Skip to main content

Data Protection (Charges and Information) Regulations 2018

Volume 790: debated on Tuesday 20 March 2018

Considered in Grand Committee

Moved by

My Lords, the work of the Information Commissioner and her office is of fundamental importance and relevance in today’s society. Data is a pivotal element of the digital revolution, enabling a multitude of technological innovations that support growth and benefit our society. However, for these innovations to be successful, we—both government and the general public—must be confident that our data is not being misused. For this reason, we are modernising our data protection laws through the Data Protection Bill, and providing new and stronger powers for the Information Commissioner.

An effective data protection regulatory framework is critical to retaining the right balance between innovation and privacy. This is particularly the case now, when data is at the forefront of the political agenda, both domestically, with the Data Protection Bill currently in Parliament, and internationally. This was highlighted in the Prime Minister’s recent Mansion House speech, which featured the UK’s exceptionally high standards of data protection as one of the foundations underpinning our post-Brexit trading relationship with the EU. This changing data protection landscape has increased the responsibilities of the Information Commissioner and the challenges she faces, and with these increased responsibilities comes an increased cost.

It is crucial that we ensure that the Information Commissioner and her office are adequately funded to fulfil their responsibilities and that government meets its responsibility under the GDPR to ensure that the ICO is funded for the effective performance of its tasks. As with other similar organisations, such as the Care Quality Commission, Ofcom and the BBC, it is only right and appropriate that this funding comes from charges levied on relevant stakeholders—in this case, data controllers.

Currently, data controllers pay two tiers of charge: tier 1, for organisations with less than 250 staff or turnover under £25.9 million, is £35 per annum; and tier 2, for the remaining larger data controllers, is £500 per annum. These charges have not increased at all since their introduction in 2001 and 2009 respectively. The regulations will implement a new charge structure in order to fund the Information Commissioner’s data protection activities, and will come into force on 25 May 2018, which is when the new Data Protection Act and the GDPR standards are due to take effect.

The new structure is made up of three categories of charge: “micro-organisations”—including individuals—which will pay a charge of £40; “small and medium organisations”, which will pay £60; and “large organisations”, which will pay £2,900. The structure is designed to be closely aligned with the standard government categorisation of businesses. Furthermore, a £5 discount applies to all organisations where they pay by direct debit. This in effect means that micro-organisations which pay by direct debit will pay the same charge that they have since 2001 and that all micro, small and medium data controllers are paying less than the annual cost of a Netflix subscription towards maintaining the ICO as a world-class data protection regulator.

Similar to the current approach under the Data Protection Act 1998, public authorities will be categorised on the basis of number of members of staff only. In addition, charities and small occupational pension schemes will continue automatically to pay the lowest charge. The new funding model for the Information Commissioner has three main policy objectives. It will ensure an adequate and stable level of funding for the ICO, build regulatory risk into the charge level and raise awareness of data protection obligations in organisations, thereby increasing their compliance. Let me expand on what that means in practice.

First, in designing the new charge structure, the Government, in conjunction with the ICO, have given detailed consideration to the income requirements of the ICO now and in future. The new charge levels recognise the increased funding required by the ICO under the new data protection regime and spread the funding provision appropriately across each of the three tier groups. The charge levels have been increased from the current level of fees primarily to reflect the increased responsibilities of the ICO under the GDPR. For example, the GDPR will expand the Information Commissioner’s responsibilities in relation to mandatory breach notification and data protection impact assessments, as well as increasing the scope and scale of her existing activities. In 2016, the Department for Culture, Media and Sport estimated that the ICO’s income requirements for its data protection functions will increase from approximately £19 million in 2016-17 to approximately £33 million in 2020-21. A financial forecast for the first year of operation under the GDPR—that is, 2018-19—sets the income requirement for the ICO at approximately £30 million. It is imperative for the ongoing success of the UK’s data protection regulatory framework that the ICO has the income it needs to continue fulfilling its vital functions to such a high standard.

Secondly, large organisations, including public authorities, often hold the most complex and sensitive datasets, as such represent a higher level of information risk and will generally draw more heavily on the ICO’s resources than small organisations that process small amounts of personal data. The charge structure has been designed to ensure that overall income from each group of data controllers—micro, small and medium, and large—adequately reflects the proportionate information risk accruing to each group, as well as to recognise that it would not be appropriate for large businesses and public authorities to be effectively subsidised by small and micro-businesses, which make up the majority of the register of data controllers.

