Care homes take heed: if you have failed to pay the ICO data protection fee you could be breaking the law

The Information Commissioner’s Office (ICO) has commenced formal enforcement action against care homes that have failed to pay the data protection fee.

What is the data protection fee?                                                                      

On 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 came into force, which changed the way the ICO fund their data protection work.  Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee unless they are exempt. This replaces the former requirement for data controllers to register with the ICO. The data protection fee helps fund the ICO’s work in upholding information rights such as investigations into data breaches, complaints and the publication of guidance and resources for organisations to better understand their data protection obligations.

The ICO has published guidance explains that an organisation is exempt from paying the fee if it is only processing personal data for one (or more) of the following purposes: staff administration, advertising, accounts/records, not-for-profit purposes, personal, family/household affairs, maintaining a public register, judicial functions or processing personal information without an automated system.

As the ICO has made clear, the care home sector process particularly sensitive personal information for health administration and patient care purposes and will not be exempt from the 2018 Regulations.

What action should be taken upon receipt of a notice?

Organisations have 21 days to respond to a notice regarding non-payment of the fee. If paid, the action will cease. Those that ignore the notice or fail to pay within timescales may be fined for breach of the 2018 Regulations.

 The fine payable is set by the 2018 Regulations, which is fixed with reference to the fee payable. Under the funding model, organisations are set into 3 tiers as follows:

1. Micro organisations:  a maximum turnover of £632,000 for the financial year or no more than ten members of staff. The fee for tier 1 is £40 and the fine  for non-payment is £400.
2. Small and medium sized enterprises:  a maximum turnover of £36 million for the financial year or no more than 250 members of staff. The fee for tier 2 is £60 and the fine for non-payment is £600.
3. Large organisations: any organisations that do not meet the criteria of tiers 1 or 2. The fee for tier 3 is £2900 and the fine for non-payment is £4000. However, in the event of aggravating factors this can be increased to a maximum of £4350.

Paul Arnold, Deputy Chief Executive Officer at the ICO has commented:

We expect the notices we have issued to serve as a final demand to these businesses and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.

All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining formal action.’  

Commentary

Given that the ICO has shown it is more than willing to flex its enforcement muscles, the care sector ought to take particular care to ensure compliance. A financial penalty of anything between £400 and 4000 can have a significant impact on any business - alongside the reputational damage that comes with it.

We have expertise in acting for care homes in relation to matters involving the Care Quality Commission (CQC), as well as investigations and enforcement action by the ICO. If your organisation has any questions about the issues raised in this blog, please contact a member of our team in confidence.