Veterinary Medicines Directorate: Privacy Notice

Privacy notice regarding personal data processed by the VMD.


VMD Privacy Notice

Request an accessible format.
If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email Please tell us what format you need. It will help us if you say what assistive technology you use.


VMD Privacy Notice

The VMD Privacy Notice sets out the standards you can expect from the Veterinary Medicines Directorate (VMD) when we collect, hold, or use your personal information and applies to any VMD website, application, product, software, or service linked to us (collectively, our “services”).

We are committed to the responsible handling and security of personal data. Your privacy is important to us and protected in law through the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA 2018), and the Law Enforcement Directive.

Who does GDPR apply to

The GDPR applies to processing carried out by organisations operating within the UK, the EU, and the European Economic Area (EEA), and to those operating outside these areas but that offer goods or services to individuals in the UK, EU, and EEA.

GDPR applies to ‘controllers’, who determines the purposes and means of processing personal data, and ‘processors’, who are responsible for processing personal data on behalf of a controller.

As a controller, we ensure our contracts with processors comply with GDPR. As a processor, we have a legal obligation to maintain records of personal data, processing activities, and reporting breaches.

Our contact details

Data Protection Manager
Veterinary Medicines Directorate
Woodham Lane, New Haw, Addlestone, Surrey KT15 3LS

The VMD is part of the Defra group that comprises several separate legal entities and organisations, which are grouped into separate data controllers.

What is personal data

Personal data is data that identifies an individual directly or indirectly, by reference to an identifier such as their name or a reference number.

The type of personal information we collect

We currently collect and process:

  • names and contact details
  • job titles
  • business names and addresses
  • animal owner names and addresses
  • professional organisation membership numbers and status
  • medical history information if provided as part of a suspected adverse event report

How we get it

Most of the personal information we process is provided to us directly by you because you:

  • have registered for or used our services
  • have provided it to help demonstrate regulatory compliance
  • have taken part in a survey or data collection exercise
  • have requested assistance or provided feedback
  • have reported a problem, adverse event, or suspected illegal activity
  • are part of a scientific or policy network

We also receive personal information indirectly, usually because:

  • business associates have provided your contact details
  • we gather enforcement information and intelligence from members of the public, the pharmaceutical and veterinary industries, and other law enforcement partners
  • we receive reports of adverse events from members of the public and the pharmaceutical and veterinary industries

Why we have it

We use the information given to us to:

  • carry out our functions, services, or research
  • help us to confirm your company affiliations when registering to use our services
  • maintain records of qualified, registered, or approved businesses and personnel
  • provide information that may be of interest or relevance
  • seek feedback on our functions and services
  • evaluate suspected adverse reactions
  • investigate and monitor suspected illegal activity
  • facilitate professional networks and specialist committees or groups

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

  • Your consent. You can remove your consent at any time by contacting the Data Protection Manager at
  • We have a contractual obligation
  • We have a legal obligation
  • We need it to perform a public task
  • We have a legitimate interest

Automated decision-making and profiling

We do not use information about you for automated decision-making (making a decision solely by automated means without any human involvement) or profiling (automated processing of personal data to evaluate certain things about an individual). We will tell you if that changes.

Who can see it

Bodies charged with auditing, monitoring, or inspecting our compliance with applicable law and other standards as necessary and for the purposes of preventing and detecting fraud.

Who we share it with

The data you provide will only be transferred to processors compliant with GDPR. We may share information with:

  • other UK government departments and agencies
  • organisations or individuals under a Data Sharing Agreement for the purposes of research
  • UK and EEA law enforcement partners
  • UK professional membership bodies
  • UK and organisations in the EEA that we work with to deliver our services and engagement activities
  • network, committee, or group members

Personal information provided as part of a suspected adverse event will not be shared with anyone outside the VMD without your expressed permission.

Contact details are only used if we need more information. If you do not wish to be contacted, you can tell us when you report the adverse event.

When we publish personal data

There are circumstances when we need to publish personal data and we balance the need for transparency compared to your privacy rights. As a public body we are required to be transparent about the use of money and publish Senior Executive salaries and procured contract details.

We may have to release personal data and commercial information to execute our enforcement strategy, or under the Environmental Information Regulations 2004 and the Freedom of Information Act 2000.

How we store it

Your information is securely stored within databases on our premises or in cloud service centres.

Online services and support

Data collected through our Support Service Desk is processed and stored as described with the Atlassian Privacy Policy as well this Privacy Notice.

To register to use our Veterinary Medicines Digital Service you will need to create an account with sign-in details to identify you. To ensure that you are authorised to create an account on behalf of a company we collect information on a “referee” and may contact them for confirmation.

