Under GDPR, you must appoint a Data Protection Officer if:
you are a public authority, except for courts acting in their judicial capacity;
your core activities include large scale, regular and systematic monitoring of individuals (like online behaviour tracking); or
your core activities include large scale processing of special categories of data (includes health and social care information) or data relating to criminal convictions and offences.
For LA/NHS Owned Care Providers:
Local Authority/NHS owned care homes are considered public bodies under the Freedom of Information Act. You must have, or have access to, a Data Protection Officer. It is likely that the LA or CCG already has a Data Protection Officer – find out who this person is.
For large care organisations:
Large organisations will need to have access to a Data Protection Officer. This can be a consultant role and does not have to sit internally. A large care organisation could be characterised as multi-site (perhaps on a regional or national level). They will have dedicated staff in roles such as IT, HR and estates. They have large volumes of care records.
You should appoint, hire or contract a Data Protection Officer for your organisation. If you choose not to have a Data Protection Officer, you must record why you have made this decision.
For small care providers:
For small care providers it is less clear if a Data Protection Officer is required. This is because there is no clear definition yet for “large scale processing”. A small care provider might have one or two sites. They will have no dedicated staff in roles such as IT or HR and a small volume of care records.
You should assign someone in your organisation to be a “Data Protection Champion”. They are responsible for ensuring your organisation complies with data protection legislation. Do not call this person a Data Protection Officer.
Record the fact that you have not appointed a Data Protection Officer and why you haven’t. There is wording for this in our data protection policy template.