New guidance on Data Protection obligations for the media

The ICO has released new guidance on media obligations to comply with the Data Protection Act 1998 ("DPA"). Following the Leveson inquiry, it was recommended by Lord Justice Leveson that steps should be taken by the Information Commissioner's Office ("ICO") to provide advice on the appropriate principles and standards that should be observed in the media.

The ICO published its new guidance at the beginning of September and the full guidance can be found at guides/data-protection-and-journalism-media-guidance.pdf

In summary, all organisations or individuals who handle personal data need to be aware of their obligations under the DPA. These include a duty to notify the ICO of the handling of personal data and to comply with the eight DPA principles, which in brief, are to:

1. Process Personal data fairly and lawfully.

2. Obtain Personal data only for specified and lawful purposes, and not to further process it in any manner incompatible with those purposes.

3. Ensure Personal data is adequate, relevant and not excessive in relation to the purposes for which it is processed.

4. Keep stored Personal data accurate and up to date.

5. Only keep Personal data for the length of time necessary.

6. Process Personal data in accordance with the rights of data subjects under this Act.

7. Take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, and

8. Not transfer Personal data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Much confusion has arisen recently regarding the use of an exemption to the DPA provisions to safeguard the right to the freedom of expression (s32 of the DPA). The requirements for the exemption to apply are: (i) that the processing be undertaken with a view to the publication of any journalistic material and (ii) the data controller must reasonably believe that the publication would be in the public interest and (iii) the data controller must reasonably believe that compliance with the provisions of the DPA are incompatible with the journalistic purpose.

So when is a publication of Personal data in the public interest?

Unfortunately, there is no set answer to this question. The ICO's guidance makes it clear that the media should make their own decisions as to whether publication of Personal data is in the public interest and justification for any decision is provided. Therefore it will be required for the media to consider each use of Personal data on a case-by-case basis.

To assist in making a decision regarding whether the use of Personal data is in the public interest, the ICO has recommended all media organisations should provide data protection training to employees, have clear policies about what needs editorial approval, and ensure that the public interest is considered throughout the process.

Send us a message