Home Menu

GP Practice and CCG Responsibilities for Data Protection Officers (DPO)


Since April 2018, CCGs have been required to provide IG advice and DPO support to practices. The new GP contract announced that this mandatory requirement would be extended. In 2019, CCGs are required to offer a Data Protection Officer (DPO) function to practices in addition to their existing DPO support services. This DPO function can be provided by the CCG direct or through its commissioning support service. Funding has been made available in CCGs’ baseline to support this requirement. The new Primary Care (GP) Digital Services Operating Model, due to be published in July, includes detail about CCGs’ responsibilities. The requirements are as follows:

Mandatory Requirements for CCGs

  1. IG advice and Data Protection Officer (DPO) Support:

Provision of advice, guidance and support on IG related issues including existing operational processes and procedures or new business initiatives to support practice designated Data Protection Officers including existing operational processes and procedures or new business initiatives. This includes:

  • Access for practices during normal service hours to specialist qualified advice on GDPR matters;
  • Advice on compliance with GDPR obligations;
  • Advice reflecting national guidance on GDPR compliance as it is published;
  • A review at least annually to identify and improve processes which have caused breaches or near misses, or which force practice staff to use workarounds which compromise data security. This may for example be a facilitated workshop at CCG level which would encourage shared learning;
  • Advice to support practices develop and maintain best practice processes that comply with national guidance on citizen identity verification;
  • Advice to support practices achieve mandatory compliance with the National Data Opt-Out policy by March 2020.


2. DPO Function (New requirement from April 2019):

  • As data controllers and “public authorities” general practices are legally required to designate a DPO.
  • CCGs are now required to provide a named DPO for practices to designate as their Data Protection Officer. The named DPO could be shared between practices.
  • Practices may choose to make their own DPO arrangements. CCGs are not expected to fund alternative arrangements, if a DPO service has already been offered by the CCG. However a CCG may at its discretion offer to fund these alternative arrangements.



Related guidance...

GDPR - General Data Protection Regulation 

The GDPR is a regulation that will come into force from 25th May 2018. Its intention is to strengthen data protection for individuals...


Covid funding (written by: Dr Kieran Sharrock) NHSEI have announced that £150m will be made available to general practice through the...

Contract Compliance Week Update

Contract Compliance Week Update Lincolnshire LMC has met with representatives of ULHT, NWAFT, and CCG to review the outcomes of the...

Amendments to GMS/PMS Contract Regulations - October 2020

Amendments to GMS/PMS Contract Regulations October 2020 Although there are a number of minor changes, those with the most relevance...

Safeguarding Collaborative Arrangements

Collaborative arrangements The NHS Act obliges NHS bodies to provide advice to statutory bodies in relation to social services,...

Privacy Notice

Lincolnshire LMC ltd. Commerce House, Carlton Boulevard, Outer Circle Road, Lincoln, LN2 4WJ By virtue of our size, the data we hold...

Safeguarding Children & Young People Roles & Responsibilities

All staff who come into contact with children and young people have a responsibility to safeguard and promote their welfare and should...


window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config',...


CQRS (written by: Kate Pilton, COO) NHSEI is overseeing a programme to ensure the CQRS system supports efficient GP incentive-based...

Core Hours

The Lincolnshire LMC have been contacted by many practices over the past few days who have received an email from NHS England regarding...