To ask the Secretary of State for Digital, Culture, Media and Sport, what steps his Department plans to take to encourage the collection of funds for the benefit of the consolidated fund by the Information Commissioner's Office (ICO) from all data controllers (a) who should have paid and (b) should pay (i) data notifications and (ii) registration fees to the ICO.
To ask the Secretary of State for Digital, Culture, Media and Sport, what limits his Department has placed on the Information Commissioner's Office in respect of funds that it can use for its data protection activities; and what such excess funds have been remitted to the consolidated fund in each of the last 10 years.
To ask the Secretary of State for Digital, Culture, Media and Sport, (a) what process has been involved in setting funding limits on the Information Commissioner's Office (ICO) in respect of funds that it can use for its Data Protection activities in each of the last 10 years; and if he will place in the Library copies of all records relating to such processes including any notes of meetings and communications between the Government and the ICO.
To ask the Secretary of State for Digital, Culture, Media and Sport, what steps his Department has taken to ensure that the Information Commissioner's Office (ICO) has collected (a) all data notification fee income under the 1998 Data Protection Act and (b) registration fee income under the Data Protection Act 2018 from data controllers; and whether he has taken steps to ensure that such funds are allocated to the ICO rather than collected for the consolidated fund.
The Information Commissioner’s Office (ICO) is an independent regulator. Funding for data protection activities is provided by the data protection charges, which are levied on data controllers in accordance with the Data Protection (Charges and Information) Regulations 2018 (previously the Data Protection (Notification and Notification Fees) Regulations 2000). The collection of the data protection charge (and previously the notification fee) is the responsibility of the ICO. The Data Protection Act 2018 sets out powers for the ICO to enforce collection of these charges, including penalties up to a maximum of 150% of the highest charge payable by a controller in that year (Part 5 section 158). The ICO is at liberty to use all funding generated by these charges for data protection activity.
As a body funded by public money, the ICO is subject to standard Cabinet Office Spend Controls and HMT’s Managing Public Money principles. Full details on the controls pertaining to the ICO’s expenditure are available in the Management Agreement between the ICO and DCMS.
Under the terms of this Management Agreement, the ICO is able to retain such funds as are necessary to meet any liabilities at the end of the financial year (such as creditors), or unspent funds up to a maximum of 3% of total annual data protection charge income (whichever is the greater). Any additional surplus would be remitted to the Consolidated Fund at the end of the financial year. This is the only scenario in which income from data protection charges would be remitted to the Consolidated Fund. As such, the data protection charge (previously notification fee) is not collected for the benefit of the Consolidated Fund, but rather to ensure the ICO is able to fulfil its important regulatory functions.
Information on the amount of surplus remitted to the Consolidated Fund is not available for 2008/09 or 2009/10. For 2010/11 and 2011/12, this information is published on page 50 of the 2011/12 Annual Accounts. From 2012/13 onwards, this information is available in note 5b of the ICO’s Annual Accounts for each year. Copies of the Annual Accounts for each year are available on the ICO’s website www.ico.org.uk.