Data fee reminder letter from the ICO: do freelancers need to pay?
Freelancer’s Question: I have received a letter from the Information Commissioner’s Office entitled ‘Data Fee Reminder.’
Firstly, I do not believe that I received an initial letter.
Secondly, I do not believe that I am required to pay a data fee, given I’m just a PR freelancer. What should I do? The letter appears to imply I need to take action or they will write again. Please help.
Expert’s Answer: Whether they wrote to you initially or not, you have now been contacted by the Information Commissioner’s Office (ICO), to pay a data protection fee.
It is clear from your question that you consider that this indication that you a pay a fee is incorrect, and it does not apply to your self-employed business. So it begs the following question:
Are freelancers required to pay the ICO data protection fee?
The answer is – 'Potentially, yes!'
In fact, in general, all organisations (including small businesses and freelancers) in the UK which process personal data as a ‘controller’ must pay the data protection fee to the ICO.
Seven exemptions to check
However, you will be exempt from paying the data protection fee if you are only processing personal data for one of the below reasons:
- Staff administration
- Advertising, Marketing and Public Relations (PR)
- Accounts and records
- Non-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Processing personal information without an automated system such as a computer.
Running the ICO's tool...
To be on the safe side, it is best to use the ICO’s self-assessment tool on their website.
This tool, which the ICO letter you have received likely directs you to use, can be helpful in determining whether you need to pay the fee.
Not only does the tool allow you to establish whether you need to pay the fee but, if you do, it will also inform you what ‘tier’ your organisation fits into, and the amount of the data protection fee that you will be required to pay.
If I do have to pay the ICO data protection fee, how much is it?
This will vary depending on the size of your business, your turnover, and the type of organisation you are.
The fee varies from £40 to £2,900 and depends on which tier your organisation fits into.
There are three types of organisations that the ICO has categorised into 3 tiers.
Know your tier
1. Tier 1 – micro-organisations: £40 fee.
This applies if your business has a maximum turnover of £632,000 (per financial year) and a maximum of 10 members of staff (including yourself).
2. Tier 2 – small and medium organisations: £60 fee.
This applies if you have a maximum turnover of £36 million (per financial year) and a maximum of 250 members of staff.
3. Tier 3 – large organisations: £2,900 fee.
This final tier applies to all organisations which do not fit the guidelines of tier 1 or tier 2; this includes ‘all controllers’ (unless proved otherwise).
As you are self-employed, you might not be affected by the staff criteria, but be aware that when assessing your tier, all staff members count – including those who are part-time and working overseas.
If I have to pay a data fee to the ICO, how do I pay?
- If you are paying the ICO for the first time:
You can submit your information here.
You will need to give details of your organisation including turnover and number of staff.
The ICO will then determine the tier of your organisation and charge you the fee accordingly.
- If you are already registered:
The ICO will decide what tier your organisation is classed in based on the information you have previously provided. But if you think there is an error – do contact the ICO (via phone or email) . The ICO’s contact details are on their website.
Please note, if you were previously registered under Data Protection Act 1998, you will only need to pay the new data protection fee when your registration expires. You will be notified of this by the ICO (which is possibly the cause of why the ICO has written to you).
And crucially, be aware -- if your registration expires, you will automatically be required to pay the hefty tier 3 fee! To avoid this happening, notify the ICO as soon as possible in order to establish what tier your organisation is classed in.
Are there any consequences if I don’t pay the data protection fee when I am supposed to?
Yes. The maximum penalty for failure to pay the ICO data protection fee when you are supposed to is a fine of £4,350 (which equates to 150% of the top tier fee). You will be subject to this penalty if you have not paid a fee or have paid the incorrect fee.
The expert was Gabrielle O’Sullivan, legal counsel at law firm Gerrish Legal.