Under the UK’s Data Protection Act 1998 (DPA 1998), the Information Commissioner’s Office (the ICO) maintains a mandatory register of data controllers. Data controllers are organisations who determine the purposes for and manner in which personal data are processed. The register records the data controller’s name and the purpose(s) for the controller’s processing of the data. Data controllers must go through the registration process, known as “notification”, unless an exemption applies. Failure to notify is a criminal offence, subject to a defence of due diligence, and personal data must not otherwise be processed. The notification must be renewed annually – the ICO usually emails registered organisations 6 weeks before their registration expires. A notification fee must also be paid (which depends on the size and turnover of the organisation), the proceeds of which go towards funding the work of the ICO. Currently, according to the ICO, there are more than 370,000 registered data controllers.
The ICO has been active in bringing prosecutions for both non-registration and failing to maintain a registration, significantly so last year for the former. We therefore thought it would be interesting to know how many registrations have not been renewed in the past few years. We therefore made a request under the UK’s Freedom of Information Act 2000 to the ICO asking about the number of registrations made under the DPA 1998 which had not been renewed each year between the period of January 2010 and the end of February 2015.
In response, the ICO provided monthly figures for registrations that were not renewed from May 2011 (it was not clear why figures for the earlier requested period were not supplied) to the end of February 2015, which revealed the following. The grand total for that period (almost 4 years) came to 61,232. The 2011 total of 8,167 was the lowest for the period in question. The 2013 total of 19,135 made it the worst year, but the 2015 figures for January of 2,388 and February of 2,997 are the highest for any start of a year and if that trend continues the figures for 2015 will easily surpass those of 2013. As the ICO itself pointed out in its response, registrations can still be renewed after expiry. Nevertheless, the overall trend of failing to renew is clearly upwards.
It should be noted that under the proposed EU Regulation there will no longer be a registration requirement. But, data controllers will have the obligation to implement appropriate measures to be able to demonstrate that the processing of data is in compliance with the proposed Regulation. We have written about this and the proposed Regulation previously and you can see the most recent FAQs alert here.
Cordery can register your Company with the ICO and, if you already have a registration, we can review it with you and consider if it should be renewed. For further information about our service please click here.
For more information contact André Bywater who is a lawyer with Cordery in London where their focus is on compliance issues.
Andre Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com