We have set up a helpline for the duration of the Covid-19 crisis. Call us on 0208 133 3430 (Mon-Fri 9-5) or email [email protected] for free support.

Do I need a Data Protection Officer?

A Data Protection Officer is a new role which has been mandated, by the General Data Protection Regulation (GDPR). However, only in specific situations.
Under GDPR, you must appoint a Data Protection Officer if:
  1. you are a public authority[1], except for courts acting in their judicial capacity;
  2. your core activities include large scale, regular and systematic monitoring of individuals (like online behaviour tracking); or
  3. your core activities include large scale[2] processing of special categories of data (includes health and social care information) or data relating to criminal convictions and offences.

For LA/NHS Owned Care Providers:

Local Authority/NHS owned care homes are considered public bodies under the Freedom of Information Act. You must have, or have access to, a Data Protection Officer. It is likely that the LA or CCG already has a Data Protection Officer – find out who this person is.

For large care organisations:

Large organisations will need to have access to a Data Protection Officer. This can be a consultant role and does not have to sit internally. A large care organisation could be characterised as multi-site (perhaps on a regional or national level). They will have dedicated staff in roles such as IT, HR and estates. They have large volumes of care records.
You should appoint, hire or contract a Data Protection Officer for your organisation. If you choose not to have a Data Protection Officer, you must record why you have made this decision.

For small care providers:

For small care providers it is less clear if a Data Protection Officer is required. This is because there is no clear definition yet for “large scale processing”. A small care provider might have one or two sites. They will have no dedicated staff in roles such as IT or HR and a small volume of care records.
You should assign someone in your organisation to be a “Data Protection Champion”. They are responsible for ensuring your organisation complies with data protection legislation. Do not call this person a Data Protection Officer.
Record the fact that you have not appointed a Data Protection Officer and why you haven’t. There is wording for this in our data protection policy template.

More information:

[1] As defined in the Freedom of Information Act 2000 – this will only apply to LA or NHS owned providers
[2] Note that there has not yet been a definition of what is meant by “large scale”. So there is some uncertainty around which size of provider would be expected to have a Data Protection Officer.
Back to FAQs