Data Protection (Notification and Notification Fees) Regulations 2009


Since 2000, the ICO has required data controllers to pay a flat fee of £35 to notify and annually renew such notifications for data protection purposes. As of October 2009, data controllers may have to pay increased data protection notification and renewal fees.  The Data Protection (Notification and Notification Fees) Regulations 2009 (the “Regulations”) were laid before Parliament on 6 July 2009. Regulations 3 and 4, which relate expressly to the increase in notification fees, come into force on 1 October 2009.

The new fee structure

The Regulations introduce a new, two-tiered fee structure. The fees payable will depend on the make up of the data controller, as outlined in the diagram below:

The renewal fees due to the ICO also follow this process. The MoJ rationale behind this fee structure is that it is intended to reflect the additional resources used by the ICO to regulate larger data controllers. According to Regulation information documents, it is anticipated that 4% of data controllers will have to pay the increased Tier 2 fee, which will boost the ICO purse by £4.7m.

Data controllers will have to self-assess whether they fall under Tier 1 or Tier 2. Turnover and staff numbers are to be determined in the same way as under current legislation (e.g. for turnover, see s.474 of the Companies Act 2006). Since failure to notify and providing false information (here, in order to fall within Tier 1, rather than Tier 2) are criminal offences, Tier 2 data controllers will not be able to avoid paying the increased fee.

Direct debits

Under the current regime, data controllers may have set up direct debits to pay the annual fee of £35. As of 1 October 2009, when the new fees are rolled out, it is unclear how the ICO will deal with direct debits set up by the c.4% of Tier 2 data controllers. According to BACS Payment Schemes Ltd. (which processes direct debit payments), the ICO may change the amount to be paid under a direct debit, but must give the data controller written notice of the change it proposes to make to the direct debit. Notice should be given at least 10 working days in advance of the data controller’s account being debited.

Alternatively, the ICO could cancel the direct debits that are set up with the Tier 1 fee, where a Tier 2 fee is due. It is permissible for the ICO to cancel a direct debit. If it does so, the ICO is not legally obliged to inform the data controller that its direct debit has been cancelled, but should do so out of courtesy.

Either method of dealing with out-dated direct debits will increase the initial administrative burden on the ICO, which may be covered by the expected £250,000 project management costs to be incurred by the ICO in setting up the new structure.


According to the explanatory memorandum to accompany the Regulations, the ICO will be publishing guidance to inform data controllers about the new fee structure in the three months prior to the introduction of the new fees (October 2009). This information is not available to date.