The ICO exists to empower you through information.

If you are reading this page, you are probably in the human health and social care sector and have recently received a letter from the ICO.

As the UK’s data protection regulator, we are contacting all organisations that appear to need to pay a fee under data protection legislation.

All businesses and other organisations that process personal information should pay the annual data protection fee, unless they are exempt. The fee applies no matter how big, or small, your business or organisation is, although not everyone has to pay the same amount.

If you've paid in the last 14 days, please ignore the letter asking you to pay. If you have paid by card or direct debit, it can take up to 24 hours to receive confirmation. You will need to renew your fee every 12 months.

What is data protection?

The information you hold about your customers and clients is one of your biggest assets. If you want to make the best use of it, you need to be aware of your responsibilities.

Data protection isn’t just about paying the fee. It is the fair and proper use of information about people. Understanding it will help you use that data effectively, so you can provide the products and services your customers want and need. It will also help you use that data safely. Mistakes can be expensive to put right. They can also be damaging to clients and threaten your reputation as a business that puts its customers first.

The UK data protection regime is set out in the Data Protection Act 2018 and the UK GDPR.

What is 'personal data'?

Personal data is information about particular living individuals. This might be anyone, including customers, clients, employees, business partners, members, supporters, business contacts, public officials, or members of the public.

It does not need to be 'private' information – information which is public knowledge, or which is about someone's professional life can be personal data too.

It includes records held electronically (such as on computers, laptops, smartphones, or cameras) as well as paper records, if you plan to put them on a computer or other electronic device or if you file them in an organised way.

Does data protection apply to me?

Yes, if you have information about people for any business or other non-household purpose.

Data protection law applies to any 'processing of personal data', so will apply to most businesses and organisations, whatever their size. But there are some exemptions from the obligation to pay.

What do I need to do?

If you have received a letter from us, quoting your Companies House registration number you must:

Our self-assessment tool will help you work out if you need to pay. We have also added some frequently asked questions below.

If you do need to pay, the online form will ask for your sector. You can choose from, but are not limited to:

  • Health, Ambulance Service, Ambulance Service
  • Health, Dentist, Dentist
  • Health, Commissioning, Clinical Commissioning Group
  • Health, General Practitioner, Doctor – GP
  • Health, Counselling and Advisory Service, Family Mediation Counsellor/Advisor
  • Health, Counselling and Advisory Service, Medical Health Counsellor
  • Representative and Arm’s Length Body, Forensic Medical Examiner/Force Medical Examiner
  • Health, Advisory Board and Panel, GP Appraisal
  • Health, Advisory Board and Panel, Legal Medical Report (Medico Legal Reports)
  • Health, Secondary Care, NHS Trust/Health Authority
  • Health, Optician, Optician
  • Health, Healthcare and Pharmaceuticals, Other Healthcare Professionals and Providers
  • Health, Pharmacist, Pharmacist
  • Membership Association, Club, Club/Society (Charitable)
  • Membership Association, Club, Membership Club (Commercial)
  • Religious, Religious Organisation, Pastoral Care
  • Social Care, Social Services, Community Rehabilitation Company
  • Social Care, Social Services, Independent Social Worker
  • Social Care, Social Services, Youth Offending Team
  • Social Care, Foster Care, Foster Care Agencies
  • Social Care, Domiciliary Care, Domiciliary Care
  • Social Care, Residential Care, Residential Care
  • Charitable and Voluntary, National Charity, Citizens Advice Bureau
  • Education and Childcare, Childminder, Childminder
  • Education and Childcare, Nursery, Playgroup and After School Club, Nursery Schools/Playgroup/After School Club
  • Education and Childcare, Training Company, Training Company
  • General Business, Supplier of Services, Lifestyle Coach
  • General Business, Supplier of Services, Other

Frequently asked questions

I have CCTV on my business premises – do I need to pay a fee?

Yes. Images of people caught on camera are their personal data.

I have a dashcam on my business vehicle – do I need to pay the fee?

If you have a dashcam that you use for work purposes on a vehicle that you use for work – even if you own the vehicle – then you will need to pay a data protection fee. Again, images of people recorded on camera – even when in their cars – will be their personal data.

I’m a nurse employed through an agency – do I need to pay?

No, if you are employed through an agency or you have set up a limited company to manage your accounts, you are not required to pay the data protection fee. If you conduct private consultations with patients, then you may be required to pay the fee.

Medico-Legal reporting – do I need to pay?

