ICO demand – is it a scam?

by Readers Question

9:52 AM, 10th December 2019
About A year ago

Our Ltd company has just received a demand from ICO (Information Commissioner’s Office) claiming that we are not registered with them. That is true… I have never heard of or from them before.

They say our customers, clients and tenants expect us to take our data protection obligations seriously like the many real estate companies that have paid their fee on time. If we have not paid a data protection fee to ICO we could be liable to pay fines of up to £4000.

In former times we did take personal details from our, mainly student, tenants… names, addresses, telephone numbers, college details etc. Nowadays however we use agents and although, if we wanted, we could have copies of all tenancy agreements we normally leave all that with the agents.

As we do not hold these details I think the rules (if there are such rules) do not apply to us directly, but might apply to our agents. But something about this demand smells of a scam.

How come we have never heard of this before? Has anybody else received a similar demand?

Nick

Editor's Note:

ICO blog, 03/12/2019:

We have launched a campaign to contact all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee. The move marks the start of an extensive programme to make sure the Data Protection Fee is paid by all those who need to pay it.

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt. You can quickly and easily find out if your organisation needs to pay the fee by using our self-assessment checker, but if you hold personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it is likely an annual fee payment is due.

You can avoid us needing to contact you by either:

  1. Visiting our website to pay your organisation’s Data Protection Fee online
  2. Completing this form to tell us why your organisation is exempt from paying the fee.

Since the new annual data protection fee was introduced in May 2018, over 600,000 organisations have registered to pay it. They have gone on to access the range of services and support we provide to help them to comply with the law and give their customers, clients and suppliers trust and confidence in the way they process personal information. At the same time, between 1 July and 30 September 2019, we issued 340 monetary penalties to organisations that have not paid the Data Protection Fee.

As well as naming most organisations we need to fine, we also publish the names of all fee-paying organisations. This helps them make it clear to their customers, clients and suppliers that they are aware of their legal obligations when processing personal information.

We know data protection legislation can be complicated and we are here to help. The reminders we are sending to organisations are to help make it easy to comply with the law as well as access a great deal of advice and support available from the ICO. This includes:

  • a Helpline and Live Chat service dedicated to supporting small businesses and organisations;
  • a series of self-assessment tools and products on our website;
  • advisory visits and support designed to help small businesses and organisations to comply with the law.

The cost of the data protection fee depends on a company’s size and turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations it will be £40 or £60. The cost is reduced by £5 if you sign up by direct debit and you can find out how much you need to pay by taking a self-assessment.

For further help and advice, call the ICO’s small business helpline on 0303 123 1113 between 9am – 5pm, Monday to Friday (excluding Bank Holidays).

Comments

Prakash Tanna

13:05 PM, 11th December 2019
About A year ago

Reply to the comment left by Luke P at 11/12/2019 - 12:57
crazy !!! ;(

Beaver

13:07 PM, 11th December 2019
About A year ago

Reply to the comment left by Luke P at 11/12/2019 - 12:57
I think you may have misunderstood the details of what the ICO requires and why.

Jack Craven

13:13 PM, 11th December 2019
About A year ago

What about us sending tenants' details to deposit protection companies, does that put us in breach of the law?

Luke P

13:16 PM, 11th December 2019
About A year ago

Reply to the comment left by JJ at 11/12/2019 - 13:07
I was responding to the waste carriers licence comment. Howsoever, I don't know why the ICO needs the information, no. If a company/person breaks the law then they can be dealt with. A licence won't change anything.

Luke P

13:21 PM, 11th December 2019
About A year ago

Reply to the comment left by Jack Craven at 11/12/2019 - 13:13
Once again, and taken from the ICO's website, any ‘processing’ of data (obtaining, recording, storing, updating or sharing) using a computer or system that can process the information automatically (including the use of CCTV for the purpose of crime prevention), by any business, requires a licence be obtained.

I would suggest your example does indeed require a licence.

Almost every business does in fact require one unless you, somehow, manage exclusively on paper. And probably why they're getting annoyed that only 600,000 have registered.

Beaver

14:08 PM, 11th December 2019
About A year ago

Data protection is a bit complicated. Previously before the GDPR we had the Data Protection Act which required every data controller who is processing personal information to register with the ICO, unless they are exempt.
If you had a database of personal information - e.g. on Microsoft Outlook or your mobile phone - then that would classify as a database of personal information and you would have obligations in respect of that. But nobody ever interpreted the legislation to mean that if you have personal information on a computer or iPhone then you have to register with the ICO regardless of what you are doing with it. It would be nonsense.
It comes down to what you are doing with the data. Take a look at the two links and note the phrase, "...unless you are exempt". Depending upon how you are operating and what you are doing with the data you may be exempt.
https://www.gov.uk/data-protection-register-notify-ico-personal-data
https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

David Price

15:10 PM, 11th December 2019
About A year ago

Just received a threatening letter, one of those antiquated things which come through a draughty hole in your front door, from the ICO for one of my companies, a company which does absolutely no data processing whatsoever save for the annual accounts. Just as with the TV licence I am supposed to prove my innocence, something I am not going to do, let them investigate.
Registration is a stealth tax on companies, a cash cow for the ICO and a bonanza for HMRC.

Graham Bowcock

19:16 PM, 11th December 2019
About A year ago

I too have been getting these ICO letters, but perhaps with some expectation.

I was consulting for a letting agency last year and we wrote to all their landlords last year informing that they needed to be registered. We also amended tenancy agreements so as to include a privacy notice on behalf of the landlord.

One of the worrying things about the legislation is that you can only pass information on to someone who is also ICO registered. This means your plumber, builder, electrician. You cannot pass your tenants' details (e.g. phone number) onto somebody else unless you have confirmed that that data would be held safely.

Luckily most of our work is done by one firm who comply with all legislation, so it makes things easy, but it does make it difficult to use the one man band type traders.

Luke P

23:09 PM, 11th December 2019
About A year ago

Reply to the comment left by Graham Bowcock at 11/12/2019 - 19:16
And back in the real-world, ICO nonsense or not, this is completely unworkable.

Jireh Homes

23:19 PM, 11th December 2019
About A year ago

Although the ICO blog refers to organisations, an interpretation is the registration requirement also applies to landlords as typically they hold data on their tenants. Great revenue generating policy for the Government although chances of them bringing a case against individuals / SME are extremely small as bigger fish to fry.
