Health and Care update: ICO brings action against care homes

Published: Wednesday 16 January 2019

Following the introduction of the General Data Protection Regulation (GDPR), which applied in the UK from 25 May 2018, all organisations that process personal data must pay a fee to the ICO and are then listed on their register of data controllers.

It has been identified that the care home sector is currently underrepresented on this register. Although there are some exemptions from paying the fee, care homes do not fall into these categories because they process particularly sensitive personal information for health administration and patient care.

Failure to pay the data protection fee became a civil offence under the GDPR, having previously been a criminal offence under the Data Protection Act 1998. The data protection regulator has sent notices of its intent to fine businesses, with those that do not pay facing a potential maximum fine of £600.

The Information Commissioner’s Office (ICO) has now started formal enforcement action against care homes that have failed to pay the data protection fee.

Paul Arnold, Deputy Chief Executive Officer at the ICO, said: “We expect the notices we have issued to serve as a final demand to these businesses and that they will pay before we proceed to a fine.

“All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.”

For further information, see the ICO’s Guide to the Data Protection Fee.