DATA PROTECTION FEES
Following legislative changes arising from the General Data Protection Regulation (GDPR), data controllers are, from today (25 May 2018), no longer required to register with ("notify") the Information Commissioner's Office (ICO), provide detailed information about their data processing to the ICO, and pay an annual registration fee. Instead they must maintain their own internal data processing records and, unless they are exempt from doing so, must pay an annual data protection fee to the ICO. The level of the new fee is intended to ensure the ICO is adequately funded, and to reflect the relative risk to data processed by the organisation.
For organisations which are not exempt from paying the new fee, the three fee tiers are:
- Tier 1, for "micro organisations" with a maximum turnover of £632,000 or no more than 10 members of staff on average over the financial year, and for small occupational pension schemes and charities regardless of turnover or number of staff: fee £40, or £35 if paid by direct debit.
- Tier 2, for SMEs (small and medium organisations) with a maximum turnover of £36 million or no more than 250 members of staff on average: fee £60, or £55 by direct debit.
- Tier 3, for large organisations not meeting the tier 1 or 2 criteria: fee £2,900. This fee is much higher than the £500 most of these organisations have been paying, because the ICO considers these organisations are likely to hold and process the largest amount of data, and therefore represent a greater level of risk.
The fee for public authorities, as defined by the Freedom of Information Act 2000 or Freedom of Information (Scotland) Act 2002, is based only on number of staff – not turnover.
Any organisation, regardless of size, is fully exempt from paying the fee if it is processing personal data only for one or more of the following activities. If personal data is being processed for any other purpose(s), the exemption does not apply.
- Staff administration.
- Advertising, marketing and public relations.
- Accounts and records.
- Not-for-profit purposes.
- Personal, family or household affairs.
- Maintaining a public register.
- Judicial functions.
- Processing personal information without a computer or other automated system.
Organisations have to comply with GDPR and other data protection legislation even if they are exempt from paying the fee.
Registration and payment
For organisations currently registered with the ICO, the new fee is payable from when their current ICO registration ends. Prior to the renewal date the ICO will make an initial decision about the organisation's tier, based on information it holds, and will notify the organisation. The organisation can, if it believes the decision is wrong, explain why it should be altered. Unless the ICO is likely to know, from information it holds, that the organisation is a charity and/or that it meets the tier 1 or tier 2 criteria, it will be classed as tier 3 – so currently registered organisations should contact the ICO to ensure they are not incorrectly treated as tier 3 at any time, and should challenge immediately if the ICO says at the time of renewal that the organisation is (incorrectly) tier 3.
New organisations which are not exempt from the fee, or existing organisations which are not exempt and have not previously registered with the ICO and paid a fee, will need to register. This can be done via the ICO's website, and only includes the data controller's name, address and other trading names; number of staff; turnover for the financial year; and contact details for the person completing the registration process, the person responsible for regulatory issues and renewal of the registration fee if different, and the data protection officer if there is one. Details of types of personal data held and how it is used no longer need to be provided as part of the registration process.
The maximum penalty for not paying, or for not paying the correct fee, is £4,350 (150% of the tier 3 fee). This is a civil monetary penalty, rather than a criminal sanction as in the past.
The data protection fee: A guide for controllers, ICO, 17pp: http://tinyurl.com/y993szos (the full URL is ridiculously long). This includes, for example, how to calculate members of staff, a series of questions to determine whether the organisation is exempt from registering to pay the fee, and a glossary defining terms in the legislation or the guide, such as charity, member of staff, turnover etc.
Data Protection (Charges and Information) Regulations 2018: http://www.legislation.gov.uk/uksi/2018/480/contents/made
If you are taking GDPR (the General Data Protection Regulation) seriously, you should have sorted everything or at least started getting it sorted by now, as it has come into effect today (25 May). But better late than never. As the Information Commissioner said in her newsletter on 3 May, "To small and micro businesses [and this would include charities as well], clubs and associations who are not quite there, I say … don't panic! … We pride ourselves on being a fair and proportionate regulator. That will continue under the GDPR. 25 May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities."
For those starting out, see Paul Ticher's "Elements of GDPR" summary, attached. Then, for all of the Information Commissioner's GDPR resources, go to https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/. This includes links to its detailed guide to all aspects of GDPR, the GDPR self-assessment tool, FAQs for specific organisations, and much more. FAQs specifically for charities are at https://ico.org.uk/for-organisations/charity/charities-faqs/.
The ICO's helpline for organisations and businesses with fewer than 250 employees is on 0303 123 1113, option 4.
Recommended resources published since updates 1803-1805
Paul Ticher's "Elements of GDPR", a colourful six-page summary of how GDPR works, April 2018: attached, with thanks to Paul
'Bitesize' briefings from the Fundraising Regulator and Institute of Fundraising: https://www.fundraisingregulator.org.uk/information-registration-for-fundraisers/guidance/gdpr-charitable-fundraising-guidance-briefings/.
NICVA (Northern Ireland Council for Voluntary Action) GDPR toolkit, including templates for a register of personal data for controllers, a legitimate interests assessment, and privacy notice: http://www.nicva.org/data-protection-toolkit. Data protection law is the same in Northern Ireland as in the rest of the UK, so this guidance and the templates can be used anywhere.
