BlogVeterinary AI scribe and GDPR: what UK practices need to know
Dr Nick Lloyd

Veterinary AI scribe and GDPR: what UK practices need to know

AI scribes record client conversations in your consult room. Here is what UK GDPR requires from veterinary practices, what the RCVS now expects, and the questions to ask before you sign a contract.

Key points

  • Your practice, not the AI scribe vendor, is the data controller under UK GDPR. That means a signed Data Processing Agreement, an updated privacy notice, and a documented lawful basis need to be in place before the tool goes live.
  • RCVS guidance published in April 2026 requires every AI-generated clinical record to be manually verified by a vet, with edits made contemporaneously. A note is not a signed-off record until a vet has read and confirmed it.
  • Ask vendors about data residency, audio retention periods, subprocessors, and whether consultation data is used for model training before signing. "GDPR compliant" on a pricing page does not answer any of these on its own.

An AI scribe records audio in your consult room, processes what it hears, and returns a structured clinical note. That is useful. It is also a data processing operation: from the moment it captures the first word, it may be handling personal data about your client alongside clinical data about their animal.

Most practices that have adopted AI scribes have done so primarily to save time on records. That is the right reason. The GDPR obligations that attach to the tool are not vast, but they are specific, and "GDPR compliant" printed on a vendor's pricing page does not tell you whether your practice has met them. Awareness of where the obligations sit is the starting point.

This article covers what UK practices need to know: the RCVS position issued in April 2026, what it means that your practice is the data controller, and the questions to ask before you commit to any tool. It is not legal advice. For guidance specific to your practice, your professional association, such as SPVS or BVA, is the right first call.

What the RCVS now requires

In April 2026, the RCVS Standards Committee published its guidance on the use of AI in everyday veterinary practice. Rather than creating new obligations, it applies existing professional standards to the new technology. The requirements are clear.

Professional and clinical decision-making must not be wholly delegated to AI. Vets and vet nurses remain responsible for their decision to use any given tool and must think critically about how its output is used. Where AI generates clinical records, the output must be manually verified, with any necessary edits made contemporaneously.

That point matters in practice. A note generated by an AI scribe is not a signed-off clinical record until a vet has read it and confirmed it is accurate. In a busy practice, that verification step can become a habit of scrolling and clicking rather than reading and judging. The RCVS treats the vet's review as a professional act, not an administrative formality, and that distinction matters if a record is ever challenged.

The guidance also requires that client confidentiality and client rights under the Data Protection Act 2018 and UK GDPR are maintained specifically in relation to AI-generated records.

The verification requirement is straightforward on paper. In practice, Dr Nick Lloyd, Chief Veterinary Officer at Lupa, sees three ways it tends to break down.

"The first is reviewing under pressure. You are at the end of a consult block, the waiting room is full, and you click through the note without really reading it. The second risk is becoming too trusting: you have used the scribe for six months, it has been accurate, and you stop looking critically. The third is reviewing the notes later in the day, when you genuinely cannot remember the detail of what was said."

Each of those failure modes produces the same outcome: a clinical record that does not accurately reflect the consultation. The errors Nick sees most commonly are not dramatic. "An incorrect value on a verbal estimate. A misrecording of the duration of symptoms, which can matter significantly if the client later makes an insurance claim. A drug name that has been slightly garbled. Whether or not dosing advice was given." These are easy to miss on a quick review and consequential if they are not caught.

On the compliance side, Nick is direct about what "GDPR compliant" on a vendor's website actually tells a practice owner. "It doesn't tell you very much. The badge means different things for different vendors and there isn't always clarity about what it covers. What you need to do is drill down. Can you delete a client's data easily if they ask you to? Where is the data stored? How long is the audio kept for? Is the audio screened for confidential content before it is retained? Where exactly is the audio and transcript processed? Those are the questions that matter, and a vendor who cannot answer them clearly is a vendor worth pausing on."

His framing on the overall GDPR picture is a useful one for practice owners to hold. "The GDPR issue in a typical vet consult may be narrower than people assume, because much of the clinical discussion concerns the animal rather than the client. But where personal data is captured, the obligations are specific, and you need to know what they are before something goes wrong."

Your practice is the data controller

The most important thing to understand about an AI scribe from a GDPR perspective is where legal responsibility sits, because most practices assume it sits with the vendor.

It does not. Under UK GDPR, the organisation that determines the purpose and means of processing personal data is the data controller. In most veterinary AI scribe arrangements, that is the practice. The AI scribe vendor processes the audio on your behalf and is therefore a data processor. As the controller, your practice is accountable to your clients for how their data is handled, even when the actual processing is happening inside a third-party system.

One question worth asking before you sign any contract is whether the vendor intends to use consultation data for purposes beyond delivering the service, such as model training or product development. If the answer is yes, the controller and processor analysis becomes more complex and warrants closer scrutiny, ideally with independent legal or data protection advice.

The practical implication that follows most immediately is the Data Processing Agreement. Before any consultation audio is captured, you need a formal contract in place with the vendor covering what data is processed, why, how it is protected, how long it is retained, and what happens when the relationship ends. A vendor who cannot produce a DPA or is reluctant to discuss its terms is a vendor worth pausing on.

The second implication follows downstream: your clients need to know what is happening to their data. Your practice privacy notice should describe the fact that consultation audio is captured and processed by a third party to generate clinical records, name that third party, identify the lawful basis, and state the retention period. Most practice privacy notices were written before AI scribes existed. If yours has not been updated since you introduced one, it needs to be.

