ICO consults on new draft journalism code of practice

The question

How can the ICO’s proposed new code help journalists balance their data protection obligations whilst maintaining the public interest and their freedom of expression?

The key takeaway

The code will provide a framework for journalists to help them understand and comply with the UK GDPR. It does not concern press conduct or standards in general. 

The background

The Data Protection Act 2018 (DPA) requires the ICO to produce a number of statutory codes, including the journalistic code of practice. It is primarily focused on controllers whose primary purpose for processing personal data is journalism, but it will also have relevance to other controllers (non-professionals) that process data for the purposes of journalism.

The development

The new guidance aims to bring journalistic data protection practice in line with the UK GDPR. It provides practical guidance on ten key requirements journalists need to cover. These are:

1. Balancing privacy rights with journalism: This section explains what is meant by journalism and explains the special purposes exemption.
2. Be able to demonstrate compliance: Accountability is key, which is why this section includes an explanation of Data Protection Impact Assessments (DPIAs) and when they’re needed (which is not for every story but for the overall type of processing).
3. Keep personal data secure: This includes consideration of the heightened security risks that could arise by virtue of the work that journalists undertake (eg risks of remote working, use of portable devices etc).
4.  Justify your use of personal data: Considerations include processing personal data fairly by considering what a person would reasonably expect in the circumstances and whether the processing would cause any unwarranted harm.
5. Take steps to ensure the personal data is accurate: This explains that taking reasonable steps to make sure personal data is accurate is fundamental to both journalism and data protection, and how this can be achieved.
6. Process personal data for specific purposes: Data should only be processed for specific reasons that are compatible with the initial purpose. Processors should be wary of creeping into territory in which data is processed for a new purpose that is not compatible or acknowledged.
7. Use the right amount of data: You must make sure that you have sufficient personal data to do what you need to do, that it is relevant, and not excessive. Essentially, this reinforces the principle of data minimisation.
8. Decide how long to keep data: It may be difficult in a journalism context to know when or if a piece of information will be useful in the future. The code contains guidance on how to take a considered and justifiable approach.
9. Be clear about roles and responsibilities: This includes guidance on understanding the respective roles of journalists and third parties who process data on their behalf.
10. Help people to exercise their rights: This includes practical guidance on individuals’ request for access to, and erasure of, their data.

The code also addresses the appropriate approach journalists should take when handling disputes and enforcement of GDPR breaches in this context. In particular, the code helps journalists in understanding public interest defences available to them for offences under the DPA.

It is important for journalists to understand that the special purposes exemption is not a silver bullet. The code should also hopefully assist them in establishing greater processes/measures to ensure compliance and understanding on its use. 

Why is this important?

The existing code was written in the wake of the Leveson enquiry in 2014 and does not deal with many of the changes brought in by the GDPR. The new code is an important step forward.

Any practical tips?

The consultation closes on 10 January 2022. The ICO is encouraging feedback by completing an online survey at journalismcode@ico.org.uk.