical research, or statistical purposes” – your right to object is more restricted. However, any data processing done by the practice under this heading would be based on animal medical history only and GDPR does not cover animals. If this information was shared outside the practice, care would be taken to delete personal data from any medical histories used.
  • We aim to address your objections without delay, (but the GDPR gives a timescale of within one month of receipt of the request)

  • Rights related to automated decision making including profiling: This right is not relevant in this case as we do not use automated decision making or profiling.

Contact the Practice: In relation to any matters in this Privacy Notice, our contact details are as follows:

  • Write to: The Directors, Broughton Veterinary Group, 12 Swannington Road, Broughton Astley, Leicester, LE9 6TU.
  • Email:
  • Telephone the admin office: 01455 287 129

To lodge a complaint with a supervisory authority: please contact the ICO or RCVS as follows:

  • Information Commissioners Office (ICO)
    • Telephone: 0303 123 1113
    • Online “Report a concern” at:
  • Royal College of Veterinary Surgeons (RCVS)
    • Write to: Royal College of Veterinary Surgeons, Belgravia House, 62-62 Horseferry Road, London, SW1P 2AF
    • Email:
    • Telephone: 020 7222 2001
    • Fax: 020 7222 2004

Broughton Veterinary Group is the trading name of Broughton Vet Group Ltd Company number 9243007 registered in England and Wales Registered Office: 12 Swannington Road, Broughton Astley, Leicester, LE9 6TU