
GP Practice and CCG Responsibilities for Data Protection Officers (DPO)


Since April 2018, CCGs have been required to provide IG advice and DPO support to practices. The new GP contract announced that this mandatory requirement would be extended. In 2019, CCGs are required to offer a Data Protection Officer (DPO) function to practices in addition to their existing DPO support services. This DPO function can be provided by the CCG direct or through its commissioning support service. Funding has been made available in CCGs’ baseline to support this requirement. The new Primary Care (GP) Digital Services Operating Model, due to be published in July, includes detail about CCGs’ responsibilities. The requirements are as follows:

Mandatory Requirements for CCGs

  1. IG advice and Data Protection Officer (DPO) Support:

Provision of advice, guidance and support on IG-related issues, including existing operational processes and procedures or new business initiatives, to support practice-designated Data Protection Officers. This includes:

  • Access for practices during normal service hours to specialist qualified advice on GDPR matters;
  • Advice on compliance with GDPR obligations;
  • Advice reflecting national guidance on GDPR compliance as it is published;
  • A review at least annually to identify and improve processes which have caused breaches or near misses, or which force practice staff to use workarounds which compromise data security. This may for example be a facilitated workshop at CCG level which would encourage shared learning;
  • Advice to support practices to develop and maintain best practice processes that comply with national guidance on citizen identity verification;
  • Advice to support practices to achieve mandatory compliance with the National Data Opt-Out policy by March 2020.


2. DPO Function (New requirement from April 2019):

  • As data controllers and “public authorities”, general practices are legally required to designate a DPO.
  • CCGs are now required to provide a named DPO for practices to designate as their Data Protection Officer. The named DPO could be shared between practices.
  • Practices may choose to make their own DPO arrangements. CCGs are not expected to fund alternative arrangements if a DPO service has already been offered by the CCG. However, a CCG may at its discretion offer to fund these alternative arrangements.