Data Protection (GDPR)

In May 2018, the UK law protecting people’s private information was overtaken by a much tougher law introduced by the European Union. It will remain part of the law in England and Wales even after Britain leaves the EU.

It is called the General Data Protection Act but is widely known by its initials, GDPR.

It has made a lot of organisations, from universities to small sports clubs, very, very twitchy. Mainly because of the MASSIVE fines they can be given for getting it wrong.

There are also some rules that seem a bit extreme – a picture that identifies someone is personal data, even if they just happen to get caught in the background – but some people are urging a commonsense approach. Their message: don’t panic. All the same…

However, there is an exemption for data that is gathered for journalistic purposes. Without this it would be very difficult for the media to publish anything without people’s formal consent – even people being exposed for wrongdoing.

And GDPR (and the Data Protection Act 2018) actually widens the exemption given for the “special purpose” of journalism – reflecting the view that there is a public interest in freedom of expression. Read more here.

“Personal data” means any information about someone that is personal to them. Storing, publishing or using someone’s personal data in some way is known as “processing” it.

Under the Data Protection Act, organisations had to take special care with “sensitive” personal data such as sexual orientation, political views, and personal health. If stored – say, in a filing system or on a computer – it must be kept secure.

GDPR requires the same or greater care for ALL personal data. “Sensitive” data is now known as “special category” data.

All data must be stored securely, and kept only for as long as it is needed for the purpose for which it was collected. People must now be told that information about them is being stored and “processed”. They have a right to know how it is being protected, and they can demand to see it – and have it corrected if it is wrong.

Most importantly, there is a new “right to be forgotten”, which means people can insist, say, that their personal information is removed from the internet, or from a filing system (unless there is a valid reason for it being there). This happened at Coventry University within days of the new law coming in.

The fines for data breaches can run into millions of pounds (for large corporations). Even small organisations, such as community sports clubs, are taking it seriously.

GDPR affects bloggers, including students: permission may be needed to show someone’s picture on a blog, and if a blog had followers and subscribers before the new rules came in, then the site owner should contact them to let them know what data is kept on them, and how it is being kept secure.

Private data can include an email address.

The media had exemptions under the Data Protection Act to make it possible to run stories about people. GDPR also allows exemptions for journalists, but we won’t really know how much freedom news organisations have until this has been tested in the courts.

A key point is that journalists must be able to demonstrate that they believe their story is in the public interest, and that it would not be possible to run it without breaching the normal rules about keeping and using private data. If someone had a right to know they were being investigated, and a right to stop a news organisation “processing” their private information, they could block the story. This is not what the law intends – hence the exemption.

The crucial thing to remember here is that the journalist or editor must be able to show that they reasonably believed their story was in the public interest – not that it actually was. This can only be a matter of opinion and in the fast-paced world of news reporting, journalists cannot seek official confirmation before publishing.

A key change in the law is that people may now be able to object if they appear in the background of a photograph or video, even if it has been shot in a public place, such as in a city centre or at a concert.

Under the old Data Protection Act, there was generally no right to privacy in this situation.

If someone’s face appears in a picture, that is “personal data”.

Photographers and videographers should ideally carry consent forms, and get them signed by anyone who appears in shot. It is also suggested that they put up signs to warn people that filming is taking place.

It remains to be seen whether anyone will really be able to insist that they be removed from the background of photographs.

And a photography blog – cited by the Centre for Community Journalism – argues that in places where people should expect a photographer to be present, such as a wedding or a sports event, then taking photographs is covered by the “legitimate interest” justification (as long as the pictures aren’t embarrassing – seriously).

For more advice, read David Banks’s guidance on the Centre for Community Journalism website, here.

Scroll down the same page for lots of other good advice on GDPR.
