In May 2018, the UK law protecting people’s private information was overtaken by a much tougher law introduced by the European Union. It will remain part of the law in England and Wales even after Britain leaves the EU.
It is called the General Data Protection Act but is widely known by its initials, GDPR.
“Personal data” means any information about someone that is personal to them. Storing, publishing or using someone’s personal data in some way is known as “processing” it.
Under the Data Protection Act, organisations had to take special care with “sensitive” personal data such as sexual orientation, political views, and personal health. If stored – say, in a filing system or on a computer – it must be kept secure.
GDPR requires the same or greater care for ALL personal data. “Sensitive” data is now known as “special category” data.
All data must be stored securely, and kept only for as long as it is needed for the purpose for which it was collected. People must now be told that information about them is being stored and “processed”. They have a right to know how it is being protected, and they can demand to see it – and have it corrected if it is wrong.
They may well have a
Most importantly, there is a new “right to be forgotten”, which means people can insist, say, that their personal information is removed from the internet, or from a filing system (unless there is a valid reason for it being there). This happened at Coventry University within days of the new law coming in.
The fines for data breaches can run into millions of pounds (for large corporations). Even small organisations, such as community sports clubs, are taking it seriously.
GDPR affects bloggers, including students: permission may be needed to show someone’s picture on a blog, and if a blog had followers and subscribers before the new rules came in, then the site owner should contact them to let them know what data is kept on them, and how it is being kept secure.
Private data can include an email address.
The media had exemptions under the Data Protection Act to make it possible to run stories about people. GDPR also allows exemptions for journalists, but we won’t really know how much freedom news organisations have until this has been tested in the courts.
A key point is that journalists must be able to demonstrate that they believe their story is in the public interest, and that it would not be possible to run it without breaching the normal rules about keeping and using private data. If someone had a right to know they were being investigated, and a right to stop a news organisation “processing” their private information, they could block the story. This is not what the law intends – hence the exemption.
The key point to remember here is that the journalist or editor must be able to show that they reasonably believed their story was in the public interest – not that it actually was. This can only be a matter of opinion and in the fast-paced world of news reporting, journalists cannot seek official confirmation before publishing.
A key change in the law is that people may now be able to object if they appear in the background of a photograph or video, even if it has been shot in a public place, such as in a city centre or at a concert.
Under the old Data Protection Act, there was generally no right to privacy in this situation.
If someone’s face appears in a picture, that is “personal data”.
Photographers and videographers should ideally carry consent forms, and get them signed by anyone who appears in shot. It is also suggested that they put up signs to warn people that filming is taking place.
It remains to be seen whether anyone will really be able to insist that they be removed from the background of photographs.
For more advice, read David Banks’s guidance on the Centre for Community Journalism website, here.