Lawful basis: what to confirm before you go live

Processing personal data requires a lawful basis under UK GDPR. For a scribe used in routine consultations, the two most commonly considered options are contract, where processing is necessary to deliver the clinical service the client requested, and legitimate interests, where the practice has a documented interest in maintaining accurate clinical records that is not overridden by the client's rights. The correct basis depends on your specific workflow, how the tool is used, and how it is explained to clients. This article cannot determine that for you, and nor can your vendor. If you are uncertain, your professional association, such as SPVS or BVA, can point you toward appropriate guidance, and the ICO's resources for small organisations are a practical starting point.

Whatever basis you choose, document it before the tool goes live.

The Data (Use and Access) Act 2025 introduced Recognised Legitimate Interests for a narrow set of public interest scenarios, but this is unlikely to be the route most independent practices rely on for routine AI scribe use.

Special category data is worth being aware of as a category, even if it arises rarely. If a client mentions their own allergy while discussing a medication for their dog, or describes a condition that affects how they handle their animal, the scribe may have captured health data about the client alongside the clinical record. Special category data carries stricter requirements under Article 9, on top of the standard Article 6 lawful basis. Whether and how your practice handles this is worth raising with your professional association or a data protection adviser before you go live, rather than after.

What to establish before you sign a contract

The vendor's marketing copy will not surface the questions that matter most. Several are ones practices routinely overlook until after they have committed.

Data residency is the most commonly missed. UK practices should confirm that consultation audio is processed and stored within the UK or the European Economic Area, or that explicit safeguards cover international transfers. A vendor headquartered in the United States, operating on US-based servers, creates transfer obligations that need to be addressed in the DPA. A GDPR compliance claim on a pricing page does not mean those obligations have been met on your side.

On retention: some tools hold consultation audio for a period after the note has been generated; others delete it immediately or within a defined window. Know which your vendor does, confirm it is written into the DPA, and make sure your privacy notice reflects it. Ask whether audio is screened for confidential content before it is retained, and whether you can delete a specific client's data easily if they submit a subject access request or request erasure.

The clinical record ownership question should be unambiguous. Records belong to the practice. If a vendor's contract is unclear on this, or if it asserts any ownership of data generated through the tool, resolve that before going live.

Finally, ask about subprocessors. The company you contract with may use third-party suppliers to handle audio processing, storage, or infrastructure. Your DPA should cover those relationships too, and a vendor unwilling to name their subprocessors is one worth scrutinising.

Do you need a DPIA?

A Data Protection Impact Assessment is required under UK GDPR where processing is likely to result in a high risk to individuals. For most practices introducing an AI scribe, a DPIA is the prudent starting point and may well be required: the tool involves audio recording of client conversations, uses new technology, relies on a third-party processor, and may occasionally capture special category data.

For a single-site independent practice, the exercise does not need to become a major project, but it should be specific enough to record what data is captured, why, what could go wrong for clients, and what controls reduce that risk. The ICO publishes a template that covers the structure. Completing it before the tool goes live is the kind of step that looks unremarkable during normal operation and significant if a complaint is ever raised.

If your practice has a Data Protection Officer, involve them. If not, the ICO's small business hub is a practical starting point.

Telling clients a scribe is running

UK GDPR does not require explicit consent as the lawful basis for processing consultation audio, provided another valid basis applies. Clients should know a scribe is in use, however.

It is good practice to tell a client at the start of a consultation that the practice uses an AI tool to help with clinical notes. This avoids any awkwardness if they spot a recording indicator partway through, and it gives anyone who wants to ask questions the chance to do so. Most clients will not. Some will, and what matters most is being ready with a calm, clear answer rather than the disclosure itself.

The more important briefing is for your team. The disclosure is only as good as the person delivering it. A staff member who is uncertain about what the scribe does, or who hedges when a client asks a direct question, creates friction that a single ten-minute team conversation can prevent entirely. Draft a standard form of words for your practice before the tool goes live, and make sure everyone who might be asked has used it at least once.

Lupa Notes and the compliance picture

Lupa Notes is Lupa's AI scribe tool. It is currently available in two versions: a standalone version and an integrated version that sits within Lupa OS alongside clinical records, client communications, invoicing, and the rest of the consultation workflow. The integrated version is under active development and will expand significantly over the coming months.

For practices using the integrated version, the compliance review, the DPA, the data residency question, and the privacy notice update all involve a single supplier relationship rather than several. For practices using the standalone version, the same due diligence questions apply as with any third-party AI scribe tool.

On the specific compliance questions practices most commonly ask: audio processed through Lupa Notes is stored in the EU. Consultation audio is automatically deleted after six months. Lupa does use audio to support product development and improvement; full details of how data is handled, which subprocessors are involved, and the terms that apply are set out at trust.lupapets.com. For data protection queries or to request a copy of Lupa's data processing documentation, contact Lupa via the data protection page.

In either case, the practice's own obligations remain: a privacy notice that reflects how the tool is used, a documented lawful basis, a verification process for AI-generated records, and clear team governance. An integrated architecture simplifies the compliance conversation. It does not remove it.

To see how Lupa Notes handles note generation, verification, and record-keeping within a live consultation workflow, book a demo. The compliance architecture is part of the walkthrough.

Written by
Dr Nick Lloyd

Dr Nick Lloyd

BVSc MRCVS — Chief Veterinary Officer, Lupa

Dr Nick Lloyd BVSc MRCVS is the Chief Veterinary Officer at Lupa, and the former president of the Society of Practising Veterinary Surgeons (SPVS).