Data protection officersU.K.
69Designation of a data protection officerU.K.
(1)The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.
(2)When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular—
(a)the proposed officer's expert knowledge of data protection law and practice, and
(b)the ability of the proposed officer to perform the tasks mentioned in section 71.
(3)The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size.
(4)The controller must publish the contact details of the data protection officer and communicate these to the Commissioner.
70Position of data protection officerU.K.
(1)The controller must ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
(2)The controller must provide the data protection officer with the necessary resources and access to personal data and processing operations to enable the data protection officer to—
(a)perform the tasks mentioned in section 71, and
(b)maintain his or her expert knowledge of data protection law and practice.
(3)The controller—
(a)must ensure that the data protection officer does not receive any instructions regarding the performance of the tasks mentioned in section 71;
(b)must ensure that the data protection officer does not perform a task or fulfil a duty other than those mentioned in this Part where such task or duty would result in a conflict of interests;
(c)must not dismiss or penalise the data protection officer for performing the tasks mentioned in section 71.
(4)A data subject may contact the data protection officer with regard to all issues relating to—
(a)the processing of that data subject's personal data, or
(b)the exercise of that data subject's rights under this Part.
(5)The data protection officer, in the performance of this role, must report to the highest management level of the controller.
71Tasks of data protection officerU.K.
(1)The controller must entrust the data protection officer with at least the following tasks—
(a)informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person's obligations under this Part,
(b)providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section,
(c)co-operating with the Commissioner,
(d)acting as the contact point for the Commissioner on issues relating to processing, including in relation to the consultation mentioned in section 65, and consulting with the Commissioner, where appropriate, in relation to any other matter,
(e)monitoring compliance with policies of the controller in relation to the protection of personal data, and
(f)monitoring compliance by the controller with this Part.
(2)In relation to the policies mentioned in subsection (1)(e), the data protection officer's tasks include—
(a)assigning responsibilities under those policies,
(b)raising awareness of those policies,
(c)training staff involved in processing operations, and
(d)conducting audits required under those policies.
(3)In performing the tasks set out in subsections (1) and (2), the data protection officer must have regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing.