The U.K. ICO’s New Guide on Data Protection for the Media

In response to the recommendation by Lord Justice Leveson in his November 2012 report into the culture, practices and ethics of the press, the U.K. Information Commissioner’s Office (“ICO”) in September 2014 published “Data protection and journalism: a guide for the media”. The new guide explains how the U.K. Data Protection Act 1998 (“DPA”) applies to journalism, advises on good practice, and clarifies the role of the ICO. It also provides technical guidance on the provisions of the DPA and sets out how the exemption for journalism under Section 32 of the DPA works.

The guide does not have any formal legal status and is not, therefore, mandatory. The idea is that it will help those working in the media to understand and comply with data protection law.

Background

In his report, Leveson LJ recommended that the ICO “should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data” see analysis at WDPR, January 2013, page 13.

The guide, issued following the ICO’s public consultation on draft guidance earlier this year see analysis by Caroline Kean, of Wiggin LLP, London, at WDPR, February 2014, page 25, responds to that recommendation. It explains how the DPA applies to journalism, sets out the basic principles and obligations, advises on good practice, and clarifies how an exemption for journalism works to protect freedom of expression. It also explains what happens when someone complains, and the role and powers of the ICO.

The ICO says that the guide is intended to help the media understand and comply with data protection law and follow good practice while recognising the vital importance of a free and independent media.

The ICO stresses that the guide is not intended to take the place of industry codes of practice. It is a guide to data protection compliance, not to wider professional standards or media regulation. It does, however, refer to existing codes, where directly relevant, to show how everything fits together.

The guide is intended for all media organisations involved in journalism, be it broadcast media, online news outlets or the press. It is aimed primarily at senior editors and other staff with compliance or training responsibilities.

The guide is divided into three main sections: 1) practical guidance (introduces some data protection basics and provides broad guidelines on the effect of the DPA in key areas); 2) technical guidance (gives an overview of the DPA with more detail on how the ICO interprets the exemption for journalism and some of the other key legal provisions); and 3) disputes (sets out the role of the ICO and what happens if someone complains under the DPA).

Section One — Practical Guidance

The guide explains that the DPA applies whenever anyone collects, retains, uses, or discloses any information about a living person. The ICO goes to pains to assert that the DPA does not prevent responsible journalism, as the main principles are flexible enough to accommodate day-to-day journalistic practices, and there is also the specific exemption to protect journalism where necessary. However, the guide explains, the media are not automatically exempt, and will need to give consideration to the data protection rights of individuals.

The guide points out that the ultimate legal responsibility will usually fall on the relevant media organisation rather than on individual employees, but employees of media organisations will still need to be aware of their DPA responsibilities, particularly day-to-day adherence, when working for a media organisation. Freelance journalists may often have their own separate obligations.

Obtaining Information

Given that much of the information collected by the media includes some personal data, the act of obtaining such information counts as “processing” under the DPA, the guide explains.

On this topic, the guide advises the media to be “open and honest wherever possible”. People should know if information is being collected about them “where it is practicable to tell them”. However, the ICO accepts that it will not generally be practicable for journalists to make contact with everyone they collect information about.

The guide also clarifies that there is no need to notify individuals if it would undermine the journalistic activity. In this regard, journalists can consider the Section 32 exemption for journalists, although notification should always be considered and at different stages of the story or investigation.

Further, the guide advises using covert methods only if the organisation concerned is confident that it is justified in the public interest. Therefore, methods such as surveillance can be used only if there is a reasonable belief that this method is necessary (in other words, it is not reasonably possible to use a less intrusive way to obtain the information) and the story is in the public interest. To decide if it is in the public interest, the detrimental effect that informing the data subject would have on the journalistic assignment must be balanced against the detrimental effect of employing covert methods on the privacy of any data subjects.

In particular, information about someone’s health, sex life or criminal behaviour should be collected only if the organisation is confident that it is relevant and the public interest in doing so sufficiently justifies the intrusion into that individual’s privacy.

