As of 1 October 2009 the notification and renewal fees charged to data controllers by the Information Commissioner's Office (ICO) will be split into two tiers, with an increase from £35 to £500 for larger organisations who act as data controllers. Under the Data Protection Act 1998 almost all data controllers (subject to very limited exceptions – see below) that process personal data are required to notify the ICO of their processing activities so they can be put on the ICO public register. Failure to notify is a criminal offence.
Currently, there is a flat fee of £35 for notification and annual renewal of a register entry for all data controllers. However, from 1 October 2009 a data controller with an annual turnover of £25.9 million and 250 or more staff will have to pay an initial and annual renewal notification fee of £500 each year. Public authorities with more than 250 staff will also have to pay £500 per annum.
Organisations that do not meet these criteria will be classified under a lower tier and continue to pay a fee of £35 per annum. Charities, small occupational pension schemes and organisations that have been in existence for less than a month, regardless of their size and turnover, will also fall under the lower tier and pay £35.
It is important to note that there is no such thing as a parent company registration, which means that each data controller company within a corporate group must register.
A data controller may be exempt from notification if it only processes personal data for the following three "core business purposes", which are essential for the operation of its organisation:
- staff administration (including pay roll);
- advertising, marketing and PR (in connection with its own business); and
- accounts and records.
Another narrow exemption from notification is for not-for-profit organisations. We are able to offer advice to help determine if your organisation falls within the ambit of these exemptions.
According to the government the introduction of the higher fee is to raise revenue for the ICO to support its regulatory and advisory roles, and the criteria have been justified on the basis that it reflects the higher cost of regulating large data controllers.