This site is intended for health professionals only

NHS organisations could face GDPR fines, data regulator warns


By Léa Legraien
Reporter
3 October 2018

Share this story:

NHS bodies could be faced with fines for non-compliance with the General Data Protection Regulation (GDPR), the UK data regulator has warned.

The Information Commissioner’s Office (ICO) said last week that a number of private and public sector organisations, including the NHS, could receive fines of up to £4,350, should they fail to pay their GDPR fees within 21 days of notice.

Last month, a professional panel heard that the NHS was still behind on GDPR, as some organisations have not yet updated their contracts with service providers to be compliant with the regulation.

Failure to pay fee 

The ICO reported that it has begun taking formal action against 34 organisations by sending them notices, informing them of their ‘intend to fine’ them unless they proceed with the payment.

An ICO spokesperson told Healthcare Leader they were not able to provide details of the NHS bodies involved. The ICO said: ‘Organisations have 21 days to respond to the notices. If they pay, action will stop.

‘Those that ignore the notices or refuse to pay may face a fine ranging from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350.’

Under GDPR, most organisations that handle personal data have to pay a fee, which funds the ICO’s work. The fee is based on their size, turnover and status.

Fees are divided as follows:

  • Tier 1 includes micro organisations that have a maximum turnover of £632,000 or no more than 10 staff members. The fee is £40, with a £5 discount if payment is made by direct debit.
  • Tier 2 is for small and medium-sized enterprises with a maximum turnover of £36m or no more than 250 staff members. The fee is £60.
  • Tier 3 refers to large organisations outside Tiers 1 and 2. The fee is: £2,900.

‘Final demand’

ICO chief executive officer Paul Arnold said: ‘We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.

‘All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.’

Want news like this straight to your inbox?

Related news


Any Covid inquiry should consider primary care support to care homes, says think tank
Any inquiry into the Government’s response to Covid-19 should consider how primary care supported social...
NHS leaders urge Instagram to clamp down on unlicensed weight-gain drug
NHS England has written to Instagram asking for an ‘urgent update’ on action it is...