I suspect many businesses and probably most members of the general public are unawarethat the fees for notification under the Data Protection Act 1998 were changed witheffect from 1st October 2009. The change was made through The Data Protection (Notificationand Notification Fees) (Amendment) Regulations 2009 Statutory Instrument 2009/1677laid before Parliament by Michael Willis, Minister of State in the Ministry of Justice,on 6th July 2009.

The annual notification fee has been £35 for all data controllers, regardlessof their size, since 2000. However, from 1st October 2009, two-tiers of fees havebeen in force. Essentially, small and medium sized-organisations with fewer than 250 employees or lessthan £25.9M turnover continue to pay £35 annually and are now definedas “Tier 1” organisations. All other bodies (including any public authoritiesdefined in the 1998 act) will now fall into “Tier 2” and must pay £500annually. I think the general public have come to realise over the last couple of yearsjust how important their data is and how easily it can be lost by cavalier organisations(including government departments!) I welcome the change in the fee structure provided the extra funds takenare used to increase the Information Commissioner’s capability to ensure allof our private data is kept more securely by those with whom it is entrusted and thatthose who flagrantly breach the rules are brought to task. Many businesses see the current fee as a stealth tax and I suspect a goodnumber of the general public too. However, I hope with the increased funding thatthe Information Commissioner will be seen to be doing more to actively protect thepublic from cavalier data controllers by everybody. These fee increases have been introduced ahead of new powers that will come intoeffect in April 2010 that will allow the InformationCommissioner to fine people and organisations that recklessly breach any of theeight principles that underpin the act. These new powers were introduced as part of the Criminal Justice and ImmigrationAct 2008, but will only come into force in April 2010. The InformationCommissioner will only be able to fine data controllers when one or more of the eightprinciples have been seriously breached in cases where the breach was deliberate,or where the controller knew (or ought to have known) that the risk of such a breachwas likely to cause substantial damage or distress; and the controller failed to takeaction to stop it. Hopefully, these new teeth will work in tandem with the new funding to ensureall of our personal data is kept much more safely.