We use cookies to make your experience of our website better. Some of these are set by third party Google Analytics to help us analyse website traffic. To comply with privacy regulations, we require your consent to set these cookies. If you continue to use the site without selecting an option we will assume you are happy for us to use cookies.

Leveson And Data Protection?

Leveson And Data Protection?

Ross McKenzie

The royal charter underpinning a system of press regulation has received much of the headline attention following the Leveson Inquiry. However, the report of the Leveson Inquiry also recommended that the regulator of the Data Protection Act (“DPA”), the Information Commissioner’s Officer (“ICO”), should take steps to provide guidelines for the press to observe when processing personal data. 

In response to this recommendation, the ICO have published a draft guidance note titled “Data Protection and Journalism: A Guide for the Media”. (Accessible from here) The ICO is seeking views on the draft up to 22 April 2014. 

You may be wondering what does data protection have to do with the press, particularly when much of the focus by the press during the Leveson Inquiry was related to voicemail hacking?

The DPA regulates the processing of information relating to a living individual, known as “personal data” which is stored on a digital device or in a organised filing system. The scope of what is personal data is also very wide and can include things like a photo, a phone number, even opinions or intentions about a person and also even voicemails.  With that in mind, it can be seen how relevant the DPA really is for the press given that the very vast majority of stories reported are all about people whether they be celebrities or your next door neighbour.

The ICO’s proposed guidance should be a useful reference point for the media because it helpfully pulls in relevant examples when discussing the various aspects of the DPA. It doesn’t set out any new rules since that’s for parliament.

If you work in the media industry, I would recommend having a look at the guidance in detail for the specifics, but some interesting points worth flagging up include that:

  • If you’re publishing a story about an individual, you should get their consent.
  • Where consent can’t be secured, you need to decide if the publication is necessary for “legitimate interests” which includes whether the story is in the public interest when balanced against an individual’s right to privacy.
  • Importantly, the guidance underlines that the default setting is “not publication”. There has to be a justification. If there’s a serious impact on an individual’s private life by publishing, then there would need to be a significant public interest to justify publication.
  • If the story involves sensitive personal data, explicit consent from the individual concerned is essential.
  • The guidance notes that existing industry codes of practice can be helpful in determining what’s in the public interest however it will not automatically mean that other industry codes of practice will apply in the same way for the DPA.
  • A detailed discussion of the “journalism exemption” contained in the DPA is provided by the guidance. This exemption sets out how the principle of freedom of expression can be used in limited circumstances to disapply a provision of the DPA to legitimise the publication of a story. It’s not a blanket exemption.
  • The guidance underlines that the decision to publish a story is that of the organisation publishing the story. Not the journalist. The requirement to comply with the DPA falls on the publisher.
  • Any decision to publish should be made in line with clear policies and should involve inbuilt public interest and data protection checks by management.
  • Decisions should be logged to keep an audit trail.

The guidance is of course subject to change following the consultation, but it seems to form a good reference point for the media when considering the DPA.

I’d like to hear from you if you have any views on the guidance, so please get in touch on this or any other data protection relation queries. 

Ross McKenzie
Senior Solicitor