Data protection

As of 25 May 2018, the General Data Protection Regulation applies in the UK and across Europe, toughening up the requirements of the law it replaces – and increasing the penalty for breaches of privacy.

The law itself is here.

The UK parliament has also been debating a new Data Protection Bill. Read about it on the website here.

This page will be updated in time for the next round of media law teaching at Coventry University – and as new insights emerge into the impact of the GDPR on journalism.

For now, information about the old Data Protection Act remains on the page (below) for archive purposes. The principles of the new law are very similar.



Data protection is a key topic for the 2018 first-year media law test at Coventry University. It comes up in more than one question. Students should endeavour to memorise the key points in burgundy type – not word-for-word – but need not revise (or even read) the material in pale grey type

Reinforce learning by reading the Information Commissioner’s quick guide to data protection and journalists

Note: data protection law changes in May 2018 with the introduction of the EU’s General Data Protection Regulation directive. This briefing covers the Data Protection Act 1998 in the UK as it currently stands (February 2018), based primarily on Quinn’s Law for Journalists. 

However, students who wish to brief themselves on the incoming law may find the following article helpful:

What the European Union’s GDPR means for journalists and publishers – Dave Gurney, writing in Press Gazette, says the directive brings “new rules around reader consent, profiling, portability and the right of the consumer to be forgotten.” It sets out an explanation in detail.

This briefing document will be reviewed in the light of the new directive – which will continue to affect journalists in the UK even after Britain leaves the European Union.

The Information Commissioner’s Office also publishes a short guide to data protection for journalists, based on the pre-2018 rules, here. Students are advised to read both this briefing and the ICO guide, in order to reinforce learning.

For news items on this topic, click on the Data Protection link in the left-hand column of this website.


Journalists can find their activities restricted under the Data Protection Act 1998 (sometimes when people misuse it to thwart block legitimate enquiries). Media organisations and even solo freelance journalists also have serious duties to look after information they store about people either

  • on a computer, or
  • in a filing system or other retrievable form

They can be guilty of a criminal offence if they fail in their duties in handling personal data.

The media does have some exemptions under the Act – otherwise, many stories could never be told – but journalists must take great care in publishing stories that give details of sensitive personal data.

Sometimes, journalists are wrongly refused information they need on the grounds that releasing it would breach the Act, when this is not the case. They may be able to challenge this.

Interview notes in a notebook – unless systematically filed – are unlikely to count as personal data, according to Quinn in Law for Journalists. 

But photographs can count as data.

The Information Commissioner oversees both the Data Protection Act and the Freedom on Information Act, offering advice and adjudicating in disputes.

What is personal data?

At a basic level it involves private information about people, including opinions about them – such as their family life, or their phone number. A mere mention of someone’s name in a document does not count as personal data.

The higher category is sensitive personal data. This covers:

  • race or ethnicity
  • political views
  • religious or similar beliefs
  • trade union membership
  • health
  • sex life
  • criminal record, including allegations of crime
  • legal proceedings, including outcome and sentence.

Three terms

A data subject is the person referred to in data
A data controller is the person or organisation holding the data
Processing data, in practice, means obtain, recording, holding, using or disclosing information (which includes publishing it).


Media organisations and freelance journalists who store data must

  • register as a data controller, via the Information Commissioner
  • comply with the Act when processing data (e.g. take care of it)
  • comply with the rights of data subjects

Failure to register, and give details of security measures to protect personal data, is a criminal offence.

Eight principles

The Act sets out eight principles on how data must be handled. The key points for journalists are that it must be:

  • for limited purposes (for example, only for journalism)
  • relevant and not excessive
  • accurate and up-to-date
  • kept no longer than necessary
  • kept secure
  • not transferred to countries with inadequate data protection

Another of the eight requirements is that it is processed fairly. For journalists, this likely to mean the subject has given their consent (“Is it okay if I keep a copy of your phone number?”). But if personal information has been obtained by deception, this might well breach the Act. This applied when a photographer sneaked in to the wedding of film stars Michael Douglas and Catherine Zeta-Jones.

Security matters. If a journalist loses a memory stick or laptop containing personal information, that is a breach of the Act. So is leaving information on a computer screen – in an office, say, or even on a train – where it can be read by people not entitled to see it. Intentional or reckless disclosure can result in a fine (under the Criminal Justice and Immigration Act 2008).

The eighth requirement is that information is processed in accordance with the subject’s rights. These include their right to find out what information is kept about them. It is worth pointing out that journalists also have rights to know about information that is kept on them – say, by the police or their employer.

Anyone has the right to find out what information is held about them by an organisation, by submitting a “subject access request”. This can even mean that email correspondence must be disclosed to the person it relates to.

It is important not to confuse a subject access request with a Freedom of Information request under the Freedom of Information Act. A subject access request can only be made by the person the data relates to, but the information can be sought from any organisation that might hold personal data; anyone has the right to information under the Freedom of Information Act, regardless of whether it relates to them, but only certain bodies – usually governmental or publicly-funded organisations – have to supply such information. 

The subject can also require a data controller to correct inaccuracies, or ask them to stop processing their data (that is, keeping information about them), and if necessary, press their case in court. Compensation can be sought for harm done, but pay-outs are likely to be small (£50, for Michael Douglas and Catherine Zeta-Jones).

Question: BBC radio programmes often include live interviews by telephone, and the phone numbers of interviewees are recorded on the running orders – which are then archived. BBC journalists can access these archives at any time. Has the Act been breached? The answer may depend on various factors, including whether the interviewee is told about the archiving, and whether this constitutes keeping information longer than is necessary; but also the practicality of deleting numbers, and the likelihood of journalists searching the archives for them. What if the person is interviewed anonymously, but their real identity is recorded internally? 

