My Lords, the work of the Information Commissioner and her office is of fundamental importance and relevance in today’s society. Data is a pivotal element of the digital revolution, enabling a multitude of technological innovations that support growth and benefit our society. However, for these innovations to be successful, we—both government and the general public—must be confident that our
data is not being misused. For this reason, we are modernising our data protection laws through the Data Protection Bill, and providing new and stronger powers for the Information Commissioner.
An effective data protection regulatory framework is critical to retaining the right balance between innovation and privacy. This is particularly the case now, when data is at the forefront of the political agenda, both domestically, with the Data Protection Bill currently in Parliament, and internationally. This was highlighted in the Prime Minister’s recent Mansion House speech, which featured the UK’s exceptionally high standards of data protection as one of the foundations underpinning our post-Brexit trading relationship with the EU. This changing data protection landscape has increased the responsibilities of the Information Commissioner and the challenges she faces, and with these increased responsibilities comes an increased cost.
It is crucial that we ensure that the Information Commissioner and her office are adequately funded to fulfil their responsibilities and that government meets its responsibility under the GDPR to ensure that the ICO is funded for the effective performance of its tasks. As with other similar organisations, such as the Care Quality Commission, Ofcom and the BBC, it is only right and appropriate that this funding comes from charges levied on relevant stakeholders—in this case, data controllers.
Currently, data controllers pay two tiers of charge: tier 1, for organisations with less than 250 staff or turnover under £25.9 million, is £35 per annum; and tier 2, for the remaining larger data controllers, is £500 per annum. These charges have not increased at all since their introduction in 2001 and 2009 respectively. The regulations will implement a new charge structure in order to fund the Information Commissioner’s data protection activities, and will come into force on 25 May 2018, which is when the new Data Protection Act and the GDPR standards are due to take effect.
The new structure is made up of three categories of charge: “micro-organisations”—including individuals—which will pay a charge of £40; “small and medium organisations”, which will pay £60; and “large organisations”, which will pay £2,900. The structure is designed to be closely aligned with the standard government categorisation of businesses. Furthermore, a £5 discount applies to all organisations where they pay by direct debit. This in effect means that micro-organisations which pay by direct debit will pay the same charge that they have since 2001 and that all micro, small and medium data controllers are paying less than the annual cost of a Netflix subscription towards maintaining the ICO as a world-class data protection regulator.
Similar to the current approach under the Data Protection Act 1998, public authorities will be categorised on the basis of number of members of staff only. In addition, charities and small occupational pension schemes will continue automatically to pay the lowest charge. The new funding model for the Information Commissioner has three main policy objectives. It will ensure an adequate and stable level of funding for the ICO, build regulatory risk into the charge level and
raise awareness of data protection obligations in organisations, thereby increasing their compliance. Let me expand on what that means in practice.
First, in designing the new charge structure, the Government, in conjunction with the ICO, have given detailed consideration to the income requirements of the ICO now and in future. The new charge levels recognise the increased funding required by the ICO under the new data protection regime and spread the funding provision appropriately across each of the three tier groups. The charge levels have been increased from the current level of fees primarily to reflect the increased responsibilities of the ICO under the GDPR. For example, the GDPR will expand the Information Commissioner’s responsibilities in relation to mandatory breach notification and data protection impact assessments, as well as increasing the scope and scale of her existing activities. In 2016, the Department for Culture, Media and Sport estimated that the ICO’s income requirements for its data protection functions will increase from approximately £19 million in 2016-17 to approximately £33 million in 2020-21. A financial forecast for the first year of operation under the GDPR—that is, 2018-19—sets the income requirement for the ICO at approximately £30 million. It is imperative for the ongoing success of the UK’s data protection regulatory framework that the ICO has the income it needs to continue fulfilling its vital functions to such a high standard.
Secondly, large organisations, including public authorities, often hold the most complex and sensitive datasets, as such represent a higher level of information risk and will generally draw more heavily on the ICO’s resources than small organisations that process small amounts of personal data. The charge structure has been designed to ensure that overall income from each group of data controllers—micro, small and medium, and large—adequately reflects the proportionate information risk accruing to each group, as well as to recognise that it would not be appropriate for large businesses and public authorities to be effectively subsidised by small and micro-businesses, which make up the majority of the register of data controllers.
Thirdly, and finally, in making these regulations we are highlighting the importance of compliance with the UK’s data protection regulatory framework to data controllers, thereby increasing their awareness of the ICO as the regulator and their own obligations. The new regulations substantially replicate the current exemptions from paying notification fees, with some exceptions. The regulations will remove the current exemption for some data controllers who are only undertaking processing for the purposes of safeguarding national security, and introduce clarification to the wording of the existing personal and household purposes exemption to make clear that homeowners using CCTV for these purposes are no longer required to pay a charge under the new scheme. I appreciate that there is appetite from stakeholders to review these exemptions in general; the Government have committed to undertake a public consultation on the exemptions later this year. Your Lordships may be interested to hear that we are especially minded to consider an exemption for elected representatives and the House of Lords.
In conclusion, the work of the Information Commissioner and her office is fundamental to the success of our digital economy. It is vital that we secure adequate funding, for now and the future. The new funding regime set out in these regulations maintains the spirit of notification fees in charging only those people and organisations that handle personal data without the need for direct government funding, while providing the ICO with the level of income it requires to continue to deliver as a world-class data protection regulator. I beg to move.