The Data Protection (Charges and Information) Regulations 2018 (SI 2018/480) have now been published
This long-awaited SI has now gained Parliamentary approval and has been published here. There are no material changes from the widely publicised draft. The Regulations come into force on 25 May.
The Explanatory Note reads as follows:
These Regulations set out the circumstances in which data controllers are required to pay a charge, and provide information, to the Information Commissioner from 25th May 2018. They will replace the previous regime under the Data Protection (Notification and Notification Fees) Regulations 2000 (S.I. 2000/188).
Regulation 2 requires a data controller to pay an annual charge to the Information Commissioner unless all the processing of personal data by the data controller is exempt processing. The descriptions of exempt processing are set out in paragraph 2 of the Schedule to the Regulations and cover non-automated processing; processing undertaken for the purposes of personal, family or household affairs; processing for the purpose of the maintenance of a public register; processing for the purposes of operations involving staff administration; processing for the purposes of advertising, marketing and public relations in respect of the data controller’s own activities; processing for the purposes of accounts, record keeping and the making of financial forecasts; processing carried out by non profit-making organisations for certain purposes; and processing for the purposes of exercising judicial functions. An exemption from the requirements of regulation 2 is not lost solely because the data controller makes a disclosure of personal data in the circumstances described in paragraph 2(3) of the Schedule.
Regulation 2 also sets out specified information that a data controller is required to provide to the Information Commissioner to determine the correct charge.
Regulation 3 makes provision for the amount of a charge to be paid by a data controller to the Information Commissioner in respect of each “charge period”. Three tiers of charge are prescribed, in the amounts of £40, £60 and £2900 according to criteria relating to a data controller’s turnover and number of members of staff (or only members of staff, for a public authority). Specific provision is made for charities and small occupational pension schemes and the charge is reduced if a data controller pays the charge by direct debit.
Regulations 4 and 5 make special provision in two cases where there is more than one data controller in respect of personal data; regulation 4 provides for the requirements of regulation 2(2) to be satisfied by business partners in the name of the partnership and regulation 5 for the requirements to be satisfied by the governing body and head teacher of a school in the name of the school.
Regulation 6 makes provision in respect of the extent to which these Regulations apply to the Crown.