The following update has been received from Sandy Adirondack, voluntary sector legal expert – www.sandy-a.co.uk
Data protection fees
Following legislative changes arising from the General Data Protection Regulation (GDPR), data controllers are, from today (25 May 2018), no longer required to register with (“notify”) the Information Commissioner’s Office (ICO), provide detailed information about their data processing to the ICO, and pay an annual registration fee. Instead they must maintain their own internal data processing records and, unless they are exempt from doing so, must pay an annual data protection fee to the ICO. The level of the new fee is intended to ensure the ICO is adequately funded, and to reflect the relative risk to data processed by the organisation.
For organisations which are not exempt from paying the new fee, the three fee tiers are:
- Tier 1, for “micro organisations” with a maximum turnover of £632,000 or no more than average 10 members of staff over the financial year; and small occupational pension fees and charities regardless of turnover or number of staff: fee £40, or £35 if paid by direct debit.
- Tier 2, for SMEs (small and medium organisations) with maximum turnover of £36 million or no more than average 250 members of staff: fee £60, or £55 by direct debit.
- Tier 3, for large organisations not meeting the tier 1 or 2 criteria: fee £2,900. This fee is much higher than the £500 most of these organisations have been paying, because the ICO considers these organisations are likely to hold and process the largest amount of data, and therefore represent a greater level of risk.
The fee for public authorities, as defined by the Freedom of Information Act 2000 or Freedom of Information (Scotland) Act 2002, is based only on number of staff – not turnover.
Any organisation, regardless of size, is fully exempt from paying the fee if it is processing personal data only for one or more of the following activities. If personal data is being processed for any other purpose(s), the exemption does not apply.
- Staff administration.
- Advertising, marketing and public relations.
- Accounts and records.
- Not-for-profit purposes.
- Personal, family or household affairs.
- Maintaining a public register.
- Judicial functions.
- Processing personal information without a computer or other automated system.
Organisations have to comply with GDPR and other data protection legislation even if they are exempt from paying the fee.
Registration and payment
For organisations currently registered with the ICO, the new fee is payable from when their current ICO registration ends. Prior to the renewal date the ICO will make an initial decision about the organisation’s tier, based on information it holds, and will notify the organisation. The organisation can, if it believes the decision is wrong, explain why it should be altered. Unless the ICO is likely to know, from information it holds, that the organisation is a charity and/or that meets the tier 1 or tier 2 criteria, it will be classed as tier 3 – so currently registered organisations should contact the ICO to ensure they are not incorrectly treated as tier 3 at any time, and should challenge immediately if the ICO says at the time of renewal that the organisation is (incorrectly) tier 3.
New organisations which are not exempt from the fee, or existing organisations which are not exempt and have not previously registered with the ICO and paid a fee, will need to register. This can be done via the ICO’s website, and only includes the data controller’s name, address and other trading names; number of staff; turnover for the financial year; and contact details for the person completing the registration process, the person responsible for regulatory issues and renewal of the registration fee if different, and the data protection officer if there is one. Details of types of personal data held and how it is used no longer need to be provided as part of the registration process.
The maximum penalty for not paying, or for not paying the correct fee, is £4,350 (150% of the tier 3 fee). This is a civil monetary penalty, rather than a criminal sanction as in the past.
- The data protection fee: A guide for controllers, ICO. This includes, for example, how to calculate members of staff, a series of questions to determine whether the organisation is exempt from registering to pay the fee, and a glossary defining terms in the legislation or the guide, such as charity, member of staff, turnover etc.
- Data Protection (Charges and Information) Regulations 2018: http://www.legislation.gov.uk/uksi/2018/480/contents/made.
GDPR: consent v legitimate interests
Personal data can be processed only if there is a legal basis for such processing. Of the six legal bases in the GDPR, four are relatively straightforward: where the processing is carried out under a contract involving the data subject; to meet a legal obligation; to protect any person’s ‘vital interests’; or to fulfil government or judicial functions. For the other two, consent and legitimate interests, it can be less clear which should be used.
The Information Commissioner ‘s guidance on legitimate interests says this is the most flexible lawful basis for processing, but organisations cannot assume it is the best. It is likely to be the most appropriate only if people’s data is being used only in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. In an interesting comment in its guidance, the ICO says that if an organisation would be embarrassed by any negative publicity about its use or intended use of the data, it should avoid using legitimate interests as its lawful basis.
The ICO’s guidance on legitimate interests sets out a three-part test:
- Purpose: Identify a legitimate interest, which can be the organisation’s own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- Necessity: Show that the processing is necessary for that purpose.
- Balancing: Balance the legitimate interest against the individual’s interests, rights and freedoms.
Even where legitimate interests is a valid legal basis for processing personal data under the GDPR, it may not be adequate for organisations which engage in direct marketing. This is because the Privacy & Electronic Communications Regulations (PECR) require explicit consent for some (but not necessarily all) marketing by phone, email or text message.
Organisations which have not already decided which legal basis they are using for each aspect of their data processing should do so as soon as possible. All of the general briefings above and in updates 1803-1805 explain these issues, and many resources have relevant checklists and/or templates. Specific resources include:
- ICO’s lawful basis interactive tool, to help identify the most appropriate lawful basis for each purpose for which you hold personal data: https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/lawful-basis-interactive-guidance-tool/.
- ICO’s basic guidance on consent, with links at the end to its detailed guidance on consent: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/.
- ICO’s basic guidance on legitimate interests, with links at the end to its detailed guidance on legitimate interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/.
- “Members, membership information and marketing”, on when membership organisations can rely on legitimate interests and when they need consent. Mills & Reeve solicitors, 9 April 2018: http://www.charitylegalupdate.co.uk/2018/04/members-membership-information-and-marketing.html.
- NICVA’s template for a legitimate interests assessment: See above under GDPR resources.
- “ICO publishes guidance on consent”, brief summary of key points in the ICO’s consent guidance, key changes from previous versions, and when it may be OK to rely on pre-existing consents. Civil Society, 10 May 2018:https://www.civilsociety.co.uk/news/organisations-not-required-to-automatically-refresh-old-consents-under-gdpr.html.
- “Consent: Double-edged sword and the progression towards other legal bases for processing”, issues in using consent as the basis for processing. Shoosmiths solicitors, 12 April 2018: http://www.shoosmiths.co.uk/client-resources/legal-updates/consent-progression-legal-bases-processing-14019.aspx.
Data Protection Act 2018
The Data Protection Act 2018 received royal assent on 23 May 2018 and starts coming into effect on 25 May 2018. It includes flexibilities and derogations allowed by the GDPR, including on children’s consent, processing special categories of data and personal data relating to criminal convictions and offences, and automated individual decision making. It also brings the EU Law Enforcement Directive into UK law, sets out data protection rules for the intelligence services, and covers the role of the ICO and enforcement.
The ICO’s overview of the DPA 2018 is at https://ico.org.uk/for-organisations/data-protection-act-2018/, and the Act and the commencement no.1 regulations are on the legislation.gov.uk website.
To join Sandy Adirondack’s legal updates email list, contact firstname.lastname@example.org.