Under the Data Protection Act, all data controllers who process personal information must notify the Information Commissioner's Office (ICO) unless they qualify for an exemption under the Act. At present, all data controllers must pay a fee of £35 when notifying.

New Regulations have now been introduced that mean that, from 1st October 2009, the notification fee will increase for certain data controllers.

The Regulations will replace the £35 flat-rate notification fee with a two-tiered system that will lead to some organisations paying a £500 notification fee. The fee for data controllers who are in Tier 1 will remain £35. Tier 2 data controllers will, however, need to pay a £500 fee to the ICO.

The Regulations provide that a data controller will be in Tier 2 if:

  • it is not a charity or a small occupational pension scheme;
  • it has been in existence for more than one month;
  • it has an annual turnover of £25.9 million or more for the financial year; and
  • it has 250 or more members of staff.

Data controllers who do not qualify for Tier 2 will be in Tier 1.

The Explanatory Memorandum, prepared by the Ministry of Justice, has indicated that it costs the ICO £16 million per year to carry out its existing data protection duties. It is expected that an additional £4.7 million will come from the use of the two-tiered system. The Memorandum states that "The higher fee payable by Tier 2 data controllers reflects the amount of resources invested by the IC [Information Commissioner] in regulating large data controllers."

Under the two-tiered system, data controllers will decide into which tier they fall, based on the criteria detailed above. The ICO will then be able to verify that a data controller has registered in the correct tier. It will be a criminal offence to provide false information when registering as a data controller. Failure to notify as a data controller is also a criminal offence.