Mills & Reeves solicitors GDPR hub, another source for the basics, with links for various checklists: https://www.mills-reeve.com/gdpr/.
Useful questions and action points from Anthony Collins solicitors, 11 May 2018: https://www.anthonycollins.com/newsroom/ebriefings/gdpr-will-apply-from-25-may-2018-are-you-ready/.
Advising Communities specimen data protection policy for community organisations, guidance on GDPR and archives, checklist for photos you hold or want to take, and much more. Available only to subscribers, but an annual subscription is low cost, and gives access to both a knowledge bank of resources and to email advice from experienced advisors. The knowledge bank covers not only GDPR but also activities and trading; building management; children and young people; community asset transfer; finance and funding; health and safety; HR and employment; legal structures and charitable status; policy matters; running the organisation; setting up a community organisation; trustee roles and responsibilities; and volunteers and volunteering. The annual cost is £20 for community organisations/charities with annual income under £20,000, £50 for community organisations and charities with annual income £20,000 to £500,000, and £100 if income is over £500,000. There are separate rates for individual consultants, community federations and regional groups, local infrastructure organisations, local authorities and housing associations.
Some Advising Communities resources, such as an example privacy notice for website/social media, are free even to non-subscribers; this is in the GDPR section of the knowledge bank.
GDPR: CONSENT v LEGITIMATE INTERESTS
Personal data can be processed only if there is a legal basis for such processing. Of the six legal bases in the GDPR, four are relatively straightforward: where the processing is carried out under a contract involving the data subject; to meet a legal obligation; to protect any person's 'vital interests'; or to fulfil government or judicial functions. For the other two, consent and legitimate interests, it can be less clear which should be used.
The Information Commissioner's guidance on legitimate interests says this is the most flexible lawful basis for processing, but organisations cannot assume it is the best. It is likely to be the most appropriate only if people's data is being used only in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. In an interesting comment in its guidance, the ICO says that if an organisation would be embarrassed by any negative publicity about its use or intended use of the data, it should avoid using legitimate interests as its lawful basis.
The ICO's guidance on legitimate interests sets out a three-part test:
- Purpose: Identify a legitimate interest, which can be the organisation's own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. [For example, in relation to my legal update mailings the legitimate interest would be improving the effectiveness of the voluntary sector and voluntary sector organisations, by providing information and support on voluntary sector governance and management.]
- Necessity: Show that the processing is necessary for that purpose. [How else can I send you these emails?]
- Balancing: Balance the legitimate interest against the individual's interests, rights and freedoms. [I hold only basic contact details and other information necessary to maintain the mailing list and to process payments for the updates. No one is on the mailing list unless they have asked to be, or a colleague in their organisation has asked for them to be. Individuals' interests and privacy are not compromised by being on the mailing list, and anyone can unsubscribe at any time. I also ask everyone on the mailing list to confirm regularly that they wish to continue to receive the mailings, and remove individuals who do not respond over an extended period.]
This is a simplistic example for a straightforward service, but for those of you who have not yet started thinking about such things, it may be a starting point.
Even where legitimate interests is a valid legal basis for processing personal data under the GDPR, it may not be adequate for organisations which engage in direct marketing. This is because the Privacy & Electronic Communications Regulations (PECR) require explicit consent for some (but not necessarily all) marketing by phone, email or text message.
Organisations which have not already decided which legal basis they are using for each aspect of their data processing should do so as soon as possible. All of the general briefings above and in updates 1803-1805 explain these issues, and many resources have relevant checklists and/or templates. Specific resources include:
ICO's lawful basis interactive tool, to help identify the most appropriate lawful basis for each purpose for which you hold personal data:
ICO's basic guidance on consent, with links at the end to its detailed guidance on consent:
ICO's basic guidance on legitimate interests, with links at the end to its detailed guidance on legitimate interests: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/.
"Members, membership information and marketing", on when membership organisations can rely on legitimate interests and when they need consent. Mills & Reeve solicitors, 9 April 2018: http://www.charitylegalupdate.co.uk/2018/04/members-membership-information-and-marketing.html.
NICVA's template for a legitimate interests assessment: See above under GDPR resources.
"ICO publishes guidance on consent", brief summary of key points in the ICO's consent guidance, key changes from previous versions, and when it may be OK to rely on pre-existing consents. Civil Society, 10 May 2018: https://www.civilsociety.co.uk/news/organisations-not-required-to-automatically-refresh-old-consents-under-gdpr.html.
"Consent: Double-edged sword and the progression towards other legal bases for processing", issues in using consent as the basis for processing. Shoosmiths solicitors, 12 April 2018:
DATA PROTECTION ACT 2018
The Data Protection Act 2018 received royal assent on 23 May 2018 and starts coming into effect on 25 May 2018. It includes flexibilities and derogations allowed by the GDPR, including on children's consent, processing special categories of data and personal data relating to criminal convictions and offences, and automated individual decision making. It also brings the EU Law Enforcement Directive into UK law, sets out data protection rules for the intelligence services, and covers the role of the ICO and enforcement.
The DPA 2018 is 353 A4 pages, so I will wait for someone else to summarise the key points affecting the voluntary sector. In the meantime, the ICO's overview is at https://ico.org.uk/for-organisations/data-protection-act-2018/, and the Act and the commencement no.1 regulations are on the legislation.gov.uk website.
source sandyadirondack 25.05.18