The sign-in details you provide will be used to access several services provided by VMD to save you time. We will store basic information about you (and your business, if relevant) so that you do not have to re-enter the information each time you use our service.

Your information will be shared with the administrators associated with your account for them to manage the access to one or more of the online services you use.

To evaluate and improve our services we may store your Internet Protocol (IP) address and details about the web browser you use, and information on how you use our service through cookies and analytics.

We may contact you about our services and opportunities.

How long we hold it

Information that you provide, or that is provided about you, will be kept for the length of time needed to complete that function or service. Some information will be kept for the length of time that an account, registration, certification, approval or authorisation remains in place.

Records periods are set in line with statutory, regulatory, legal, and security requirements, or for their historic value. Our retention policies are listed below. After which time we may anonymise or permanently delete it:

Function/Service Retention policy
Surveillance schemes 7 years
Enforcement 10 years
Inspections Life of authorisation
Complaints and enquiries 3 years
Official government correspondence 5 years
Information or access requests 5 years
Recruitment 1 year
Financial transactions 7 years
Procurements and contracts 6 years (from contract completion date)
Product related 20 years (from authorisation expiry)
Import and export 2 years
Legislation 20 years
Microchip 20 years
Incomplete or rejected online registrations 6 months
Active online service accounts On request by you or your company
Inactive online service accounts 2 years
E-learning 5 years

Your data protection rights

If you do not wish to provide us with your information, we may not be able to provide a full service to you.

Under data protection law, you have rights including:

  • Access - You have the right request information about how your personal data is processed, and to ask us for copies of your personal information. This is called a ‘subject access request’ and we may ask for proof of your identity. We will respond within one month but may extend this by up to two months in complex cases. If the cost to provide you with all the data requested is excessive, we may refuse your request or ask you to provide a contribution to meet these costs.
  • Rectification - You have the right to ask us to rectify personal information you think is inaccurate or to complete information you think is incomplete. When doing so, tell us where you have seen it and what you feel is inaccurate. We will respond within one month but may extend this if the request is complicated. Where we maintain that the original information held was accurate, we will explain why. If you do not agree, you have the right to complain to the ICO.
  • Erasure - You have the right to ask us to erase your personal information in certain circumstances. However, we may refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority.
  • Restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Objection to processing - You have the right to object to the processing of your personal information in certain circumstances.
  • Data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

A full explanation of your rights can be found on the ICO website.

If you discover that the personal data we hold about you is inaccurate, or incomplete, please tell us where you have seen it and what it should be, so we can update your records.

You can request that we a) no longer process your personal data and b) delete your personal data. However agreement may not be assumed as we may have to refuse your request should the data be required to comply with a legal obligation, performance of a contract or public interest task or exercise of official authority. Where this is the case we will tell you.

Contact the Data Protection Manager at if you wish to make any request and we will respond within 1 month. You will not be charged for exercising your rights.

Detecting and preventing fraud

The VMD has a duty to protect the public funds it administers, and to this end may use the information provided by its customers and suppliers for the prevention and detection of fraud. It may also share this information with other bodies responsible for auditing or administering public funds for these purposes.

The National Fraud Initiative is conducted using the data matching powers bestowed on the Minister for the Cabinet Office by Part 6 of the Local Audit and Accountability Act 2014 (LAAA).

The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. Our legal basis for processing your criminal convictions data is paragraphs 6 and 10.

Any questions or issues

If you have any questions or issues about our use of your personal information or how we have handled your request, or to report a breach, contact our Data Protection Manager at

You can also contact the Defra Group Data Protection Officer:

Tim Beale
Accountability and Governance Team
4th Floor, Seacole, Marsham Street, Westminster, London, SW1P 4DF

Or the Information Commissioner’s Office, the independent regulator using their helpline number 0303 123 1113 or through ICO website

Our Personal information charter also explains more about how we treat your personal information. If you have any questions, or would like to enforce any of your rights, please contact the Data Protection Manager:

Data Protection Manager
Veterinary Medicines Directorate
Woodham Lane
New Haw
KT15 3LS

Published 21 May 2018
Last updated 11 April 2022 + show all updates
  1. Email address has been amended

  2. E-learning privacy notice added

  3. Updated VMD Privacy Notice for Employees, workers and contractors

  4. Added privacy notices for licensing service and service registration

  5. Privacy notice for the VMD’s Service Desk supporting VMD IT Services added.

  6. Added: VMD Privacy Notice for employees, workers and contractors (UK)

  7. Microchip Surveillance Privacy Notice added

  8. First published.