Contact
March 20, 2014
The deadline for responses is April 22, 2014. The draft guidance has been published further to Lord Leveson’s recommendation that the ICO ‘‘should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data’’. This recommendation, along with a series of recommendations to the Ministry of Justice for amendments to narrow the scope of the exemption in Section 32 of the Data Protection Act 1998 (‘‘DPA’’), was made in light of the evidence given to the Leveson Inquiry with regard to Operation Motorman, the now notorious investigation into the extent of the trade in data between self-employed private detectives and the press, which, on the ICO’s evidence, it felt powerless to deal with at the time (see analysis at WDPR, January 2013, page 13). Although it is expressed to be open for consultation, the guidance is said to have been formulated as a result of extensive discussions with the media, and certainly reads more as a settled guide to good practice than a consultation paper. It is therefore important that media companies that have not been part of the process to date take the time to consider whether the proposals contained in the guidance as currently drafted would be workable in practice in a real newsroom, and make submissions within the deadline, if there is going to be a meaningful consultation across the wider industry.
The ‘Compliance Mindset’
What is very clear from the guidance is that, as far as the ICO is concerned, compliance, practice and procedures are going to be of paramount importance for media companies going forward. It will not be enough to say that the Section 32 exemption — which is a defence to a claim that there has been a breach of the DPA in certain circumstances — applies simply because the media company is concerned with journalism. A media company that wants to be able to rely on Section 32 will need to demonstrate 1) that it has clear policies about what does or does not need editorial approval; 2) that all staff have had some basic data protection awareness training and it is updated regularly; 3) that the company has an in-built public interest check at key stages of a story; 4) that the company has an inbuilt data protection check at key stages of a story; and 5) that it keeps an audit trail for decisions that may be challenged. The guidance suggests that ‘‘key stages of a story’’ will include the initial decision to pursue the story, any decision to use covert methods of investigation, and final decisions on what to publish. But in a fast moving newsroom, is it realistic to expect media companies to adhere to these procedures in practice? Or is the ‘‘compliance mindset’’ something that will become second nature to journalists following the Leveson recommendations?
While the ICO is at pains to say that these checks will not need to be particularly formalised or onerous, it is clear that the companies that are best able to show they have complied with the law will be those that have policies and procedures, supported by appropriate standard checklists, in place and can demonstrate that these are used. Although the ICO says it will not be determinative, the ICO makes clear that it will have regard to adherence to such policies and compliance with the relevant industry codes, and those that can demonstrate compliance are far less likely to face a claim.
Public Interest Journalism
The guidance seeks to reassure media companies that public interest journalism will almost always be covered by the Section 32 exemption. The DPA puts the onus on the media to make their own independent decision as to whether publication is in the public interest. It is important to be conscious that it is the belief of the data controller, not the individual journalist, that counts. Accordingly, it must be shown that it has been a corporate decision that the story is in the public interest, which suggests the journalist will be required to show that there has been some editorial involvement right from the outset. The ICO recognises that there is no definitive public interest test, and that how strong the public interest is will differ from story to story. It warns that journalists should consider each case afresh: Just because comparable material has been published in the past, it cannot be assumed that it will be acceptable. As examples of public interest journalism, the ICO cites with approval the indications given in the BBC Editorial Guidelines, which include: exposing or detecting crime, exposing significantly anti-social behaviour, exposing corruption or injustice, disclosing significant incompetence or negligence, protecting people’s health and safety, preventing people from being misled and disclosing information that assists people to better comprehend or make decisions on matters of public importance.
Privacy and Free Speech
The guidance is at pains to explain that it does not have any legal force or formal status, and that decisions on individual stories will take into account the particular circumstances of the case to give effect to the need to achieve a balance between the right of privacy and the right to freedom of expression. The ICO reminds readers that the need for data protection grew from concerns about protecting the individual’s right to privacy, but that its purpose is not to ensure privacy is maintained at all costs, only to strike a fair balance between individual privacy and the wider interests of society, in particular the right to know. The ICO asserts that it will always consider the impact on freedom of expression before taking any action, and that its main focus is likely to be on the media company’s decision making processes and procedures, so that, provided that these show the media owner has thoroughly considered the issues, there is unlikely to be a breach of compliance with the DPA.