Processing sensitive personal data

Under Section 2 of the Act, it is legal to process sensitive personal data if the subject has

  • given explicit consent, or
  • deliberately made the information public themselves

A later order (2000) adds that journalists can legally disclose sensitive data in the public interest, in order to expose any proven or alleged

  • unlawful act
  • dishonesty, malpractice, seriously improper conduct, incompetence or unfitness of any person, or
  • mismanagement or failure in service

Exemptions for the media

“…it will be obvious that there are many situations in which the media cannot comply with the Data Protection Act and still do their jobs effectively. For example, no form of investigative journalism would be possible if reporters had to tell the subjects of their stories every bit of information they held on them and the subject had to consent before the material could even be looked at, let alone published.” – Quinn, Law for Journalists

Section 32 of the Act gives special exemptions to allow journalists to breach the terms of the Act. Three conditions must all be met:

  • processing is with a view to publication of journalistic or literary material
  • the data controller reasonably believes that publication is in the public interest, AND
  • the data controller reasonably believes it is impossible to comply with the Act

If those conditions are met, the media does not have to:

  • obey the rules on processing (handling) data, except the requirement to store it securely
  • let subjects know what data is kept on them
  • stop processing data where it might cause harm or distress
  • delete or put right data that is incorrect, or expressions of opinion based on incorrect data

Legal action under the Act can be stayed (put on hold) while the Information Commissioner decides whether the conditions for journalistic exemptions have been met – but only where stories have yet to be published. Otherwise, people could use the Act to block publication.

The Information Commissioner’s own quick guide for journalists says the commissioner’s office (ICO) does not have to agree that publication is in the public interest; only that the media organisation reasonably believed it to be so.

That is one giant leap backwards from the state of play under the existing act. At present, if personal data is processed only for journalism (or for academic inquiry), and its publication can be deemed to be in the public interest, then journalists are exempt from rules that prohibit such personal inquiries.

In common with jurisdictions elsewhere in the world, journalistic exemption has been considered fair and reasonable. How can journalism work otherwise? How can power be held to account if that power is able to stifle investigations into itself?

Without wishing to be unduly pompous about a trade that, sadly, is not held in the highest public esteem, the whole point of journalism in a democracy stands to be undermined by this new data protection clause. Sinners could well escape proper scrutiny.

Note also that there is a public interest in upholding freedom of expression. This might mean that although a story might not be “in the public interest” in its own right, it is generally against the public interest to restrict the freedom of the media to publish stories. This principle also applies in other areas of the law: for instance, it is grounds to oppose a court injunction.

In assessing a public interest justification, the ICO may consider whether a story complies with either the Ofcom Code (for broadcasters) or the Editor’s Code (for print and online publishers). These both require efforts to be accurate and fair.

Case study: the Court of Appeal found the journalistic exemption did apply when the Mirror revealed that the model Naomi Campbell had a drug problem, even though this breached the rules on sensitive personal data. This was because she had previously denied having a drug problem; the story corrected a false claim by a public figure.

Case study: Michael Stone, who killed a mother and her daughter while being treated for mental health problems, tried to block publication of an inquiry report because it disclosed private medical information. The High Court found a clear public interest in full disclosure. 

Unlawfully obtaining data – a new defence

It is an offence under the Data Protection Act to obtain personal data by unlawful means. However, the Criminal Justice and Immigration Act 2008 gave a new defence to this for journalists who could show they were acting for journalistic (or literary) purposes, in a genuine belief that they did so in the public interest.

Protecting sources

Some people and organisations might try to use the Act to force a journalist to expose their sources – say, by demanding access to information about them that was leaked by a whistle-blower.

But Clause 14 of the Editors’ Code of Practice says:

Journalists have a moral obligation to protect confidential sources of information.

Some protection is provided by Section 7(4) of the Act, which says information should not be released if it relates to another individual and identifies them (unless they consent).

Nonetheless, if a request is made by a data subject, the journalist may have to disclose the data held but with names and other identifying details withheld (“redacted”). Note that the information would not need to be released if it can be shown that the journalistic exemptions apply.

Towards the end of 2014, a campaign was mounted after it emerged that police were using another law to inspect the phone records of journalists, without having to obtain consent from a judge – apparently in order to hunt down whistle-blowers who had leaked stories to the press. Ironically, this was the same law (the Regulation of Investigatory Powers Act, or RIPA) that was used to jail the first convicted phone hackers. Read more here. In 2015, it was established that the act should not have been used in this way and that police should apply to a judge for access to journalists’ phone records.

In March 2016, Home Secretary Theresa May unveiled proposed revisions to RIPA that would greatly extend police powers to obtain personal information. The media dubbed it a “snooper’s charter”. Read more here.

The Guardian said of the Investigatory Powers Bill: “…its impact on the human rights of the British people would be monumental… It is not only democracy that the government has treated with contempt but the British public.”

Example of a data breach

There’s quite an interesting story here.

More – if you’re really interested

Data protection is an increasingly important area of the law for journalists, especially in the wake of the scandals involving phone hacking and payments to public officials for confidential information. The law column on the HoldTheFrontPage website commented on this in 2014, here

All freelance journalists should understand the need to register – for a fee – as data controllers, if they intend to store information about their contacts, for instance.

Lord Leveson, in his report on press ethics, recommended a number of measures to toughen up data protection laws – and take away some of the exemptions for the media.

Read his proposals in the executive summary of his report, here (paragraphs 48-66 – page 38 onwards)
















Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: