NHS bodies could be faced with fines for non-compliance with the General Data Protection Regulation (GDPR), the UK data regulator has warned.
The Information Commissioner’s Office (ICO) said last week that a number of private and public sector organisations, including the NHS, could receive fines of up to £4,350, should they fail to pay their GDPR fees within 21 days of notice.
Last month, a professional panel heard that the NHS was still behind on GDPR, as some organisations have not yet updated their contracts with service providers to be compliant with the regulation.
Failure to pay fee
The ICO reported that it has begun taking formal action against 34 organisations by sending them notices stating that it intends to fine them unless they make the payment.
An ICO spokesperson told Healthcare Leader they were not able to provide details of the NHS bodies involved. The ICO said: ‘Organisations have 21 days to respond to the notices. If they pay, action will stop.
‘Those that ignore the notices or refuse to pay may face a fine ranging from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350.’
Under GDPR, most organisations that handle personal data have to pay a fee, which funds the ICO’s work. The fee is based on their size, turnover and status.
Fees are divided as follows:
- Tier 1 includes micro organisations that have a maximum turnover of £632,000 or no more than 10 staff members. The fee is £40, with a £5 discount if payment is made by direct debit.
- Tier 2 is for small and medium-sized enterprises with a maximum turnover of £36m or no more than 250 staff members. The fee is £60.
- Tier 3 refers to large organisations outside Tiers 1 and 2. The fee is £2,900.
ICO chief executive officer Paul Arnold said: ‘We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.
‘All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.’