The guide reminds the media that the exemption does not protect them from prosecution under Section 55 of the DPA, which states that it is an offence knowingly or recklessly to obtain personal data from another organisation without its consent (e.g., by blagging, hacking or other covert methods). There is a public interest defence to this offence, but currently this holds the media to a stricter standard than the usual exemption for journalism. The guide stresses that the media should, therefore, be confident about their public interest justification before using such methods.

Retaining Information

The guide reminds the media that the DPA does not stop information from being retained, provided it was obtained legitimately. It recognises that contact details and background research are a vital journalistic resource. However, retaining such data amounts to “processing” under the DPA and, therefore, triggers the provisions contained within the DPA.

The DPA does not impose a limit on the length of time that data can be retained. Media organisations can take some comfort from the ICO’s acknowledgment that contact details and background research are a vital journalistic resource. However, the guide advises that organisations should review retained information from time to time to ensure that it is still up to date and relevant. Any data no longer needed should be deleted. Organisational policies should specify whether certain categories should be reviewed more regularly, e.g., very sensitive types of information or information relating to children.

The guide reminds the media that they must keep information about people secure. This means that reasonable steps must be taken to retain people’s information securely and prevent it being lost, stolen or misused. Particular care should be taken when out of the office — phones, laptops and memory sticks containing personal data and information should be locked, password protected and encrypted where possible.

Publication

Even where information has been fairly obtained and retained, media organisations will need to consider separately what information it is fair to publish, the guide says. The ICO wants the media to consider how much personal data it is necessary to publish to report the story properly, balanced against the level of intrusion into the life of the data subjects, and the potential harm this may cause.

The public interest in publication should be assessed by someone at an appropriate level, depending on the story, although the ICO recognises that senior editorial or expert input will usually not be needed for day-to-day stories.

According to the guide, publication is likely either to be fair and to comply with the DPA or to fall within the journalism exemption if it can be shown that someone at an appropriate level considered that the public interest in publication outweighed individual privacy in the circumstances of the case, and can give good reasons for this view when challenged.

Accuracy

The guide reminds the media that the DPA requires them to record details correctly and take reasonable steps to check the facts. Stories should also clearly distinguish between fact and opinion, and if the individual disputes the facts, this should be stated.

Responsible journalists will always take care to ensure reports are accurate and not misleading, which means the organisation should be able to comply in the vast majority of cases, the guide states. It warns that the ICO “would not expect you to fall back on the exemption very often, as it is hard to argue it is in the public interest to publish clearly inaccurate stories or to retain clearly inaccurate information without making reasonable checks”.

However, the exemption may be available if, for example, the story is urgently in the public interest and the short deadline makes a complete accuracy check very difficult. However, as with any use of the exemption, the organisation will be required to show that proper thought was given by someone at an appropriate level as to what checks might be possible, whether publication could be delayed for further checks, the nature of the public interest at stake and that the decision to publish was, therefore, reasonable.

Subject Access Requests

Here, the guide advises having a process in place for handling subject access requests. Consideration must always be given as to whether the information (or any of it) can be provided without undermining journalistic activities. A response must be provided within 40 calendar days.

It may be possible to rely on the journalism exemption to refuse the request if the information is being held in connection with the publication of a story that is in the public interest and responding to the request would be incompatible with journalism. However, there is no automatic exemption, and if any of the information requested can be provided, this should be done.

The guide advises recording the reasons for a decision not to comply with a request, as the ICO may, if the person complains, ask for evidence that the request was properly considered and reasons as to why it was decided that providing the information would undermine journalism.

Confidential Sources

Here, the guide explains that the DPA allows for the redaction of the identity of confidential sources when responding to a subject access request. Information on individuals who are sources need be disclosed only if that individual consents, or if it is reasonable to do so. In most cases, the guide states, it is unlikely to be reasonable to disclose confidential sources.

