A member was in touch with Scottish Care last week about a letter they received from the Information Commissioner's Office (ICO) regarding payment of a data protection fee. As stated in the letter: "If you hold personal information (including names and addresses) on any electronic device, you probably need to pay." Members of Scottish Care should be aware that letters are being sent out to all care providers, whether in the NHS or Social Care, and to many other sectors regarding this.
I have collated some information below, which is available on the Information Commissioner's Office (ICO) website: https://ico.org.uk
Information Commissioner's Office (ICO)
On 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations) came into force, changing the way we fund our data protection work.
Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (controllers) must pay a data protection fee unless they are exempt.
The new data protection fee replaces the requirement to ‘notify’ (or register), which was in the Data Protection Act 1998 (the 1998 Act).
Although the 2018 Regulations come into effect on 25 May 2018, this doesn’t mean everyone now has to pay the new fee. Controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired.
If you hold personal information (including names and addresses) on any electronic device, you probably need to pay. More information is available at: https://ico.org.uk
If you are unsure whether you need to pay a fee, there is a helpful self-assessment tool on the ICO website, and there is also a helpline: you can call the ICO on 0303 123 1113.
There are three different tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.
The tier you fall into depends on:
- how many members of staff you have;
- your annual turnover;
- whether you are a public authority;
- whether you are a charity; or
- whether you are a small occupational pension scheme.
Not all controllers must pay a fee. Many can rely on an exemption.
Tier 1 – Micro Organisations
You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – Small and Medium Organisations
You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – Large Organisations
If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. We regard all controllers as eligible to pay a fee in tier 3 unless and until they tell us otherwise.
Working out your data protection fee
Calculating members of staff
For the purpose of working out the fee, ‘members of staff’ is defined broadly to include all your employees, workers, office holders and partners. Your number of members of staff is the average number working for you during your financial year. Each part-time staff member is counted as one member of staff.
Membership Support Manager, Scottish Care