Yes. A medico-legal report, written by a doctor or another health professional for legal proceedings as the written evidence of a medical expert witness, would require you to pay a data protection fee.

Private hospital – do we need to pay?

Yes, if you are holding medical records about your patients, you would be required to pay the fee.

I’m a practice manager of a medical practice – do I need to pay?

No, as a practice manager you are the data processor and do not determine how data is being processed.

We are a medical practice/doctor’s surgery - do we need to pay?

Yes, if you are holding medical records about your patients, you would be required to pay the fee.

I am a locum doctor – do I need to pay?

This would depend on whether your relationship with the medical practice makes you a data controller or a data processor.

I am a healthcare professional/consultant providing services such as audiology, acupuncture, dermatology, physiotherapy, and chiropractic – do I need to pay?

If you are responsible for the medical records held including any treatment and care received, you would be required to pay the fee.

I am the principal of a dental practice – do I need to pay a fee?

If the principal of a practice has responsibility and control of the patient records in the practice, they would be required to pay a data protection fee.

I am a medical/dental practice manager – do I need to pay a fee?

A self-employed practice manager is usually a data processor, as they do not determine how the personal information is processed. They will usually act on instruction from the data controller, i.e. the principal of the practice, when processing personal information. If you are an employee, you will be covered by your employer’s fee and you will not be required to pay your own.

My dental practice is a partnership – do all partners have to pay a fee separately?

If you're in a partnership and each partner is responsible for the processing and security of their own patient information, which they would take with them if they left the practice, then each partner would need to pay a separate fee.

I am a dental associate or dental hygienist – do I need to pay a fee?

It is not possible to give a definitive answer as there are a number of arrangements between dentists and dental hygienists, but there are a number of questions that might clarify whether a dental hygienist is a data controller and needs to pay a fee:

  • Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
  • Do you have a patient list separately from the practice in which you treat patients that would follow you if you left?
  • Do you treat the same patient at different practices?
  • If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?

If you answer ‘yes’ to any of the above questions, you are likely to be a data controller and will need to pay the ICO a data protection fee.

I provide counselling services – do I need to pay?

If you are providing a counselling service and holding personal information electronically you are required to pay a fee.

We are a company that provides therapy, such as occupational, speech and language and animal assisted therapy – do we need to pay?

If you are responsible for the medical records held including any treatment and care received, you would be required to pay the fee.

We are an aesthetics clinic/wellness centre – do we need to pay?

If you are providing services which require you to record your client’s medical history and maintain a record of treatments and aftercare you would be required to pay the data protection fee.

We are a fertility clinic – do we need to pay?

Yes, if you provide fertility tests and treatments and hold medical records about your patients, you are required to pay a fee.

We provide adoption services – do we need to pay?

Yes, as an adoption agency you will be holding detailed adoption records and reports and would be required to pay a data protection fee.

We carry out medical research – do we need to pay?

If you are processing personal data for the purpose of medical research, determining the information that is collected and the manner in which it is processed, you are required to pay a data protection fee.

However, if the data collected is anonymised, and you cannot ever identify a living individual through unique identifiers, then you would not be required to pay the fee. Please see our guidance on anonymisation.

We are a citizens advice bureau – do we need to pay?

Yes. Providing consultancy and advisory services is not an exempt purpose for processing personal data, so you would be required to pay the fee.

Although you may be set up as a not-for-profit organisation, and there is an exemption for not-for-profit organisations, it is unlikely that you could meet the criteria for this exemption, as it specifies regular contact.

My organisation is a registered charity – do I need to pay?

This would depend on what personal data you were processing and why. A registered charity would only pay the lowest fee tier of £40. Our self-assessment tool will help you determine if you are required to pay a fee.

How do I know if my company can claim the not-for-profit exemption – we don’t make a profit?

To meet the criteria for the not-for-profit exemption, the organisation must:

  • be established as a not-for-profit organisation, which may be stated in your constitution/articles
  • only process information necessary to establish or maintain membership or support
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
  • only hold information about individuals whose data it needs to process for this exempt purpose
  • restrict the personal data it processes to personal information that is necessary for this exempt purpose
  • only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration

The organisation would not be exempt:

  • if you are responsible for CCTV
  • if you provide additional services outside of the organisation’s aims/objectives that can’t be covered by the other exemptions
  • if you trade and share in personal data

We are a community interest company – do we need to pay?

Community interest companies are unlikely to be able to rely on the not-for-profit exemption and you must determine which level of fee you are required to pay.