Principles in Context
The guidance emphasises that the DPA contains no absolute prohibition on disclosure, and that the key is to consider what is fair in the circumstances, having regard to the eight data protection principles, which it restates in the context of the media as follows:
Fairness: The media must act fairly and lawfully and, whenever possible, tell the parties who they are dealing with and what they are doing. The obligation extends further, so the media owner must not cause any unjustifiable harm, or do anything that the subject would not reasonably expect.
Transparency: The media owner must be clear why data is being collected and what it is intended to do with it. It cannot be used for a different and unexpected purpose later.
Quantity: The ICO defines this as follows: ‘‘Personal data must be adequate, relevant and not excessive for your purposes. In other words, you must have enough information to do the job, but shouldn’t have anything you don’t need’’.
Accuracy: Personal data must be accurate and up to date. Reasonable steps must be taken to ensure facts are correct and not misleading, and, where an individual disputes the fact, his or her view should be included.
Time limits: Personal data must not be kept longer than necessary. It is necessary to show that it has been actively considered how long the information needs to be kept, and for this to be reviewed periodically. The ICO accepts that, in appropriate cases, it might be necessary to keep detail for long periods. The important thing is to show that this has been considered, and that there is a rational basis for the decision to keep the data.
Individual’s rights: It is necessary to comply with people’s right to access a copy of their personal data, to object to processing, and to opt out of direct marketing.
Security: All media owners must have appropriate security in place. Security obligations cannot be waived by relying on the Section 32 exemption.
International transfers: Personal data should not be sent out of the European Economic Area — including via a website — without adequate protection unless it is necessary for reasons of ‘‘substantial’’ public interest.
While the Section 32 exemption will provide a defence to a claim that there has been a breach of most of the above principles, the Section 32 exemption does not apply to all the activities undertaken by a media owner. It is limited to circumstances where data is being processed for the purpose of journalism, art or literature, with a view to publication, in the public interest, where compliance with the above principles would be ‘‘incompatible’’. The ICO makes clear that, if the journalist can comply, he or she must. It is not, by any means, a ‘‘get out of jail free’’ card, and does not excuse media companies from their other obligations under the DPA.
Sources and Contacts
With regard to confidential sources, the guidance specifically confirms that the DPA requires journalists to protect the identity of their sources, and that it will usually be permitted to remove the identity of confidential sources, for example, if the subject of the story makes a subject access request. Curiously, the ICO suggests that it would not be reasonable to redact the name of a confidential source ‘‘if the requester already knows who it is’’ — hardly a confidential source in that case. The ICO confirms that the DPA is not intended to prevent journalists from keeping useful contact details, as long as they were obtained legitimately, and they review them at regular intervals and delete those no longer required. So far as the Section 55 offences of ‘‘blagging’’ — attempting to obtain information through the use of deception — and other methods of obtaining data without consent are concerned, the guidance acknowledges that there are defences, including a public interest defence, but this does assume that the media owner and the journalist are confident they will be able to convince the court after the event that their actions were justified in the public interest.
Comment
Overall, the guidance is a useful and accessible review of the most relevant parts of the DPA as they apply to media owners, but, given that it states that it has no legal force or formal status, it is difficult to see exactly what the purpose of this consultation is intended to be. Having said that, it is clear that, while the ICO repeatedly seeks to reassure media owners that it recognises the importance of public interest journalism, its repeated explanation that its assessment as to whether or not there has been a breach will be strongly determined on the basis of its review of the media company’s observation and documentation of compliance procedures at every step of every story tends to suggest that the ICO has no hands on experience of a 24 hour rolling news provider in operation. Perhaps the real purpose of the consultation period is to provide just such an opportunity.
The text of the ICO’s draft guidance is available at http://ico.org.uk/~/media/documents/library/Data_Protection/Research_and_reports/data-protection-and-journalism-a-guide-for-the-media-draft.pdlibrary/Data_Protection/Research_and_reports/dataprotection-and-journalism-a-guide-for-the-media-draft.pdf.
Caroline Kean is a Partner at Wiggin LLP, London. She maybe contacted at caroline.kean@wiggin.co.uk
This article first appeared in the Bloomberg BNA Data Protection Report, February 2014
Expertise
Topics
Wiggin's expertise, delivered direct to you
