Information Commissioner's Office
Blog: Helping us strike the right balance between journalism and data protection
Privacy and freedom of expression are both fundamental rights that are equally vital to our society, democracy and way of life. But they can sometimes appear to be in conflict with each other. Our data protection laws aim to reconcile these rights and achieve a crucial balance. But it is important that those organisations engaged in journalism know how to apply the requirements and exemptions in practice.
Respecting individuals’ rights and treating their personal data within the law is vital to maintaining the public’s trust, and this applies to journalism just as much as any other purpose. Increasing the public’s trust and confidence in how their data is used is the ICO’s ultimate strategic goal.
However protecting freedom of expression, and the inherent public interest in a free press, is also crucial and something we have always recognised in our interpretation of data protection law and when using our regulatory powers.
We recognise that journalists’ activities are under increasing scrutiny and the sector is experiencing pressure imposed by new business models and competition from new platforms. Now, more than ever, it’s important that clear and practical guidance on what the law requires is readily available.
We are no stranger to the challenge of helping journalists get this balance right. In 2014, in response to a recommendation made by the Leveson Inquiry and after extensive consultation with the media sector, we produced detailed guidance on data protection and journalism under the previous Data Protection Act 1998. Whilst the GPDR and Data Protection Act 2018 (DPA2018) bring new provisions that media organisations will have to get to grips with, the basic principles remain the same.
The DPA2018 also imposes new obligations on the ICO in relation to journalism. Specifically we are required to:
- produce a code of practice for the use of personal data in journalism,
- create guidance for members of the public when they believe that their personal data has been misused in the course of journalism, and
- carry out periodic reviews of how the industry is fulfilling its data protection obligations and report our findings to the Government. The code will be the benchmark from which we will measure compliance when conducting these reviews.
Today, as an initial stage in meeting our obligations, we are launching our Call for Views on the journalism code of practice.
We will use our existing media guidance as a framework to inform the code and will update the contents to reflect the requirements of the new legislation, and take account of developments in case law and the field of journalism more generally.
It is important to remember that the ICO is not alone when it comes to helping journalists live up to their obligations. We are not a regulator of press standards more generally; our focus is on data protection issues arising from the use of personal information in journalism. Other regulatory bodies, such as IPSO, IMPRESS and Ofcom already exist to police standards in the industry, and we will of course be working collaboratively with them to ensure that the code fits well within this wider framework.
Ultimately we want the code to provide journalists and media organisations with a helpful, practical toolkit to assist them in complying with their data protection obligations. Therefore we encourage journalists, media companies, civil society and campaign groups, academics, bloggers and members of the public to submit their opinions and ideas to our Call for Views by the deadline of 27 May 2019 and help us provide the practical guidance that helps strike the right balance in this important area.
Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
- The General Data Protection Regulation (GDPR) is a new data protection law which applies in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security.
- Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
- To report a concern to the ICO go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
ICO fines home security company for making thousands of nuisance calls14/06/2019 09:10:00
The Information Commissioner’s Office (ICO) has fined Smart Home Protection Ltd £90,000 for making nuisance calls to people registered with the Telephone Preference Service (TPS).
Former customer services officer fined after unlawfully accessing personal data10/06/2019 17:20:00
A former customer services officer at Stockport Homes Limited (SHL) has been found guilty of unlawfully accessing personal data without a legitimate reason to do so.
G20 Side Event - International Seminar on Personal Data05/06/2019 12:25:00
Speach given yesterday by the ICO at the G20 Side Event – International Seminar on Personal Data.
Blog: Counting the cost of accessing environmental information04/06/2019 11:10:00
Blog posted by: Gill Bull, Director of Freedom of Information, 03 June 2019.
When it comes to explaining AI decisions, context matters03/06/2019 12:25:00
Alex Hubbard, Senior Policy Officer at the ICO, looks at some of the key themes identified in the ICO and The Alan Turing Institute’s interim report about explanations of AI decisions.
Blog: GDPR – One Year on31/05/2019 09:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 30 May 2019.
Blog: ICO regulatory sandbox29/05/2019 12:25:00
Work begins on creating ICO Sandbox short list as application period closes.
Known security risks exacerbated by AI24/05/2019 09:25:00
As part of our AI auditing framework blog series, Reuben Binns, our Research Fellow in Artificial Intelligence (AI), Peter Brown, Technology Policy Group Manager, and Valeria Gallo, Technology Policy Adviser, look at how AI can exacerbate known security risks and make them more difficult to manage.