Every GP Practice in England and Wales should have a designated Data Protection Officer (‘DPO’) who is key to the practice being able to comply with its UK General Data Protection Regulation 2016 (‘GDPR’) duties. Unfortunately, there is a lack of understanding about the importance of the DPO role, resulting in partners and, separately, the DPO taking on potentially significant regulatory and financial liability. In many practices, the DPO is seen as a secondary function that a partner, practice manager, or relatively junior member of staff can undertake in addition to their normal duties. In this blog, our data and information security solicitor, David Sinclair, identifies some of the key risks and some steps you can take to avoid them.
The role of the DPO
A DPO has significant, statutory data protection responsibilities that require them to possess requisite professional qualities and other abilities (not defined in the legislation), together with an ‘expert knowledge of data protection law and practices’. Given the complexity and ever-changing nature of UK data protection law, this is a significant burden to impose on any professional – even one with considerable information governance experience.
Unless otherwise expressly set out in the partnership agreement, partners are jointly and severally liable for GDPR compliance, including for formally appointing and adequately supporting a competent DPO, and for filing the DPO appointment with the ICO.
Partners bear the full statutory responsibility of ensuring that the DPO (whether a staff member or third party) has the experience, skills and knowledge to fulfil their DPO duties, as well as the required ongoing training, support and resources to enable them to carry out their role.
A DPO carries significant liability if a GDPR breach is attributed in whole or in part to a failure on their part to properly undertake their DPO duties. This is the case even when it can be shown that they perhaps did not have the necessary experience for the role and/or were not provided with adequate training to understand the GDPR’s requirements (many of which are poorly defined and open to interpretation), unless the DPO can demonstrate that they raised these issues with the practice at the earliest opportunity.
A common misconception among DPOs is that they have immunity from prosecution, dismissal, or other disciplinary action by virtue of their status as a DPO. This is not the case.
Article 38 of the GDPR provides DPOs with limited protection from dismissal or other penalty relating purely to the performance of their DPO tasks. In addition, DPOs cannot be personally liable for the partnership’s non-compliance with the GDPR, which remains with the partners.
Data protection law does not, however, protect DPOs who fail to undertake their statutory role or who do so negligently, e.g. by failing to advise the partners or by giving inaccurate advice, particularly where this is due to the DPO’s lack of competence and they failed to raise that with the practice.
Further, the GDPR does not prevent partners disciplining DPO employees (up to and including dismissal) under the terms of their employment contract, or from partners seeking to recover damages (in breach of contract and/or negligence) from external DPOs, whose failure to undertake their role results in a breach of data protection law.
So how can you minimise your liabilities?
Partners should undertake due diligence on a DPO’s competence and suitability to undertake their role. The practice must also provide the DPO with the resources and support they need to carry out their duties. We strongly advise partners to review their DPO appointment on a regular basis.
Existing DPOs and those considering taking on the role should give thought to whether they have the required training, experience, skills and knowledge to undertake the role. Particular consideration should be given to whether they can advise the practice competently and confidently on complex GDPR issues. Individuals who have doubts about their competence in this area should raise this with a partner as a priority.
For more information about GDPR, the role of the DPO or on information governance issues generally, please contact David Sinclair on 01483 511555 or by email to firstname.lastname@example.org.
With workload becoming ever more complex and demand continuing to grow for general practice services, many PCNs are looking at incorporation as a solution to running a safe and sustainable structure going forwards. Produced by Ockham Healthcare, Nils Christiansen presents a short podcast offering practical advice on safeguarding and streamlining the PCN as a business entity.
Most GP practices continue to be organised as partnerships: an ‘independent contractor’ status which has outlived innumerable changes in the NHS. The ‘golden hello’ new to partnership scheme has attracted over 1,300 applicants over the last year, demonstrating that there are still plenty of people who aspire to becoming a partner in a GP practice. However, in an effort to keep up with the fast-changing environment and to appeal to a broader range of partner candidates, many GP partnerships are looking at ways of flexing the traditional partner role, to the benefit of all concerned.
In this blog, we look at the 3 main types of partner we regularly encounter in GP practices.
1. Equity Partner (self-employed)
This is the most traditional partner model. Equity Partners are self-employed and have full and equal rights to decision making and are part of a collective management team which is jointly responsible for all aspects of running the practice. Profits and losses are shared equally, although sometimes there is a ‘path to parity’ over a period of a few years. With the rise of part-time working, a common variant is to share the profits and losses on the basis of planned sessions. Equity Partners are expected to contribute capital to the business (as a minimum working capital, but sometimes also property or other capital) which is usually called ‘buying in’. An Equity Partner is jointly and severally responsible for any losses and liabilities that arise in the partnership. This means that creditors can choose to pursue one or all of the partners for the full amount of the partnership debts.
2. Fixed Share Partner (self-employed)
Fixed Share Partners are also self-employed. A Fixed Share Partner typically receives a fixed, guaranteed income for a defined period of time (sometimes during a mutual assessment period) and there should also be an element of variable income based on the profits or losses of the practice. The ‘golden hello’ scheme does not apply to Fixed Share Partners where the fixed share period extends beyond the expiry of any mutual assessment period. Fixed Share Partners still share full liability alongside the Equity Partners so they ought to be suitably indemnified by the Equity Partners in the partnership deed. Fixed Share Partnership arrangements need to be carefully documented to avoid HMRC viewing the tax status of the person as an employee.
3. Salaried Partner (employed)
Salaried Partner and Fixed Share Partner are often (incorrectly) used interchangeably. The key to this person’s status is in the word ‘salary’. Whereas partners take drawings on account of their profit share, Salaried Partners are employees who receive a salary. Salaried Partners should have an employment contract, they benefit from the protection of all relevant employment legislation and they receive a salary with tax and NI deducted at source under PAYE. Salaried Partners may have an element of ‘bonus’ depending on the profitability of the practice and this will be documented in their employment contract. Salaried Partners will not be a party to the partnership deed and they should have no share in the partnership profits and no voting rights. For a Salaried Partner, the word ‘partner’ is just a title and nothing more so they need to be suitably indemnified by the Equity Partners in their employment contract.
A word of warning…
Third parties can bring a claim against anyone who calls themselves a partner, be they an Equity, Fixed Share or Salaried Partner. So behind the scenes, Fixed Share and Salaried Partners are usually protected by way of an indemnity from the Equity Partners. An indemnity is a promise from the Equity Partners to financially compensate the Fixed Share or Salaried Partner in the event of a loss or liability arising. However, the indemnity will not be worth the paper it is written on unless the Equity Partners are good for the money.
If you are a GP practice or a partner or you are thinking about partnership and you want clarification on this blog or any other matter relating to primary care, then it’s time to contact us. Please call us on 01483 511555 or send an email to email@example.com