In his inquiry into the culture, practices and ethics of the press, Lord Justice Leveson made a number of data protection related recommendations. One of these was that the Information Commissioner (ICO) "take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data".
In September 2014, the ICO published: Data protection: a guide for the media (Guidance), intended to help the media understand and comply with data protection law while recognising the importance of a free and independent media and the need to balance the rights of privacy with the right to freedom of expression. The ICO is at pains to point out that he has no intention of interfering with the freedom of the media and that the data protection regime is not intended to obstruct a free and fair press.
The Guidance is aimed at the press, broadcast media and online news outlets, editors, journalists (especially freelance journalists), some bloggers and non-media organisations which publish material which may qualify as journalism (and the Guidance includes a detailed discussion of what that entails). This is very much a clarification of the current rules and how they are interpreted by the ICO rather than anything new but it should provide a useful and, in most cases, reassuring summary for the media in the wake of the phone hacking scandal, the Leveson report, the regulation of the press debate and the launch of IPSO.
The Guidance is divided into three sections which cover: practical guidance; technical guidance (which deals specifically with the s32 journalism exemption); and dispute resolution.
The first section starts off by 'myth' busting. It underlines the concept that there are no hard and fast rules and that each case must be considered on its own merits. It reminds the industry that sources can be protected and that there are a number of justifications it can rely on to process personal data but warns that data protection cannot be ignored altogether on the basis of the exception for journalism. The ICO says for collection of data to be fair:
- there must be a journalistic justification for collecting the information;
- where practical, the relevant person should be told their data is being collected and what it is going to be used for (although the ICO recognises this is not always possible); and
- a person's information should only be used as they would reasonably expect.
The Guidance reminds the media that although there is a broad exception for journalism from many provisions of the Data Protection Act 1998 (DPA), there is no exemption from prosecution under s55 DPA, under which it is an offence to knowingly or recklessly obtain personal data from another organisation without its consent (e.g. by blagging, hacking or other covert measures). It goes on to say that while there is a public interest defence, the standard which needs to be met is higher than the usual exemption for journalism.
In section 2, which gives technical guidance, the ICO considers the need to balance the fundamental human rights to freedom of expression and privacy in each case and to review it repeatedly if appropriate. Connecting this balancing exercise to application of the s32 exemption for journalism is an extension of the wording in the legislation and may cause consternation but the ICO is clear that neither right automatically trumps the other. The Guidance goes on to consider the data protection principles and their application to journalism. Points of particular interest to journalists will be the acceptance that information which may not be relevant to a current story may be retained if it is of more general journalistic interest and that, in the context of journalism, it may be necessary to keep some information for long periods. In addition, the prohibition on international transfers without adequate protection will not prevent online publication provided the DPA is complied with in all other respects.
The ICO breaks the s32 journalism exception down into the following elements:
- the data is processed only for journalism, art or theatre;
- with a view to publication of some material;
- with a reasonable belief (of the data controller) that publication is in the public interest; and
- with a reasonable belief that compliance is incompatible with journalism.
One of the most difficult issues for the media is the decision about whether or not something is in the public interest, something the ICO stresses is for the media to decide rather than the ICO. The ICO emphasises the role of industry codes of practice and advises organisations to take into account:
- the general public interest in freedom of expression;
- any specific public interest in the subject matter;
- the level of intrusion into an individual's private life, including whether the story could be pursued and published in a less intrusive manner; and
- the potential harm which could be caused to individuals.
Key recommendations are that an organisation be able to demonstrate it has carefully considered the application of s32 to the particular situation, in particular by:
- having clear policies about what needs editorial approval;
- giving all staff basic data protection awareness training;
- having an inbuilt public interest check at key stages of a story;
- considering the data protection implications at key stages of a story; and
- keeping an audit trail for unusually high-profile or intrusive stories.
The Guidance reminds users that s32 does not provide exemption from:
- notification as data controller;
- the obligation to keep data secure;
- the s55 offence;
- the right to opt out of direct marketing; nor
- the right to compensation for damage and distress.
Notwithstanding any available exemptions, the ICO reminds the media that it must comply with as much of the DPA as it can.
The final section gives an outline of the ICO's enforcement powers and how it will deal with any complaints involving the media.