Question to the Ministry of Justice:

To ask Her Majesty’s Government what steps, including review, audit or other assessment, have been taken by (1) the Ministry of Justice, (2) the Information Commissioner's Office, and (3) any external auditors and advisers, to ensure that every data controller that processes personal information has (a) registered with the Information Commissioner, if required to, (b) paid the correct registration fee in accordance with the tiered structure, and (c) not processed any personal data if it has not registered.

The Data Protection Act 1998 requires every data controller who is processing personal information to register with the Information Commissioner’s Office (ICO) unless they are exempt. The ICO’s website sets out the criteria for notification and provides guidance on the level of fee organisations should be paying. The ICO have also made it easier for organisations to notify and pay the fee by introducing online payments.

At the end of 2014/15 there were 409,000 data controllers registered with the ICO which generated a total income of £17,519,000.

It is for data controllers to seek registration; the ICO periodically reminds organisations of the requirement to notify.