
A Data Protection Officer (DPO) is a requirement for any public authority under the Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulation (UK GDPR) [2]. Dental practices which treat NHS patients are defined as public authorities and therefore must appoint a DPO. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. The DPO can be an existing employee, provided that their other duties are compatible with the duties of the DPO and do not lead to a conflict of interest, i.e. the DPO should not be the person with overall responsibility for the processing of personal data. It is likely that an internal DPO will require training to enable them to undertake their data protection duties. Alternatively, you can choose to outsource this function to an external provider, or you could work in combination with other local practices.

The duties of your DPO cover all personal data processing activities. Specific tasks include:

•    informing, advising and monitoring compliance of practice staff with data protection obligations

•    monitoring compliance with your practice’s data protection policies in line with the UK GDPR, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits

•    advising on data protection impact assessments where these are required (see Data Protection Impact Assessments)

•    cooperating with the (UK) Information Commissioner's Office (ICO)

•    being the contact for the (UK) ICO and for individuals whose data is processed (employees, patients etc).

When carrying out their tasks the DPO is required to take into account the risk associated with the data processing your practice is undertaking. They must consider the nature, scope, context and purposes of the processing and should prioritise and focus on activities which have the highest risk, for example special category data processing.

If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.

Under the UK GDPR [2], you are required to publish the contact details of your DPO and also provide them to the ICO. This will enable patients, your employees and the ICO to contact the DPO as needed. You do not need to include the name of the DPO when publishing their contact details.

You are also required to provide your DPO’s contact details in the following circumstances:
•    when consulting the ICO under Article 36 about a DPIA (see Data Protection Impact Assessments)
•    when providing privacy information to individuals, under Articles 13 and 14.

You do have to provide your DPO’s name if you report a personal data breach to the ICO and to those individuals affected by it.

Appoint a Data Protection Officer; this may be an existing employee or an external provider of this service.

If your Data Protection Officer is an existing employee, such as a practice manager, ensure that:

  • they receive appropriate training
  • they are able to carry out their duties in an independent manner
  • there is no conflict of interest with their other duties in the practice.

Publish the contact details of your DPO; this can be done via your practice's Data Protection, Confidentiality and Information Security Policy and your practice's Privacy Notice.

Provide the contact details of your DPO to the Information Commissioner's Office.

Sources of information

  1. Data Protection Act 2018
  2. The UK GDPR. Information Commissioner's Office