Elected Representatives

March 12th, 2019 by James Goudie KC

Currently all controllers for the purposes of the Data Protection Act 2018 (“DPA 2018”) are required to provide certain information to the Information Commissioner’s Office (“the ICO”) and pay a charge, unless a relevant exemption applies. There are a number of exemptions from paying the charges for certain types of data controller and processing. The exemptions are intended to form part of a fair and flexible framework of paying charges to the ICO, and provide for scenarios where payment of a charge would not be appropriate, for example because payment of the charge would give rise to significant negative impact.

Article 4 of the General Data Protection Regulation (“the GDPR”) defines a controller as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …”. In accordance with this definition, elected representatives, candidates (prospective or nominated) and members of the House of Lords are classed as data controllers where they are responsible for personal data of their constituents and members of the public. For instance, a Member of Parliament (MP) or local councillor will always be the data controller for their office as they correspond with their constituents and make decisions as to how constituents’ cases are dealt with and therefore how their personal data is processed. Employees of the elected representative can process personal data on the data controller’s behalf and are expected to comply with the DPA 2018, but will be acting on the elected representative’s instructions, and therefore the overall responsibility for the processing remains with that individual.

Elected representatives currently incur the £40 charge (£35 if paying by direct debit). There is no current exemption that specifically covers elected representatives, candidates (prospective or nominated) or members of the House of Lords.

A public consultation, “Review of exemptions from paying charges to the Information Commissioner’s Office”, was published on 20 June 2018 and closed on 1 August 2018.

The consultation included a question on whether a new exemption should be introduced for elected representatives, as defined in paragraph 23(3) of Schedule 1 to the DPA 2018, as well as candidates (including prospective candidates) for election and members of the House of Lords. The consultation set out the Government’s views that activity deriving from elected representatives’ public office and public function should not be liable to a charge, and that charges of this nature potentially represented a perceived or actual barrier to democratic engagement.

The Data Protection (Charges and Information) (Amendment) Regulations 2018 (“the Funding Regulations”) set out a requirement for data controllers (individuals and organisations that handle people’s personal data) to provide information and pay a charge to the ICO. The Data Protection (Charges and Information) (Amendment) Regulations 2019, SI 2019/478 amend the Funding Regulations by introducing a new exemption for the processing of personal data by: (i) members of the House of Lords; (ii) elected representatives, as defined in paragraph 23(3) of Schedule 1 to the DPA 2018 in connection with the discharge of their respective functions; and (iii) relevant processing undertaken by candidates (prospective and validly nominated) seeking to become elected representatives. The powers under which this instrument is made cover the entire United Kingdom (see section 137 of the DPA 2018) and the territorial application of this instrument is not limited either by the Act or by the instrument.

Elected representatives often process very sensitive personal data when handling casework. There is a need to ensure that elected representatives handle that data appropriately and in accordance with the expectations of those whom they serve. As with other existing exemptions, the new exemption does not absolve those eligible for the exemption of their data protection responsibilities. Those who are data controllers for their constituents’ casework will remain controllers. They will be subject to the same penalties and enforcement powers of the ICO as other controllers in the event of a breach of the legislation.

The ICO will provide guidance on the new exemption in its e-newsletter.
