Following the Leveson inquiry, there has been some discussion, and confusion, over the obligations of the media under the Data Protection Act 1998 (‘DPA’) and the extent to which the media are restricted by it. In his report, Lord Justice Leveson recommended that the Information Commissioner’s Office (‘ICO’) should “take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data”. In response, the ICO last week published practical guidance (‘the Guidance’) for the media on their obligations under the DPA. The Guidance is available here and a brief summary is provided below.
Media organisations or self-employed individuals who handle personal data need to be aware of their obligations under the DPA. These obligations include a duty to notify the Information Commissioner of the handling of personal data and comply with eight DPA principles, including the lawful and fair collection of data and the requirement that the data collected be accurate, relevant and not excessive for journalistic purposes.
Much of the confusion surrounding the DPA is in regard to section 32 of the DPA which provides an exemption from key provisions of the DPA for journalism (though, notably, not the notification requirement or security measures for the protection of personal data). The purpose of the exemption is to safeguard the right to freedom of expression, as set out in Article 10 of the European Convention of Human Rights. The requirements for the exemption to apply are that: (i) the processing be undertaken with a view to the publication of any journalistic material; (ii) the data controller must reasonably believe that, having regard to freedom of expression, publication would be in the public interest; and (iii) the data controller must reasonably believe that, in all the circumstances, compliance with the provisions of the DPA are incompatible with the journalistic purpose. In essence, there must be a reasonable argument that the public interest justifies what would otherwise be a breach of the DPA. The Guidance makes clear that the onus is on the media to make their own independent decisions on whether publication is in the public interest and that they will need to be able to justify their decision. The Guidance also highlights that organisations will need to explain why compliance with the relevant DPA principles is not compatible with the journalistic purpose, noting that “there must be a clear argument that the provision in question presents an obstacle to responsible journalism…compliance must be more than just an inconvenience”.
In practice, media organisations are recommended to provide data protection training to employees; have clear policies about what needs editorial approval; contemplate data protection implications throughout the journalistic process and ensure that the public interest is considered throughout that process.