Section Two — Technical Guidance

This section of the guide gives an overview of the DPA with more detail on how the ICO interprets the underlying legal provisions, in particular, the Section 32 exemption.

The guide explains that the right to respect for privacy under Article 8 of the European Convention on Human Rights (“ECHR”) and the right to freedom of expression under Article 10 of the ECHR are both important rights, and neither automatically trumps the other. The ICO maintains that the DPA protects people’s information privacy, but also recognises the importance of freedom of expression, aiming to strike a fair balance. The guide seeks to reassure the media that the ICO must consider the importance of freedom of expression when deciding how best to use its powers in the public interest.

The Journalism Exemption

The guide sets out that the purpose of the exemption under Section 32 of the DPA is to safeguard the right to freedom of expression afforded by Article 10 of the ECHR. Subject to certain limitations discussed below, Section 32 can exempt from the requirements of the DPA personal data that is processed solely for the purposes of journalism.

The scope of the exemption appears broad. It can disapply almost all of the DPA’s provisions, and gives the media significant leeway to decide for themselves what is in the public interest, the guide says. Media organisations must be able to justify their actions in the public interest and on the merits of each case.

The exemption breaks down into four elements:

The Data is Processed Only for Journalism, Art or Literature

There is no definition of “journalism” in the DPA, and the ICO interprets it broadly. Journalism will clearly cover all output on news, current affairs, consumer affairs or sport. Taken together with art and literature, the ICO considers it is likely to cover everything published in a newspaper or magazine, or broadcast on radio or television. In other words, it covers the entire output of the print and broadcast media, with the exception of paid-for advertising.

This was confirmed by the U.K. Supreme Court in Sugar (Deceased) v BBC [2012] UKSC 4, in which the court also confirmed that journalism would cover a wide range of activities, loosely grouped into production (including collecting, writing and verifying material), editorial, publication or broadcast, and management of standards (including staff training, management and supervision).

“Journalism” also covers citizen journalists’ blogs intended as public interest journalism.

If an organisation uses the same information for any other purpose, the exemption cannot apply.

With a View to Publication

Provided the ultimate aim is to publish, all background information collected as part of a journalist’s day-to-day activities might be exempt, even if the details are not included in any final article or programme and even if no story is actually published or broadcast. In this context, “publish” means “make available to the public or any section of the public”. However, the guide states that the exemption will not apply to anything that is not an integral part of the news-gathering and editorial process.

With a Reasonable Belief that Publication is in the Public Interest

The onus is on the media to make independent decisions on whether publication is in the public interest or not. The ICO expects the media to be able to explain their reasons for believing publication is in the public interest and to evidence an appropriate decision-making process.

There is no definition of “public interest” in the DPA. Each case must, therefore, be considered on its own merits. Any consideration of the public interest should ultimately aim to strike an appropriate balance between freedom of expression and privacy rights.

The ICO advises organisations to take into account: 1) the general public interest in freedom of expression; 2) any specific public interest in the subject matter; 3) the level of intrusion into an individual’s private life, including whether the story could be pursued and published in a less intrusive manner; and 4) the potential harm that could be caused to individuals.

It is reassuring to see the ICO recognises an inherent public interest in freedom of expression itself, regardless of the specific content of the story. However, it stresses this does not automatically mean that publication is always in the public interest.

Any consideration of what is in the public interest must involve an element of proportionality, the guide says. It notes that media organisations should not make a general assumption that the private life of a public figure is always the subject of sufficient public interest to justify publication. Whether publication of this type of material is in the public interest in any particular case is likely to depend on a variety of factors, such as: 1) the role and profile of the individual; 2) the extent to which the individual has courted publicity or held himself/herself out as a role model; 3) the significance of the story to the organisation’s audience; and 4) how intrusive or damaging the story is likely to be to the subject or to any other individuals associated with the story.

Another key point is that it is the data controller who must reasonably believe that publication is in the general interest. Who the data controller is will depend on how the organisation allocates responsibilities. In some cases, the data controller might be an individual journalist, if the organisation in question has allocated the responsibility of applying the public interest test directly to its journalists. In that case, it will be the journalist’s belief that counts.

