Expert Clinical Policy Writers Jen Clayton and Jenny Coverley share their insight into the role of a Data Protection Officer, explaining what this position entails and the criteria for requiring one.
“The Information Commissioner’s Office (ICO) state that an organisation requires a Data Protection Officer (DPO) if it meets specific criteria.
One of these criteria is if the business process ‘special category data on a large scale.’ Unfortunately, the ICO does not go on to specify what is considered ‘large scale’ in terms of numeric value.
As a result, as a data controller (the data controller being someone within the business who decides ‘how’ and ‘why’ personal data should be processed) you will be required to make a judgement on whether the sensitivity, volume, range and geographical location and proposed permanence of the processing equates to large scale processing. Medical and healthcare data is the most sensitive type of data that can be processed, so it is crucial that you take these considerations seriously. Further guidance relating to this can be sought here Special category data | ICO
If you decide that your business will not be classed as processing sensitive data on a large scale, it would be prudent to document this decision and ensure the decision is reviewed at regular intervals as your business expands over the future. Even if you decide that you do not require a Data Protection Officer, you must still, under the UK GDPR (General Data Protection Regulation) ensure that your business remains compliant with the requirements of the legislation. The ICO stipulates that their accountability principle requires you to take responsibility for what you do with personal data alongside compliancy of additional ICO principles, Accountability principle | ICO, Data protection self assessment | ICO
If you do decide that a Data Protection Officer is required, the person who takes on this role is more than a name only. The Data Protection Officer must be an individual with extensive knowledge of GDPR and the related data protection legislation. The role of the DPO is to support and advise you about your obligations under GDPR, to liaise with the ICO, to provide advice and support in the completion of DPIAs and to monitor compliance. Further guidance on “The Role and criteria of the DPO” can be found here Data protection officers | ICO
Whether you decide that you require a DPO or not, you must still register your business with the ICO if you intend to process personal data. The very nature of our clients’ work means that each of our clients must ensure that they are registered. Data protection fee | ICO
The ICO offers a multitude of tools to assist your business in ensuring that compliance with data protection is being met For organisations | ICO. If required, utilise the ICO they are happy to help and support Get help and support from the ICO | ICO.”