Posted by: John Brace | 15 July 2019

Were Merseyside Police processing some personal data unlawfully between 9th September 2018 and 25th September 2018 due to late payment of £2,900 fee to ICO?

Were Merseyside Police processing some personal data unlawfully between 9th September 2018 and 25th September 2018 due to late payment of £2,900 fee to ICO?


Merseyside Police paid their £2,900 fee to ICO (the Information Commissioner’s Office) late in 2018 and risked a fine for doing so.

Internal emails shared with this blog last Friday when I exercised a right granted under the Local Audit and Accountability Act 2014 to audit their 2018-19 financial records show that ICO reminded Merseyside Police on 29th July 2018 with a deadline of 8th September 2018.

However the payment was not made until the 26th September 2018.

It is therefore possible that Merseyside Police was processing certain classes of personal data unlawfully between 9th September 2018 and 25th September 2018.

26th September 2018 was the date that ICO issued a press release stating that it was taking formal enforcement action against 34 unnamed organisations in the public and private sectors for late payment and sent out notices of intent to fine.

Merseyside Police had 21 days to respond to such a notice of intent (if one was issued to it), if a notice of intent had been issued and not resulted in payment it could have been fined up to a maximum of £4,350 in addition to the £2,900 amount.

As a result of late payment Merseyside Police lost the opportunity for a £5 reduction through paying on time by direct debit.

*** refer to redactions made on either grounds of personal information (such as names, email addresses, phone numbers etc) or commercial confidentiality and have been done to the documents before we received them.


From: ***********
Sent: 21 September 2018 12:19
To: Corporate Support
CC: ************
Subject: FW: Data Protection fee – Reminder to renew ICO:00010510349
Attachments: DD Instruction Form.pdf

Importance: High

Hi ***** – per your email of 11:01hrs 21/09/2019, please see the details from the ICO email of 29/07/2018. We are now late in paying this, and as shown below, we could be fined up to £4,350 on top of the £2,900 which is payable. Earliest possible attention would be appreciated.


Merseyside Police and Police & Crime Commissioner
Tel. 0151 *** ****

From: ***********************
Sent: 01 August 2018 09:27
Subject: FW: Data Protection fee – Reminder to renew ICO:00010510349

Hi ***** below is our statutory requirement to pay the new annual ICO fee of £2,900 to the ICO. This replaces the previous registration and fee.

This must be paid prior to 08/09/2018. Failure to do so is an offence and may incur a fine of up to £4,350 in addition to the fee still remaining payable.

Please approve this payment and process it to Finance for the fee to be paid. Methods of payment are described in the email below.


Merseyside Police and Police & Crime Commissioner
Tel. 0151 *** ****

From: Registration Team Queue
Sent: 29 July 2018 01:57
To: ******************* ************************
Subject: Data Protection fee – Reminder to renew ICO:00010510349

Organisation name: Chief Constable Merseyside Police
Order reference number: 04a96072045b
Reference: Z4888071

Dear ****** *******

Data protection fee – renewal date – ACTION REQUIRED

Your registration as a data controller under the Data Protection Act 1998 (DPA98) will expire on 08/09/2018. You are legally required to either:

  • renew your registration, or

  • cancel your registration if your circumstances have changed and tell us why you no longer need to be registered.

Changes to the law

Due to the data protection regime in force from 25 May 2018, you will no longer be required to ‘notify’ or pay a fee under the DPA98. But you will be required to pay a new data protection fee under the Data Protection (Charges and Information) Regulations 2018.

Changes to the fee

Under the new regulations, you must still pay an annual fee, depending on your size or turnover, but this will now be £40, £60 or £2900. VAT is nil in all cases.

Based on the information we have, we believe that you are now required to pay £2,900.00 under the new regulation. However, you should use our assessment tool ( to confirm how much you need to pay and contact us immediately if you think we have got our assessment wrong.

How to pay

You can pay the data protection fee in any of these ways:

Direct debit – the best way to make sure you always renew on time. Just complete the enclosed instruction and post it, with a copy of this letter, to the address below. Please don’t email the instruction to us as we can’t process mandates received electronically. Payments made by direct debit will automatically receive an annual £5 reduction.

Online – you can pay securely online with a debit or credit card on our website ( Please note you will need the reference and order reference shown above.

Cheque – make your cheque payable to the Information Commissioner. Put your reference (shown above) on the back and send it to the address below, with a copy of this letter.

Please send cheques and direct debit instructions to: Data Protection Fees, Information Commissioner’s Office, Wycliffe House, Water lane, Wilmslow, Cheshire, SK9 5AF.

Changes to the sanction

Failure to pay the data protection fee will be addressed through a fixed penalty.

If you process personal data for any of the non-exempt purposes and you either don’t pay the fee, or you don’t pay the correct fee, you will be breaking the law and could be fined up to £4,350 (on top of the fee you have to pay).

It is important that we receive all payments or cancellation requests on time, as 14 days after expiry, we will send notice of our intention to issue a fixed penalty notice, which you will have the opportunity to respond to.

Changes to the information we collect

Under the new regulations, you no longer have to tell us about the personal data you process. However, if you are required to have a Data Protection Officer (or you otherwise choose to appoint one), you should tell us about this, preferably at the same time as you pay your data protection fee.

To find out if you need to appoint a Data Protection Officer please see our Guide to the GDPR – Data Protection Officers.

For more information about any of the other changes described in this email, please see our Guide to the data protection fee.

If you need to contact us, please call us on 0303 123 1113, or email You’ll need your reference and your security number, which we sent to you when you first applied.

Yours sincerely

Deputy Chief Executive Officer
Information Commissioner’s Office

==== Merseyside Police Email Gateway ====
Click here to report this email as spam

If you click on any of the buttons below, you’ll be doing me a favour by sharing this article with other people.


  1. Looking at this, i just see this as another form of tax,
    Data proctection fee! if you don’t pay your breaking the law! as this would be a govement run thing and the police are funded by tax payers whats the point, if they are late and are fined the tax payers loses out, just more red tape ****

    • It’s how the part costs of the regulator ICO are funded.

      A bit like how the BBC is funded through TV licence fees.

      Yes it is like a tax, it’s just not called a tax though.

      If the police are late paying and then have to pay more or are fined, then the overspend on the original budget has to be made up by them from elsewhere (eg reserves).

      But a police force shouldn’t be breaking the law anyway.