Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Digital, Culture, Media and Sport, (a) what process has been involved in setting funding limits on the Information Commissioner's Office (ICO) in respect of funds that it can use for its Data Protection activities in each of the last 10 years; and if he will place in the Library copies of all records relating to such processes including any notes of meetings and communications between the Government and the ICO.

The Information Commissioner’s Office (ICO) is an independent regulator. Funding for data protection activities is provided by the data protection charges, which are levied on data controllers in accordance with the Data Protection (Charges and Information) Regulations 2018 (previously the Data Protection (Notification and Notification Fees) Regulations 2000). The collection of the data protection charge (and previously the notification fee) is the responsibility of the ICO. The Data Protection Act 2018 sets out powers for the ICO to enforce collection of these charges, including penalties up to a maximum of 150% of the highest charge payable by a controller in that year (Part 5 section 158). The ICO is at liberty to use all funding generated by these charges for data protection activity.

As a body funded by public money, the ICO is subject to standard Cabinet Office Spend Controls and HMT’s Managing Public Money principles. Full details on the controls pertaining to the ICO’s expenditure are available in the Management Agreement between the ICO and DCMS.

Under the terms of this Management Agreement, the ICO is able to retain such funds as are necessary to meet any liabilities at the end of the financial year (such as creditors), or unspent funds up to a maximum of 3% of total annual data protection charge income (whichever is the greater). Any additional surplus would be remitted to the Consolidated Fund at the end of the financial year. This is the only scenario in which income from data protection charges would be remitted to the Consolidated Fund. As such, the data protection charge (previously notification fee) is not collected for the benefit of the Consolidated Fund, but rather to ensure the ICO is able to fulfil its important regulatory functions.

Information on the amount of surplus remitted to the Consolidated Fund is not available for 2008/09 or 2009/10. For 2010/11 and 2011/12, this information is published on page 50 of the 2011/12 Annual Accounts. From 2012/13 onwards, this information is available in note 5b of the ICO’s Annual Accounts for each year. Copies of the Annual Accounts for each year are available on the ICO’s website www.ico.org.uk.