Thirdly, and finally, in making these regulations we are highlighting the importance of compliance with the UK’s data protection regulatory framework to data controllers, thereby increasing their awareness of the ICO as the regulator and their own obligations. The new regulations substantially replicate the current exemptions from paying notification fees, with some exceptions. The regulations will remove the current exemption for some data controllers who are only undertaking processing for the purposes of safeguarding national security, and introduce clarification to the wording of the existing personal and household purposes exemption to make clear that homeowners using CCTV for these purposes are no longer required to pay a charge under the new scheme. I appreciate that there is appetite from stakeholders to review these exemptions in general; the Government have committed to undertake a public consultation on the exemptions later this year. Your Lordships may be interested to hear that we are especially minded to consider an exemption for elected representatives and the House of Lords.

In conclusion, the work of the Information Commissioner and her office is fundamental to the success of our digital economy. It is vital that we secure adequate funding, for now and the future. The new funding regime set out in these regulations maintains the spirit of notification fees in charging only those people and organisations that handle personal data without the need for direct government funding, while providing the ICO with the level of income it requires to continue to deliver as a world-class data protection regulator. I beg to move.

I thank the Minister for her comprehensive introduction. We all accept the need for a well-resourced Information Commissioner’s Office. On Report, we welcomed what the noble Lord, Lord Ashton, who was the Minister at the time, had to say in response to an amendment from the noble Lord, Lord Puttnam, about the commitment to ensuring that the commissioner has adequate resources to fulfil her role as a world-class regulator and to take on the extra regulatory responsibilities set out in the Bill. There is no argument between us about the principles of funding the Information Commissioner’s Office. The pledges made by the noble Lord, Lord Ashton, were very welcome. We wish the Information Commissioner well with her extended role and her extended £33 million budget.

That does not come without a cost to data controllers. It is not simply a question of deciding the budget and then deciding what people pay, without considering affordability. Local authorities have put to me that they are very concerned at the lack of consultation offered to all affected parties, including the LGA, ahead of the new charging model. Apparently, approximately 40,000 data controllers were written to, inviting them to respond to the consultation: I understand that about 2,000 did so. However, not all affected parties were offered the opportunity to contribute. The consultation, and responses to it, are not publicly available, which differs from most government consultation. Will the Minister commit to publishing the outcome of the consultations?

Local authorities are concerned by what appears to be a rather arbitrary increase in the charges that they will have to pay to the ICO as data controllers. I also understand that it is proposed that elected representatives will be subject to a small increase in their charge. Under the new charging model, councils with 250 or more employees are defined as large data controllers and are subject to the highest fees under the SI. In practice, most councils that would have been paying £500 to register with the ICO will now have to pay £2,900. This is an increase of 480%; an inflationary increase would have seen the fees rise from £500 to £623.61. This comes at a time when local government is under significant financial pressure and local councils are receiving no additional government funding to help implement the GDPR.

It seems from the Explanatory Memorandum that the Government are considering an exemption for elected representatives, subject to a full review of exemptions in general. In the current process, there are exemptions from the requirement to register with the ICO. These include exemptions for those maintaining a public register, for staff administration purposes, for advertising and for accounting. I refer the Minister to paragraph 7.10 of the Explanatory Memorandum, where the Government state their intentions about the review.

On these Benches, we would definitely support an exemption for elected representatives. Councillors should not have to pay a charge to the Information Commissioner to correspond with their residents and should not incur a cost associated with their duties in representing their constituents. I am interested to hear what the Minister has to say about the review which is heralded in the Explanatory Memorandum.

My Lords, I agree with just about everything that the noble Lord, Lord Clement-Jones, said, particularly on the comments—they have been passed to me as well—from the Local Government Association, which seems to have been badly hit by the changes. He will remember, although I think this predates the Minister, that we went through some of the thinking behind the charges in what is now the Digital Economy Act. He will recall the debate and discussion at that time; it is good to see it coming through now in a form that we can look at.

