The long anticipated publication of a statutory data protection code for Journalism took a step closer to being realised with the closure on 24 January 2022 of the Information Commissioner's Office (ICO) consultation on its Draft Journalism Code of Practice (Code). When finalised the Code will replace the ICO's now outdated guidance for media (Guidance).
Weighing in at over 93 pages, the Code is more than a cursory overview of the considerations relevant when processing personal data for the purposes of journalism. There are key differences between the Guidance and the Code, with the Code adopting a more practical approach with detailed consideration of the tensions between competing rights, and an analysis of the application of the journalistic exemption (which we look at in more detail here.
Origin and legal status
Following the 2012 report of the Leveson Inquiry into phone hacking and press standards, the ICO published the Guidance setting out views on standards for the media to help them comply with data protection law (under the Data Protection Act 1998). The Guidance had no legal force.
The Code is required to be published by the ICO under the Data Protection Act 2018 (DPA 18). As a statutory code, the ICO, courts and tribunals will be required to take the Code into account when considering data protection compliance and data protection issues in legal proceedings. Courts will rarely depart from statutory codes unless there is good reason to.
Audience
Both the Code and the Guidance apply to those involved in processing personal data for the purposes of journalism including media organisations, freelancers and citizen bloggers. However, whereas the Guidance was targeted particularly at senior editors and other compliance staff generally, the Code specifically identifies lawyers, data protection officers and senior editorial staff as its main audience.
Accountability
The Code incorporates the updated legal concept of accountability, requiring journalistic organisations to not only comply but to evidence compliance in practice. The ICO suggests that the key to ensuring compliance is to foster an internal compliance culture with "strong leadership" and a "positive tone from the top".
As part of this focus on accountability, the Code underlines the importance of documentation, including conducting Data Protection Impact Assessments (DPIAs) where processing involves higher risk. However, this obligation does not mean a DPIA is needed for every story likely to involve high risk processing; a general DPIA for overall types of processing (eg special investigations journalism) is likely to be enough. Further, where a DPIA concludes there are risks that cannot be mitigated, the Code acknowledges that consulting the ICO may be impossible or unrealistic under certain circumstances. In such cases the special purposes exemption may apply, removing the requirement to consult.
Lawful basis for processing
The Code considers the lawful basis relevant to both personal data and special (sensitive) category data but could say more about identifying the appropriate Article 6 lawful basis for processing personal data. Reference is made to reliance on legitimate interests and/or consent and there is some useful material on when consent would not be relevant, but more examples of the lawful grounds likely to be relevant to specific processing activities would be helpful if the Code is to avoid raising more questions than it answers in this area.
In the case of the lawful basis for special category data processing, the Code has more to say, reflecting the broader scope of the substantial public interest condition within the DPA 18 relevant to "Journalism in connection with unlawful acts and dishonesty".
This condition applies if processing consists of the disclosure of personal data for the special purposes (including journalism) and is carried out in connection with the following (whether alleged or established):
- the commission of an unlawful act by a person
- dishonesty, malpractice or other seriously improper conduct of a person
- unfitness or incompetence of a person
- mismanagement in the administration of a body or association, or
- a failure in services provided by a body or association.
In a similar way to the tests that form part of the special purposes exemption for journalism, this can be relied upon by showing that:
- the processing is necessary for reasons of substantial public interest
- carried out with a view to the publication of the personal data by any person
- it is reasonably believed that publication of the personal data would be in the public interest.
The Code helpfully puts this into context, explaining that this condition is particularly useful in cases of whistleblowing, as it can be used to justify the disclosure of personal data by a controller to a journalist and may also be of general relevance when processing personal data of criminals alongside another basis such as consent or where such data has been manifestly made public by the subject.
Other specific provisions relevant to how journalists process the personal data of criminals and those under investigation include:
- that where a conviction is 'spent' under the Rehabilitation of Offenders Act 1972, former criminals will likely and reasonably expect a right to privacy, even where such personal data was made public in the past
- that subjects of criminal investigations will generally (but not always) have a reasonable expectation of privacy because of the stigma attached and the damage that could be caused to their reputation.
This section will be of particular interest to journalistic organisations, as it addresses the outcomes of the Cliff Richard and ZXC v Bloomberg cases.
Investigative journalism
The Code acknowledges in certain investigative contexts that journalists may be able to mislead people about their identity or intention by relying on the special purposes exemption, where the journalist plans to use undercover or intrusive covert methods to get a story. However, journalists should be aware that the more intrusive the activity, the more difficult it will be to justify such activities as being in the public interest. Where the processing concerns special category data, the ICO emphasises the need to keep appropriate records of decision making.
Transparency
The Code dedicates more attention to the role of transparency than the Guide does. It takes the practical view that it will not always be reasonable (or even possible) to provide an individual with privacy information in the course of performing journalistic activities, specifically referring to situations where the individual's contact details are unknown or where giving information would undermine journalistic purposes in some way and where the special purposes exemption may be relied upon.
Accuracy
Both the Guidance and the Code state that accuracy is core to the practice of journalists' work. However, only the Code provides practical examples of how to achieve this, outlining the following examples:
- policies to set out a clear process for checking facts and sources
- an accuracy checklist or flowchart to support journalists in their work, and/or
- systems to record inaccuracies and monitor recurring themes.
The Codes specifically addresses 'sources of information', noting that higher levels of risk are associated with internet sources, social media or other user-generated content. And that the onus is on the journalistic organisation to ensure information relied on is accurate, even where the information was sourced from another news provider.
Retention
Whereas the Guidance addressed retention generally, the Code considers this specifically from a journalism standpoint. The Code reiterates that there is no specific time limit on how long personal data can be retained and that in each case it should be proportionate to the journalistic purposes for which it has been collected. In this regard, the Code goes so far as to consider that research and background information, such as contact details, can be so vital to journalism that they "may" be kept indefinitely.
With that said, the Code explains that retention times will vary on a case by case basis, and journalists should generally be guided by the nature of the public interest concerned or any risks associated with retaining or deleting the information.
Finally, the Code considers the right to erasure in the context of news archives. It explains the strong, general public interest in the preservation of such archives, as they contribute significantly to the public’s access to information about past events and contemporary history which (depending on the context) will generally be a weighty factor in favour of preservation of personal data within news archives.
Next steps
The Code serves as a significant step forward with its real value being found where practical advice and examples are provided that relate specifically to journalism.
The ICO is currently considering contributions to its recent consultation on the draft Code but the final version (expected later this year) is unlikely to differ substantively. Journalistic organisations should start to assess and benchmark the Code's requirements against their internal policies and practices.