Under the Data Protection Act 1998, all data controllers have to register with the Information Commissioner's Office (ICO). The fee for such notifications has remained static for several years. However, one of the first measures of the new Information Commissioner is to revise the fee structure and to increase fees for some data controllers.
The new two-tier structure
From 1 October 2009, the ICO will introduce a new two-tier structure for notification fees. The changes are included in the Data Protection (Notification and Notification Fees) (Amendment) Order 2009 (Order) which was laid before Parliament on 6 July 2009.
- A "tier 1" data controller is any controller not covered by tier 2. The notification fee for "tier 1" controllers remains £35 per year.
- A "tier 2" data controller is any controller which:
  - is not a charity or a small occupational pension scheme;
  - has been in existence for more than a month; and
  - has a turnover of £25.9 million or more for its financial year and 250 or more members of staff or, in the case of a public authority, 250 or more members of staff.
From October, the annual notification fee for "tier 2" controllers will rise to £500.
The Order provides more detail about how these tests will be applied and in particular how the accounting of turnover in a financial year will be assessed. For companies, the ICO will apply s390 and s494 of the Companies Act 2006 in determining the meaning of financial year and turnover for the purposes of the Order. For limited liability partnerships, the ICO will apply these provisions as interpreted by the Limited Liability Partnerships (Accounts and Audits) (Application of Companies Act 2006) Regulations 2008. For other bodies, the ICO will apply similar tests, looking at any 12 month period over which the data controller determines its income and expenditure and normal trading activities which would make up turnover.
What this will mean for data controllers
There are two major consequences arising from the change for data controllers:
- controllers will now have to consider carefully which "tier" they fall into when applying for notification; and
- many companies will have to pay substantially more for their data protection notification compliance in the future. This is particularly relevant for large corporate groups.
Although the fee increase will not concern some larger companies, the significant increase may put pressure on some smaller companies which fall just above the threshold for "tier 2". In order to minimise the notification fees payable, a data controller that is a new company may want to submit its first notification within its first month of existence. If the notification is submitted within the first month, the company will be classed as "tier 1" for the first year at least, regardless of the size of the company.