I will not repeat some of the issues that have been raised because I come at this with a slightly different argument, although we arrive at roughly the same place. First, noble Lords could not have gone through the Data Protection Bill without recognising, as the Minister did, the huge amount of extra work and responsibility that will lie with the ICO after it went through. It is an astonishing step change. Yes, it is true that that is reflected in the additional resources, which will be calculated to flow from these changes and increases in the fee structure, but two questions arise. We are relying for the arithmetic on work that was done, as I understand it, by working through the new charge structure; the department has modelled the anticipated income generated to try to come up with something. Two things occur to me from that.

First, what happens if the calculations are wrong? As we speak, we are living through a situation in which a huge additional workload has suddenly landed on the ICO’s desk. Cambridge Analytica was not a household name before this week’s revelations but if the matter goes to court to get submissions, the ICO will have to prosecute and defend itself. I cannot quite see where that was built into things. I am not looking for a specific response but I want to sharpen the question. It is all very well being on a cost-recovery basis when the funds exceeds the expenses, but what happens when they do not? Who will carry the cost? Can the Minister comment on that? Secondly, would it be possible to get a bit more detail about how this plays out in real terms, given the reserves that are allowed to be carried forward and the implication for what work would have to be cut if it is not possible to carry forward deficits from year to year? We are talking about government accounting so, presumably, the NAO will be watching very carefully. I worry a bit about what will happen in the short term. I do not want a detailed response now but I would be happy to get a letter on that.

My second point is about the assertion made that somehow the structure we have here is a way of responding to what was described in paragraph 7.2 of the Explanatory Memorandum as building,

“regulatory risk into the charge level”.

I do not understand what risk is being assessed here. Again, this may need a more considered response. Is it the numbers? It is clear that there will be a lot more tier 1 organisations and therefore a lot of detailed administration and housekeeping, but does that equate to risk? I think not. I therefore wonder why the charge, relatively speaking, is being kept at roughly what it was before—it is still £40—and has been extended.

I do not think that the noble Lord, Lord Clement-Jones, made this point today but I am sure that he raised it in discussion in Committee and on Report. We are talking about a situation where it did not matter whether you registered with the system under the Data Protection Act 1998, despite the fact that the noble Lord did not get his amendment through on having a statutory register for these things. I am sorry about that. There will effectively be a register for all those who use data, which will be policed to some extent. Therefore, the chances are that anyone who was not paying before will certainly be caught now. There is a huge additional element here that has not been previously caught or considered. I am intrigued by that. Therefore, the comment made about not wanting micro-organisations to pay for their activities further up the scale struck me as a little odd. Perhaps we might come back to that.

Tier 2 includes the mid-range of the organisations. A lot of companies are in this area; in fact, the bulk of activity in the industry. Yes, they should pay for services received but I would hazard that they are extremely low-risk. I cannot believe that major breaches of personal data are happening in a large number of small and medium-sized enterprises. That bears comparison with the new third tier that has been introduced to look at large organisations; we are talking about Facebook and other organisations which I do not need to name. We are asking them only to pay a modest proportion more than small and medium-sized organisations. I do not know how that equates to risk. It seems that the evidence of this week is that 50 million Facebook accounts could have been picked up and used in some alleged way of trying to influence elections. We are talking about damage on a substantial scale, which is not the same, in any sense, as that which might occur to citizens—the local joiner, plumber or building firm mislaying their accounting records for a short period. However, I am prepared to listen to the arguments on that.

Add to that the fact that public authorities, which have not previously been involved to this extent, as mentioned by the noble Lord, Lord Clement-Jones, and, presumably, government are also paying. Where was the risk relationship in that? It seems that the public sensitivity on comes from the Government, government agencies or public authorities more generally having a place in people’s thinking that is disproportionate to the possibility of the damage that might be caused by a breach. In other words, there will in some senses be more concern about the loss of privacy in terms of health or other issues than there perhaps would be about the loss, as we have seen in some cases, of phone records and credit card details from a telephone company. Again, what is the risk profile here? Perhaps we need a bit more on this.

The proof of what I am saying was made pretty evident by the examples the Minister gave; even she must have had a slight smile on her lips when she was doing that. To compare this with the contribution that you pay for a Netflix subscription verges on the ridiculous. We are talking about very serious, damaging issues: cybercrimes are on the increase, people put themselves in danger by releasing data uncontrolled on to the internet—and children are affected. These are all things that were talked about in the debates on the Data Protection Bill. These come to force in the way in which the Government set up their charging system, and we have not got this right. I do not want to hold up this statutory instrument, even though I object to the fact that it is not coming out on a common commencement date. However, I understand the reason for that, because these things come into force on 25 May irrespective of what we do. However, I hope that the reviews of the statutory instrument will have a chance to look at some of these things in more detail than perhaps we were able to during the passage of the Digital Economy Act and the Data Protection Bill. Now that we see them, they do not measure up to the aspirations we had for them, and more thought should be given to them.

