Appointing a data protection officer (DPO)

We give guidance on how to appoint a data protection officer in a GP practice to comply with GDPR, who they are and what they do.
Updated: Wednesday 22 January 2020
GP practice article illustration

Due to the complex nature of data protection laws, the BMA cannot offer comprehensive legal advice on GDPR, and this page should not be seen as such. However, it should point you in the right direction for guidance on the questions you may have.

 

What is a data protection officer? (DPO)

A DPO has formal responsibility for data protection compliance within an organisation.

Under GDPR, the appointment of a DPO is mandatory for GP practices that provide services commissioned by NHS England.

A DPO must be designated, however you do not necessarily have to employ or retain them.

 

Your responsibilities in appointing a DPO

  • Who to designate as DPO is decided by the practice.
  • The DPO is expected to monitor compliance, however, responsibility for compliance remains with the data controller and processor.
  • Large practices and multi-practice groups are likely to have in-house DPOs.
  • Smaller practices may prefer to designate external DPOs, eg a CCG or local/regional health board.

 

Who to appoint

  • Employ a new member of staff with specific knowledge, qualifications and experience.
  • Appoint somebody who already works in the practice with the necessary knowledge, qualifications and experience, or who has the ability to acquire the necessary skills with suitable training.
  • DPOs must not be the final decision-makers regarding data processing; for example, they cannot be the data controller and must avoid any conflicts of interest.
  • Share a DPO with one or more practices. A CCG may be able to help facilitate this, but is unlikely to be able to fund such a person.

Can a partner be a DPO?

In most cases, the data controller will be the GP practice rather than an individual GP. Internal practice decisions about data processing will be subject to the governance arrangements of the practice partnership.

This means it might be possible for GP partners to fulfil the role of DPO provided the role is defined to avoid conflict of interests and decisions are documented.

Support from your CCG or health board

Your DPO can be supported in the role by a more experienced person, such as an information governance lead in the CCG.

A DPO advice and support function by CCGs will be available to support DPOs. The service will include:

  • access for GP practices during normal service hours to specialist qualified advice on GDPR matters
  • advice on compliance with GDPR obligations
  • advice reflecting national guidance on GDPR compliance as it is published
  • advice to support GP practices to comply with the National Data Guardian eight-point data sharing opt-out model. 

 

Does the DPO need to be an expert?

No. Clause 97 states "the necessary level of expert knowledge..."

GDPR accepts there will be different levels of 'expert knowledge' needed according to the sort of processing being done, some will need more expert knowledge than others.

The DPO must keep up to date with changes from the ICO, and how they could impact the practice. Their knowledge can be added to through a network of practice DPOs led by the expert in the CCG or primary care network.

 

The role of a DPO in a GP practice

Data protection officers:

  • demonstrate the practice's compliance with GDPR
  • report to senior partner(s) and don't require line management
  • must have sufficient support and resources, financial and human, to do their job
  • ensure information governance and related policies address:
  • practice accountability
  • DPO reporting arrangements

  • timely involvement of the DPO in all data protection issues

  • compliance assurance: privacy by design and default

  • advising on where data protection impact assessment is required

  • the DPO’s role in incident management.

  • provide advice to the practice and its employees on compliance obligations
  • advise on when data protection impact assessments are required and to monitor their performance
  • monitor compliance with the GDPR and practice policies, including staff awareness and provisions for training
  • co-operate with, and be the first point of contact for the Information Commissioner and all data protection matters
  • are available to be contacted directly by data subjects – the contact details of the data protection officer will be published in the practice’s privacy notice. 

 

The practice's responsibility to the DPO

Practices must ensure:

  • the DPO is not told how to carry out their function and does not face any disciplinary action, dismissal or other penalties for carrying out their tasks as a DPO
  • where the DPO performs another function within the practice, there is no conflict of interest
  • the contact details of the DPO are published in the practice’s transparency information for subjects and are communicated to the ICO
  • the DPO does not hold a position that leads them to determine the purposes and the means of the processing of personal data – this requirement will vary depending on whether the DPO is an internal or external appointment.

 

Holding staff records

The regulations require practices to identify and record what personal data has been collected from job applicants and carried through the employment lifecycle.

This will cover data kept on HR information systems, in personnel files (both electronic and paper), and data saved on hard drives and emails. There isn't a prescribed format for how this data is held and it can take a variety of different forms as long as it fulfils the purpose of helping the practice to determine:

  • What personal data is collected?
  • Where is personal data stored?
  • How is personal data processed?

The GDPR requires a detailed record to be kept of personal data-processing activities.

ACAS - guidance on GDPR