Question to the Ministry of Justice:

To ask the Secretary of State for Justice, what assessment he has made of the extent of revenue that has been lost to the public purse in each of the last seven financial years as a result of data controllers who are required to notify or register under the Data Protection Act and pay a fee not doing so; and what steps he is taking to (a) recoup the losses to the public purse that have occurred and (b) prevent such further losses.

The Data Protection Act 1998 (DPA) requires every data controller who is processing personal information to register with the Information Commissioner’s Office (ICO) unless they are exempt. Failure to do so is a criminal offence.

The ICO has the ability to prosecute data controllers who process personal data having failed to notify in accordance with the DPA. A successful prosecution could result in a fine being imposed. The length of time that a data controller has failed to notify, and any financial benefit they have received from not paying the notification fees, is a factor that is taken into account by the Court when sentencing and setting the appropriate level of fine. There are no provisions in the Proceeds of Crime Act that would require someone to report to a court or anyone else that any profit has been made from the offence of processing personal data without being registered. If someone suspects that money laundering has occurred then the reporting obligations set out in the Money Laundering Regulations 2007 will, for example, apply.

It is for data controllers to seek registration; the ICO periodically reminds organisations of the requirement to notify. Fee income has been increasing year on year with increasing numbers of notifications.

The Ministry of Justice and the ICO are looking at the current funding model as part of negotiations on the proposed EU Data Protection Regulation.