Question to the Department for Digital, Culture, Media & Sport:
To ask the Secretary of State for Culture, Media and Sport, what recent representations (a) his Department and (b) the Information Commissioner's Office have received on the failure of organisations to register as data controllers with the Information Commissioner's Office under the terms of the Data Protection Act 1998; and what steps (i) his Department and (ii) the Information Commissioner's Office have taken to ensure that organisations (A) are compliant with such terms of the Data Protection Act 1998 and (B) pay their notification fees.
The Data Protection Act 1998 requires every data controller who is processing personal information to register with the Information Commissioner’s Office (ICO) unless they are exempt. The ICO’s website sets out the criteria for notification and provides guidance on the level of fee organisations should be paying. The ICO have also made it easier for organisations to notify and pay the fee by introducing online payments.
At the end of 2015/2016 there were 441,000 data controllers registered with the ICO, which generated a total income of £18.3 million. Due to the very broad range of exemptions from the need to notify, and because these exemptions do not need to be actively claimed, there is no recognised figure for the number of notifiable data controllers in the UK. It is for data controllers to seek registration; the ICO periodically reminds organisations of the requirement to notify.