This long-awaited SI
has now gained Parliamentary approval and has been published here. There
are no material changes from the widely publicised draft. The Regulations come
into force on 25 May.
The Explanatory Note reads as follows:
These
Regulations set out the circumstances in which data controllers are required to
pay a charge, and provide information, to the Information Commissioner from
25th May 2018. They will replace the previous regime under the Data Protection
(Notification and Notification Fees) Regulations 2000 (S.I. 2000/188).
Regulation 2 requires a data controller to pay an annual charge
to the Information Commissioner unless all the processing of personal data by
the data controller is exempt processing. The descriptions of exempt processing
are set out in paragraph 2 of the Schedule to the Regulations and cover
non-automated processing; processing undertaken for the purposes of personal,
family or household affairs; processing for the purpose of the maintenance of a
public register; processing for the purposes of operations involving staff
administration; processing for the purposes of advertising, marketing and
public relations in respect of the data controller’s own activities; processing
for the purposes of accounts, record keeping and the making of financial
forecasts; processing carried out by non profit-making organisations for
certain purposes; and processing for the purposes of exercising judicial
functions. An exemption from the requirements of regulation 2 is not lost
solely because the data controller makes a disclosure of personal data in the
circumstances described in paragraph 2(3) of the Schedule.
Regulation 2 also sets out specified information that a data
controller is required to provide to the Information Commissioner to determine
the correct charge.
Regulation 3 makes provision for the amount of a charge to be
paid by a data controller to the Information Commissioner in respect of each
“charge period”. Three tiers of charge are prescribed, in the amounts of £40,
£60 and £2900 according to criteria relating to a data controller’s turnover
and number of members of staff (or only members of staff, for a public authority).
Specific provision is made for charities and small occupational pension schemes
and the charge is reduced if a data controller pays the charge by direct debit.
Regulations 4 and 5 make special provision in two cases where
there is more than one data controller in respect of personal data; regulation
4 provides for the requirements of regulation 2(2) to be satisfied by business
partners in the name of the partnership and regulation 5 for the requirements
to be satisfied by the governing body and head teacher of a school in the name
of the school.
Regulation 6 makes provision in respect of the extent to which
these Regulations apply to the Crown.
