The General Data Protection Regulation put fear of legal action into organisations across Europe when it was introduced in 2018: from major corporations to small sports clubs. Nearly all now have a GDPR policy.
And no wonder: the potential fines for mishandling data are 20 million euros, or 4% of your total worldwide annual turnover – whichever is bigger.
Basically, the GDPR says that personal data about people is private and can only be stored or used (or “processed”) for legitimate reasons, with strict rules.
A new UK law, the Data Protection Act 2018, will operate alongside GDPR and in some respects is even tougher. It sets out the rules for handling criminal data.
Journalism and GDPR
The good news: journalism is a “special purpose”. This means journalists have exemption from some of the rules. Without that exemption, they wouldn’t be able, say, to carry out investigations. But the media organisation must believe there is a public interest in the story it is researching. Otherwise, the normal rules apply.
What is personal data?
- Personal data is information that relates to someone who is – or could be – identified. “Relates” means it has to be “about” them.
- This could be as simple as their name, address, job, phone number, picture… but also an IP address or a cookie identifier. This may seem harmless information (perhaps less harmless in the age of identity theft). There’s more to come, though.
- If it relates to someone, it’s personal data even if it’s wrong (inaccurate).
- If it relates to a dead person, it’s no longer “personal data” under GDPR rules.
If you store or use personal information about people, you are a data processor. In an organisation, there will be a responsible person called the data controller. Someone who works alone – a freelance journalist, say – will also be a data controller, since they’ll be in charge of their own data processing.
Seven key principles
The GDPR says (translated into plain language):
- People should know you are keeping their data, and why; and they are entitled to know exactly what data you’re keeping (“lawfulness, fairness and transparency”).
- It can be collected only for “specified, explicit and legitimate purposes”.
- It should only be as much as is needed for the specified purpose, and no more – and it has to be relevant.
- It must be accurate and up-to-date.
- It can be kept no longer than is necessary (for the specified purposes). If it is then put in an archive, rules apply on making sure people cannot be identified from the data.
- It must be kept secure. There must be protection against it being lost or damaged – and against it being used illegally, or in an unauthorised way (“integrity and confidentiality”).
Transferring data abroad
The “old” Data Protection Act said personal information could only be transferred to other countries where it was highly likely to be kept secure. The protections of GDPR apply across most of Europe, but outside that area, doubts creep in. The Information Commissioner’s Office has fully assessed only a small number of countries – none of them in Africa. Even the USA and Canada had only been partly assessed at the start of 2019.
Special category data
Sensitive personal information is classed as “special category data”. For this, there are extra protections in place. Surprise, surprise: you can’t go round processing data about someone’s sex life without a very good reason. Using special category data potentially poses “significant risks to a person’s fundamental rights and freedoms,” says the Information Commissioner’s Office: “For example, by putting them at risk of unlawful discrimination.”
Special category data includes information about someone’s
- ethnic origin,
- trade union membership,
- biometrics (where used for ID purposes),
- sex life, or
- sexual orientation
…in fact, all the really interesting things that you wouldn’t necessarily want other people to know about you.
There must be an extra justification for processing special category data. The ones most likely to apply to journalists are:
- Explicit consent
- The information has been “manifestly made public” by the individual concerned
- Substantial public interest
- It is “necessary for archiving purposes in the public interest”.
Criminal offences and convictions are not on the list (they used to be, under the “old” 1998 Data Protection Act, which is no longer in force). There are now special rules in place relating to crime.
But note that GDPR is not a reason for courts to refuse to send lists of upcoming cases – known as court lists – to the media.
You must have a lawful basis for processing data. But this could be as simple as being hired to take pictures at a wedding. You should know what your legal basis is from the start, and document it. Processing the data must be “necessary”: if you can achieve your purpose without collecting the data, then you don’t have a legal basis for doing it.
There are six kinds of “lawful basis”:
- Consent: the individual has given clear consent, for a specific purpose. But they can withdraw it. “Legitimate interests” (below) gives the data processor more control.
- Contract: you need to store someone’s data to keep to a contract you have with them (or will be entering into).
- Legal obligation: to comply with the law.
- Vital interests: to protect someone’s life.
- Public task: to perform a task in the public interest, or an official role, that has a clear basis in law (which includes journalism, and education).
- Legitimate interests: it is necessary for your legitimate interests (or those of a third party), unless there is a good reason that makes it more important to protect someone’s personal data.
The Information Commissioner’s Office has an interactive tool to help people decide what lawful basis might apply.
Questions to consider
If someone wishes to rely on legitimate interests as the lawful basis for using data – say, a photographer at a public event – then there are factors to consider.
- Would individuals expect this processing to take place? At a wedding, or a sporting event, the answer should be yes – they’d expect photographers to be there.
- What is the impact on the individual?
- Are they vulnerable?
- Is anyone likely to object?
- Are you able to stop the processing at any time, on request?
Individuals have various rights under the GDPR, including the right of access – meaning, to know what information about them is being held. The full list is here.
Personal data relating to crimes and convictions is in a category of its own. This means a lawful basis is not enough to justify processing it. These are addressed in the “new” Data Protection Act 2018. For journalists, this is straightforward: journalism is a special purpose under the law, and there is a special public interest in freedom of expression. There is a similar exemption for academic publishing.
People must be told
…that their data is being stored (except where the journalistic exemption applies). Data controllers should have a privacy notice explaining why the data is being processed.
And they can insist on erasure (for some things)
…which means they can tell you to stop processing their data and delete it. But not in all cases.
One reason the “right of erasure” does not apply is very important for journalists, photographers and broadcasters. As the ICO website says:
“The right of erasure does not apply if processing is necessary […] to exercise the right to freedom of expression and information…”
[and for] “the performance of a task carried out in the public interest…”
Those are just some of the rules. The trouble is, it’s not clear yet how strict they are. An excellent blog post called The Photographer’s Guide to GDPR sets out some “pragmatic” advice… with the caveat that it’s not actually the kind of legal advice you get from an actual lawyer. Here’s a couple of screen grabs: