You may have received a letter recently from the ICO. After several TeamUp customers asked us about this we spoke with the ICO and got the lowdown on why you have been asked to pay, whether you have to, and exactly what data is triggering health and fitness businesses to fall into one of their monitored categories.
The Information Commissioner's Office (ICO) is the UK's independent regulator for data protection, and since 2018 it has enforced the GDPR (now the UK GDPR) and the Data Protection Act 2018. Its role is not only enforcement: it also supports business owners like you with guidance, and it is developing a range of measures to help you.
Although Brexit has meant a switch to UK-led data practice (the UK GDPR and the Data Protection Act 2018), it is effectively the same regime. Even though there is talk of changing the rules, the reality is that to trade with the EU the basic principles of GDPR will have to be followed for the foreseeable future.
Under the Data Protection (Charges and Information) Regulations 2018, SMEs, small businesses and sole traders have a legal responsibility to pay this fee, which funds the ICO's work. The regulations require every organisation that processes personal data as a controller, unless exempt, to pay the data protection fee to the ICO.
The ICO wants personal data to be processed with 'confidentiality, integrity and availability', which is the security principle written into the GDPR. Working with the National Cyber Security Centre (NCSC), it publishes guidance to help you make sure the systems you use to store the data you have received are actually secure.
Names, addresses, dates of birth and payment details shared by customers are all personal data. Every time a new customer gives you this information, or engages with your website, social media or newsletter, they are sharing data with you. That data in turn helps you provide a better customer experience, get to know your customers and have their details to hand in an emergency.
Typically most small and medium companies will pay £40 or £60 a year: £40 for micro organisations (no more than 10 staff, or turnover no more than £632,000) and £60 for other small and medium organisations (no more than 250 staff, or turnover no more than £36 million). Only large organisations pay the top tier of £2,900, and there is a £5 discount if you pay by direct debit.
This is where it gets slightly trickier. Most health and fitness businesses will receive a letter from the ICO asking for payment. Receiving the letter doesn't by itself mean you have to pay. However, as we'll explain, for most of you it probably does.
The ICO has produced a self-assessment questionnaire. We went through every option and talked the outcomes through with the ICO to get the lowdown from your perspective.
In the ICO's own words: "If you've received a letter from the ICO, you need to either pay your fee promptly or let the ICO know you're exempt, so we can update our records. If you're not sure if you're exempt, you can take an online self-assessment at ico.org.uk/fee-checker."
The crux of the issue is the type of data that the ICO expects health and wellness businesses to collect.
The three main issues from your point of view are whether you collect only the data strictly necessary to run your business, whether any of that data is medical (health) in nature, and whether you run CCTV. If you only collect the data that is strictly necessary for your business operation, that data isn't medical in nature, and you don't use CCTV, then you can notify the ICO that you are exempt. Health data and CCTV are the two things that most often pull a fitness business out of the exemption, so check those first.
Paper-based ParQs (Physical Activity Readiness Questionnaires) or medical information that is never held or sent electronically (and that includes being attached to an email, even if it's just for internal use) do not trigger the fee, because processing done entirely on paper is exempt. You are fine to continue with this. The moment the same form is typed into a spreadsheet, a booking system or an email, it counts as electronic processing.
The reality is that for most businesses, collecting this data electronically improves efficiency to the point where it's worthwhile to be registered and pay the fee. If you collect sensitive information, being registered and having access to the ICO's guidance is also valuable for you and your business.
The simple answer is that the ICO would be happy for you not to pay, provided you tighten your data collection to focus only on what is essential.
Here are the simple things you can do to avoid paying: collect only the data you strictly need, keep ParQs and any other medical information on paper rather than in email or a database, and don't run CCTV.
On the other hand, you can simply pay and benefit from the simplicity of collecting the data you need, as well as the advice and support of the ICO.
The industry is due for some soul searching about what data it collects, how long it holds it for, and why that is necessary. For example, insurers ask for data to be held for 6 years in line with the limitation period (how long you can be sued for), but that sits uneasily with the regulators' storage limitation principle, which expects you to keep personal data no longer than you can justify.
A good takeaway from this process is to evaluate your data collection and ask yourself what you really need. Is date of birth actually informative? Is gender? Do you need to store this information at all, or should your programmes and packages explain their requirements so customers can self-select?
The less data you hold, the less exposed you are as a business: data you never collected cannot be leaked, lost or demanded in a subject access request. As regulations and the environment around data tighten, keep that in mind and let it inform your future decisions.
We'll continue working with the ICO to keep the position clear and to highlight the needs of the industry. The responses we've had so far suggest a forward-looking and positive organisation that wants to help the business community.
Thanks for reading!