Tag Archives: Data Protection Fees

Non-payment of Data Protection Fees: The ICO announces first steps in enforcement

Under the Data Protection Act 1998 it was an offence to process personal data without notifying the Information Commissioner (and paying the required notification fee) unless you were exempt from having to notify. The position changed in May when the GDPR and Data Protection Act 2018 entered into force. The requirement to notify, which had its origin in the 1995 Data Protection Directive, was done away with. This left the UK with a particular problem: the Information Commissioner’s work in relation to the enforcement of data protection was funded entirely by the notification fees paid by data controllers. The solution was to introduce a system of fees which data controllers are required to pay to the Information Commissioner unless they are exempt from having to do so.

The law was also changed so that non-payment of the data protection fee by a controller required to pay it is no longer a criminal offence. There are duplicate provisions in law which allow the Information Commissioner to charge these fees. The duplicate provisions are section 137 of the Data Protection Act 2018 and section 108 of the Digital Economy Act 2017. The fees payable are currently specified within The Data Protection (Charges and Information) Regulations 2018, which were made exercising the powers under section 108 of the Digital Economy Act (the Regulations being made prior to the enactment of the Data Protection Act 2018 in May). There are, however, no provisions within the Digital Economy Act 2017 in respect of penalties for non-payment of these fees; the only provision which deals with non-payment of these fees is section 158 of the Data Protection Act 2018, which applies to fees made under section 137 of the Data Protection Act 2018.

In terms of section 158 of the Data Protection Act 2018, the maximum penalty for non-payment of the fee is 150% of the highest charge payable in accordance with the fees regulations, disregarding any discount available under the fees regulations.

It seems that a number of data controllers, who the Commissioner believes should be paying a fee, have not paid their fee. Earlier this week it was announced that the Information Commissioner’s Office had started to take enforcement action against 34 such organisations. The enforcement regime in section 158 of the Data Protection Act 2018 applies to regulations made under section 108 of the Digital Economy Act 2017 by virtue of a provision within Schedule 20 to the Data Protection Act 2018 which provides that Regulations made under section 108 of the Digital Economy Act 2017 are to have effect as if they were Regulations made under section 137 of the Data Protection Act 2018 after the coming into force of section 137 of the Data Protection Act 2018 (which happened on 25 May 2018).

The Notices of Intent, according to the ICO press release, have been issued to a range of controllers across the public and private sectors, and there are others in the process of being issued. They act as a final warning by the ICO that if organisations don’t pay then they will be the recipient of a fixed penalty. It seems that the ICO is taking a relatively strong stance against non-payers from the outset and data controllers should therefore ensure that they pay their registration fees (where applicable) as and when their notification under the Data Protection Act 1998 comes to an end; or immediately where they did not notify under the Data Protection Act 1998.

Alistair Sloan

If you would like advice on a data protection or privacy matter then contact Alistair on 0141 229 0880 or you can e-mail him directly. You can also follow our Twitter account dedicated to the field of information law.

New Data Protection Fees

The draft Data Protection (Charges and Information) Regulations 2018 have now been laid before Parliament by the UK Government; it is intended that they will enter into force on 25th May 2018.  The Regulations will introduce the new charging regime that is to replace “notification fees”, once the requirement upon data controllers to notify the Information Commissioner of their processing of personal data comes to an end.

As expected, the fees will move from the current two-tier structure to a three-tier structure; however, the fee amounts are different to what was proposed in the consultation last year.  The tiers are as follows:

Tier 1
Data controllers who fall into tier 1 will pay an annual fee of £40 to the Information Commissioner.  You fall into this first tier if you have a turnover of less than or equal to £632,000 for your financial year, or you have no more than 10 members of staff.  Charities also fall into this category, as do small occupational pension providers.

Tier 2
Data controllers who fall into tier 2 will pay an annual fee of £60 to the Information Commissioner.  You will fall into this tier if you do not fall into tier 1 and have a turnover less than or equal to £36m for your financial year, or have no more than 250 members of staff.

Tier 3
Data controllers who fall into tier 3 will pay an annual fee of £2,900 to the Information Commissioner.  All non-exempt data controllers who do not fall into the first two tiers will fall into tier three.  The Commissioner has indicated that they will assume that every data controller falls into tier 3 unless they prove the contrary.

These fees do represent a shift from the levels that were consulted on last year.  In particular the top-tier fee that was suggested in October was £1,000 but has now become £2,900.  Data controllers can save themselves a bit of money (a grand total of £5) by paying their annual fees by Direct Debit.

The fees structure that was consulted on had suggested that there would be a premium to be paid by any data controller that also carried out direct marketing activities by electronic means; however, that hasn’t been given effect to in the draft Regulations that have been laid before Parliament.

In terms of working out how many members of staff you have for the purposes of these regulations you can’t just count the number of employees you have.  A member of staff, for the purposes of the Regulations, is: (i) an employee; (ii) a worker, within the meaning of s.296 of the Trade Union and Labour Relations (Consolidation) Act 1992; (iii) an office holder; or (iv) a partner.  Part-time members of staff are counted as one member for these purposes.  To calculate the members of staff you need to work out how many members of staff you employed each month in your last financial year, add together the monthly totals and then divide it by the number of months in your last financial year.  Even members of staff who work outside of the United Kingdom (and, indeed, the European Union) need to be counted.

You do not need to work out how many members of staff you have if you are a charity or if you are a small occupational pension scheme.  Public authorities are required to ignore the references to turnover and are required only to determine how many members of staff they have.

If you are processing personal data solely for one of the following eight purposes, you do not need to pay a fee to the Information Commissioner:

  1. Staff administration
  2. Advertising, marketing or public relations
  3. Accounts and records
  4. Not-for-profit purposes
  5. Personal, family or household affairs
  6. Maintaining a public register
  7. Judicial functions
  8. Processing personal information without an automated system such as a computer

To be able to rely upon this exemption your processing must be solely for one or more of the above noted purposes.  If your processing is for one of those activities in addition to another activity then you will need to pay the fee at the appropriate tier.

In order to ensure that data controllers are paying the correct level of fee, the draft Regulations have provision within them for data controllers to supply various pieces of information to the Information Commissioner; this information fits around establishing which, if any, of the three tiers the controller falls into.

There are a couple of final things to note.  The first is that if you pay a notification fee prior to 25th May 2018 then you will not be required to pay the new fees until that notification has expired.  Therefore, if you are due to notify the ICO under the Data Protection Act 1998 on or before 24th May 2018 you will not be required to pay the new fees until next year.  The final thing to note is that these Regulations are only in draft form; they are still subject to parliamentary approval and could be amended.  However, this blog post reflects the position as contained within the draft Regulations.  Large organisations should, however, be planning to pay significantly more to the Information Commissioner than the £500 they have been paying until now.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, including the GDPR, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.