You can complete the self-assessment tool to determine this.

My society/support group holds information about our members – do we need to pay?

The administration of membership records is not an exempt purpose for processing personal data and would require a fee to be paid. If you are set up as a not-for-profit organisation, please take our self-assessment tool to see if you are required to pay the fee.

If you have CCTV for the purpose of crime prevention on or in the premises this would require your society or support group to pay the fee.

We provide a rehabilitation service, such as drugs and alcohol misuse and mental health illness – do we need to pay?

Yes, if you are providing special healthcare services and holding medical records electronically on your patients/clients you are required to pay a fee.

We are a nursing home/residential care – do we need to pay?

Yes, if you provide a nursing service to your patients/residents such as bespoke care plans and hold their medical records electronically, you are required to pay the fee.

If you have CCTV for the purpose of crime prevention on or in the premises this would require you to pay the fee.

We provide domiciliary care and/or nursing services – do we need to pay?

If you provide healthcare services such as bespoke care plans, assistance in their home, companionship and hold service users’ medical records electronically, you are required to pay a data protection fee.

Does a company offering healthcare, supported living, educational and other social services need to pay a fee?

If you provide any of these services to individual clients, you would be required to pay a fee.

I am a chemist – do I need to pay?

If you provide pharmacy services, products, prescriptions, and advice you would need to pay a fee.

We are a day care/nursery – do we need to pay?

Yes, if you take digital material/photographs of the children; hold and process the child’s progress, learning and development; or use the contact details to send updates via texts or emails on the child’s progress and development throughout the day, you are required to pay the fee.

Afterschool club – do we need to pay?

Yes, if you are holding records for children attending the club, you would be required to pay the fee.

However, if the afterschool club is run by the school itself then a fee would not be required.

I’m a childminder – do I need to pay?

A childminder does have to pay the data protection fee if they:

  • take digital material/photographs of a child;
  • hold and process the child’s progress, learning and development; or
  • use the contact details to send updates via texts or emails on the child’s progress and development throughout the day.

We are a healthcare agency – do we need to pay?

Yes, collecting personal information and creating client profiles, then referring and placing applicants for employment, would require you to pay a data protection fee. You would not be able to rely on the staff administration exemption.

We are a paramedic/medical rescue service – do we need to pay?

Yes, if you are providing a healthcare service and are holding medical records electronically you would be required to pay the data protection fee.

We provide event medical services – do we need to pay?

If you are providing or carrying out risk assessment, witness statements and first aid training and hold personal information electronically you are required to pay the fee.

I hold events, such as workshops, exhibitions, fairs, and conferences – do I need to pay?

Yes, if you hold details of attendees, exhibitor information, provide counselling to individuals and advertising for other business services (sole traders and partnerships) then you would be required to pay a fee.

My organisation provides training – such as first aid and holistic therapies – do I need to pay?

Yes, you would be required to pay the fee if you are holding training records electronically, including emailing progress reports and providing certification.

My company is dormant – do I need to pay?

It depends. If your business is dormant and you are not processing personal data electronically, then you’re not required to pay the fee.

However, some businesses and professionals are required to retain some personal data after they cease trading or practising, as required by industry guidelines. If this applies to you then you probably will need to pay.

Please visit our self-assessment tool to check.

I have a limited company but I’m a sole trader – who needs to be registered?

This depends on who the data controller is, and which entity has the relationship with the client. You will need to determine who is the legal person responsible for the personal data held.

If your limited company is set up for the sole purpose of processing your own accounts through it, then this would not require a fee.

I’m unsure if I am a data controller or a data processor – how do I determine this?

It is essential for organisations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of the processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organisation has data protection responsibility.

You may find the following guidance useful:

To determine whether you are a data controller you need to ascertain which organisation decides:

  • to collect the personal data in the first place and the legal basis for doing so;
  • which items of personal data to collect, i.e. the content of the data;
  • the purpose or purposes the data are to be used for;
  • which individuals to collect data about;
  • whether to disclose the data, and if so, who to;
  • whether subject access and other individuals’ rights apply i.e. the application of exemptions; and
  • how long to retain the data or whether to make non-routine amendments to the data.

We can only provide guidance and advice; ultimately it is the data controller’s decision as to whether a registration is needed.

More information

There is more information about the data protection fee on our website.

There is also lots of information for sole traders and smaller businesses on our SME web hub, to help you understand data protection and how it can help you safely make the most out of the personal data you hold.