Finally, I acknowledge that I have benefited from the comment made by the Minister when she introduced the clarification to the wording of the existing exemption relating to processing for personal and household purposes to make clear that homeowners such as me, who use CCTV, are no longer required to pay a charge. I have been paying a charge since 2005 and I am delighted to see that I will be relieved from that going forward; had I not been here today, I would not have known that. I will also benefit from the fact that elected representatives, including Members of the House of Lords, may not have to register in future.

I thank the noble Lords, Lord Clement-Jones and Lord Stevenson, for their comments.

The noble Lord, Lord Clement-Jones, asked whether we will publish the results of the consultation. In response to interest from Peers and in the interests of transparency, they will be published shortly. Both noble Lords talked about the top tier. Indeed, as the noble Lord, Lord Stevenson, said, these regulations and the GDPR come into force on 25 May, so we are a bit short of time. The top tier has been raised significantly, and the amount has been set out to ensure appropriate funding for the ICO without leading to excessive surplus. However, I hear what the noble Lord, Lord Stevenson, said about large companies. It is important to remember that DCMS will review the income generated annually to ensure that it remains appropriate, so it can be checked.

The noble Lord, Lord Stevenson, also talked about large public authorities. It is important to remember that they hold a huge amount of sensitive data about members of the public; therefore they are subject to high levels of information risk. So we consider it appropriate that the regulation of these organisations is effectively subsidised; that means that they are paying a large sum, but the small and medium-sized businesses are not. It is important that they should not be unfairly charged. The new funding model is aimed at ensuring that the new charges are fair and reflect the risk of the organisations. The small and medium-sized businesses will not be paying any more than they have been, in real terms. It is the larger organisations that will be paying the most.

I may not have made the case clearly enough. We have not seen the figures but the last time we asked about this we were told that the proportion of very small registrants—micro-companies and individuals—is really small. As we learned when the Bill was in Committee, an awful lot of people and loads of small companies and organisations—including parish councils, of which much was made—will have to appoint data controllers to make sure that their systems are up and adequate. That is right, but the shock of having to pay on a regular basis will be substantial. I want to make it clear that going from 10% to 100% of people involved in this will be a major change in people’s thinking.

Those that registered did pay, but very small numbers do. That is the point. I bet that no parish council has ever registered: every one will have to register. That is a big change.

I take the noble Lord’s point. However, more often than not they will be able to use somebody who is already on the parish council to do the work. They will not have to pay somebody extra to do it. We feel that this is the fairest way of doing it. Those with the least money are paying the least and those with the most money are paying the most. I think I have answered all the questions.

I do not think the Minister has really answered the question about the lack of consultation with local authorities and why they are being particularly hit by this new set of charges.

As I said earlier, it is because we feel they have quite a lot of risk. They hold a huge amount of data, so it will be quite a lot of work for the commissioner. It is only fair that they should pay their way. Does that satisfy the noble Lord?

It is not so much whether they should be paying—we probably accept that they should, though how much is in question—it is the fact that they were not consulted. The consultation exercise did not reach that far and the Minister was going to try to give some information about why that could have been.

In 2015, the ICO used the BDRC, an independent market research company, to conduct initial research about its funding structure. The contractors of the survey were provided with a sample of 10% of the register of the Information Commissioner’s Office, including all top fee-payers and a random sample of lower ones. In 2017, data controllers who responded to this initial research formed the basis of the targeted consultation on the new charges last year. This comprised a representative sample of data controllers, including public authorities, small businesses and other large organisations.

I thank noble Lords for their contributions on this important matter. I believe that the funding regime proposed today represents the best way of ensuring that the ICO is appropriately resourced for its increased role, while still keeping regulatory costs and burdens low for small businesses. I assure the Committee that, while the exemptions from paying charges have not significantly changed at present, they will be comprehensively reviewed with a view to updating them later this year. I beg to move.

Motion agreed.

Committee adjourned at 7.24 pm.