Home Menu

GP Practice and CCG Responsibilities for Data Protection Officers (DPO)


Since April 2018, CCGs have been required to provide IG advice and DPO support to practices. The new GP contract announced that this mandatory requirement would be extended. In 2019, CCGs are required to offer a Data Protection Officer (DPO) function to practices in addition to their existing DPO support services. This DPO function can be provided by the CCG direct or through its commissioning support service. Funding has been made available in CCGs’ baseline to support this requirement. The new Primary Care (GP) Digital Services Operating Model, due to be published in July, includes detail about CCGs’ responsibilities. The requirements are as follows:

Mandatory Requirements for CCGs

  1. IG advice and Data Protection Officer (DPO) Support:

Provision of advice, guidance and support on IG related issues including existing operational processes and procedures or new business initiatives to support practice designated Data Protection Officers including existing operational processes and procedures or new business initiatives. This includes:

  • Access for practices during normal service hours to specialist qualified advice on GDPR matters;
  • Advice on compliance with GDPR obligations;
  • Advice reflecting national guidance on GDPR compliance as it is published;
  • A review at least annually to identify and improve processes which have caused breaches or near misses, or which force practice staff to use workarounds which compromise data security. This may for example be a facilitated workshop at CCG level which would encourage shared learning;
  • Advice to support practices develop and maintain best practice processes that comply with national guidance on citizen identity verification;
  • Advice to support practices achieve mandatory compliance with the National Data Opt-Out policy by March 2020.


2. DPO Function (New requirement from April 2019):

  • As data controllers and “public authorities” general practices are legally required to designate a DPO.
  • CCGs are now required to provide a named DPO for practices to designate as their Data Protection Officer. The named DPO could be shared between practices.
  • Practices may choose to make their own DPO arrangements. CCGs are not expected to fund alternative arrangements, if a DPO service has already been offered by the CCG. However a CCG may at its discretion offer to fund these alternative arrangements.



Related guidance...

GDPR - General Data Protection Regulation 

The GDPR is a regulation that will come into force from 25th May 2018. Its intention is to strengthen data protection for individuals...

Core Contract Compliance Checks

From time to time NHS England will check that practices are complying with some of the changes to your core contract that have come in...

Safeguarding Collaborative Arrangements

Collaborative arrangements The NHS Act obliges NHS bodies to provide advice to statutory bodies in relation to social services,...

Privacy Notice

Lincolnshire LMC ltd. Commerce House, Carlton Boulevard, Outer Circle Road, Lincoln, LN2 4WJ By virtue of our size, the data we hold...

Safeguarding Children & Young People Roles & Responsibilities

All staff who come into contact with children and young people have a responsibility to safeguard and promote their welfare and should...

MCP Contract Framework

NHS England's Five Year Forward View set out a number of NMCs (New Models of Care) that NHS England believes represent ways to provide...

Core Hours

The Lincolnshire LMC have been contacted by many practices over the past few days who have received an email from NHS England regarding...


Practioner Support Lincolnshire LMC offers professional support for practitioners who may be struggling with challenges or obstacles...

Medical Record Requests from the Police

Update on Medical Record Requests from the Police The BMA have recently updated their guidance around requests from the police for...

ADHD service for patients aged 16 and over

Please Note: The LMC is not the ADHD Service, if you wish to contact the ADHD360 Service please call 01507 534 181 or go to...