I suspect many businesses and probably most members of the general public are unaware that the fees for notification under the Data Protection Act 1998 were changed with effect from 1st October 2009. The change was made through The Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009, Statutory Instrument 2009/1677, laid before Parliament by Michael Wills, Minister of State in the Ministry of Justice, on 6th July 2009.
The annual notification fee has been £35 for all data controllers, regardless of their size, since 2000. However, from 1st October 2009, two tiers of fees have been in force.
Essentially, small and medium-sized organisations with fewer than 250 employees or less than £25.9M turnover continue to pay £35 annually and are now defined as “Tier 1” organisations. All other bodies (including any public authorities defined in the 1998 Act) will now fall into “Tier 2” and must pay £500 annually.
I think the general public have come to realise over the last couple of years just how important their data is and how easily it can be lost by cavalier organisations (including government departments!)
I welcome the change in the fee structure provided the extra funds taken are used to increase the Information Commissioner’s capability to ensure all of our private data is kept more securely by those with whom it is entrusted and that those who flagrantly breach the rules are brought to task.
Many businesses see the current fee as a stealth tax, and I suspect a good number of the general public do too. However, I hope that, with the increased funding, the Information Commissioner will be seen by everybody to be doing more to actively protect the public from cavalier data controllers.
These fee increases have been introduced ahead of new powers that will come into effect in April 2010 that will allow the Information Commissioner to fine people and organisations that recklessly breach any of the eight principles that underpin the act.
These new powers were introduced as part of the Criminal Justice and Immigration Act 2008, but will only come into force in April 2010. The Information Commissioner will only be able to fine data controllers when one or more of the eight principles have been seriously breached in cases where the breach was deliberate, or where the controller knew (or ought to have known) that the risk of such a breach was likely to cause substantial damage or distress; and the controller failed to take action to stop it.
Hopefully, these new teeth will work in tandem with the new funding to ensure all of our personal data is kept much more safely.