The ICO will expect organisations to be able to show that there was an appropriate decision-making process in place at the relevant time. However, what is appropriate will depend on the case. For example, for more high-profile, intrusive cases, it would be appropriate for there to be more editorial involvement in the decision-making process.

The guide points out that the exemption requires only a reasonable belief, which gives more leeway than other exemptions and “reflects the importance of a free and independent media”. The ICO does not have to agree that publication was in the public interest, provided the data controller’s belief was a reasonable one.

Finally, the ICO will also take compliance (or not) with relevant industry codes of practice (such as the Editors’ Code of Practice, the Office of Communications’ (“Ofcom”) Broadcasting Code and the BBC’s Editorial Guidelines) into account, but is not bound by the decisions of industry bodies.

With a Reasonable Belief That Compliance is Incompatible with Journalism

Organisations must be able to show a clear argument that the DPA provision in question presents an obstacle to responsible journalism. The detrimental effect compliance would have on journalism against the detrimental effect non-compliance would have on the rights of the data subject must be balanced against each other. Compliance must be more than just an inconvenience, and it is not enough simply to assert that compliance is not standard industry practice. Specific consideration must be given to each case, and organisations cannot rely on a blanket policy. Further, organisations must be able to justify their use of the exemption in respect of every provision of the DPA not complied with. Again, the focus is on the reasonable belief of the data controller.

Section 32 does not exempt the media from all of the DPA. It does not provide an exemption from:

• notification — media organisations will still need to register with the ICO;

• security — media organisations must always have adequate security measures to protect personal data;

• the Section 55 offence — journalists and media organisations will not be exempt from prosecution if they unlawfully obtain, disclose or procure information in breach of Section 55. However, there is a public interest defence within Section 55 itself;

• the right to opt out of direct marketing; and

• the right to compensation for damage and distress — individuals have the right to claim compensation through the courts if they have suffered damage or distress as a result of a breach of the DPA.

Section Three — Disputes

The guide explains that the ICO considers complaints and has the power to take enforcement action for serious breaches, although its powers are more restricted in cases affecting the media. The ICO can also prosecute criminal offences under the DPA, for example, a Section 55 offence or for processing personal data without notifying the ICO.

However, the ICO cannot prevent publication or award compensation.

The guide says that the ICO will always consider the impact on freedom of expression carefully before deciding to take any action against the media. It will also seek to work with industry bodies and refer issues to them wherever appropriate.

The guide also reminds the media that individuals can also make DPA claims for compensation directly through the courts.

Comment

The DPA has been around for quite some time but has recently gained greater prominence in media circles. Its critics argue that the increased use of the DPA against media organisations forms part of a wider trend, in which legislation not originally designed with the media in mind has been refocused on the press, in an attempt to control the media and access the information they hold.

The DPA is a fairly dense piece of legislation that is unlikely to be very familiar to many. The ICO guide helps to draw out the most important elements of the DPA and highlights what provisions are relevant to the media.

However, the guide does not provide complete clarity. There is still room for dispute and debate around the interpretation of many elements of the DPA.

For example, in what circumstances will compliance with the DPA be “incompatible” with journalistic purposes? Would it be sufficient if compliance disrupted, or added a level of greater difficulty to, the journalistic endeavour? Similarly, when is processing “only for the purposes of journalism”? Does the exemption apply to journalism designed to support a political campaign, for instance?

These are examples of some of the issues that the guidance hasn’t resolved.

It is likely that disputes around the definition of some provisions, including those mentioned above, will end up before the ICO and/or the courts.

Until then, media organisations will have to be alert to the uncertainties within the DPA and tread carefully around the grey areas that are ripe for challenge.

Sarah Branthwaite is a Solicitor at Wiggin LLP, London. She may be contacted at sarah.branthwaite@wiggin.co.uk.