When the Commissioner Is Also the DPO: A Key Governance Risk in Primary Care

As the NHS continues to restructure and Integrated Care Boards (ICBs) take on broader system leadership roles, it’s increasingly common to see ICBs offering shared or centralised Data Protection Officer (DPO) services to GP practices. On the face of it, this makes sense: consistency, efficiency, shared expertise, and reduced burden on already stretched practices.


But there is a governance issue sitting underneath this approach that deserves some careful attention, particularly where the same ICB is both commissioning services from GP practices and acting as their DPO.


This issue is about a structural role conflict.


Why the dual role creates tension

Under UK GDPR, the DPO’s role is to provide independent advice, monitor compliance, and support controllers, and our experience shows that sometimes this requires us to give advice that is uncomfortable, inconvenient, or operationally disruptive.


That can include recommending that processing stops, that a service pauses until risks are addressed, or that a breach is escalated externally.


Commissioning, by contrast, exists to enable delivery. It carries responsibility for service continuity, contractual performance, political scrutiny, and system reputation. Those pressures are real and unavoidable.


When the same organisation occupies both roles, it can find itself in the impossible position of advising GP practices, in a trusted DPO capacity, that the very services it has commissioned may be non-compliant or high-risk. In effect, the system is asked to mark its own homework.


Even where individuals act scrupulously, the institutional incentives are very clearly pulling in opposite directions.


How the risk shows up in practice

The risk shows up subtly: practices hesitating before sharing near misses; DPO advice becoming more cautious or framed around “managing” rather than challenging risk; pre-approved DPIAs being issued with pressure to sign off before a Monday ‘go live’; uncertainty in meetings about whether a comment is being made as confidential DPO advice or as part of commissioning oversight. Over time, this erodes clarity and confidence on both sides.


There is also a legal and accountability dimension. GP practices are typically independent controllers for their own processing. When an ICB “provides the DPO,” it can unintentionally blur where accountability really sits, especially in breach handling, subject access requests, or complaints. In a moment of pressure, that confusion really matters.


This is not unmanageable, but it does need to be managed

It’s important to say that this risk is not binary. An ICB providing DPO services does not automatically mean non-compliance. But it does mean strong, explicit safeguards are needed if practices are to have confidence in the arrangement.


In practice, that means clear separation between DPO casework and commissioning assurance, with explicit rules preventing the use of DPO-derived information for performance management or contractual action. It means being transparent, in every meeting and project, about which “hat” the DPO is wearing, and structuring forums so that confidential DPO advice is not given in mixed commissioner settings.


It also means keeping controller accountability crisp: practices remain responsible for decisions, risk ownership, breach reporting, and transparency, even where they receive DPO support through a shared service.


One safeguard in particular is critical: where GP practices are independent controllers, their DPO function should not be line-managed by, or report into, the commissioning body’s DPO. Funding a service is one thing; managing and directing the people whose role is to challenge risk in commissioned services is quite another. Without that separation, DPO independence becomes very difficult to evidence in practice.


Finally, these arrangements benefit from independent review. Periodic checks that separation is actually working — not just described on paper — help ensure confidence is maintained over time.


The need to design carefully

As the NHS evolves, shared services and system solutions will become more common, not less. That’s not a bad thing. But data protection governance relies heavily on trust, independence, and clarity of role, and those don’t always survive consolidation unless they’re designed in deliberately.


Raising this issue isn’t about opposing ICB-provided DPO services, nor about defending any particular delivery model. It’s about illustrating a structural risk early, while there is still space to design safeguards properly, rather than discovering the problem later through incidents, complaints, or regulatory scrutiny.


Getting this right protects everyone involved: practices, commissioners, patients, and the credibility of the system as a whole.


Emma Kitcher, Primary Care IG Nerd