Yes. Any and all public bodies are required by law to appoint a DPO.
The definition of a public body is determined by the Data Protection Act 2018, which itself relies on Schedule 1 of the Freedom of Information Act 2000 which includes in its ambit
“Any person providing general medical services, general dental services, general ophthalmic services or pharmaceutical services under Part II of the [1977 c. 49.] National Health Service Act 1977, in respect of information relating to the provision of those services. ”
In addition, the GDPR requires the designation of a DPO, where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale. The EU guidance on this specifically states in relation to health care,
“‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms as inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patient’s health records, should be considered as one of any hospital’s core activities and hospitals must therefore designate DPOs.”
