You cannot apply the journalism exemption to the requirement to keep personal data secure. However, if you meet the criteria to apply the exemption, you no longer have to comply with the specific requirement to tell people affected by a data breach when there is a high risk (see Apply the journalism exemption).
What does the legislation say?
3.1 You must keep personal information secure. To do this, you must have appropriate, proportionate security measures, and update them when needed.
What is a security measure?
Security measures include cyber-security, organisational measures, and physical security.
3.2 To decide what measures are appropriate and proportionate, you must consider the same factors you do when you are demonstrating how you comply (see Demonstrate how you comply). However, you must also consider the available technology and the cost of security measures.
3.3 You must be able to restore personal information if there is a security incident as soon as possible (eg a backup system).
3.4 You must ask anyone acting on your behalf to demonstrate they can keep personal information secure (see Be clear about roles and responsibilities).
3.5 You must keep a record of personal information breaches and tell us as soon as possible if the breach is likely to cause harm to someone.
What is a personal information breach?
A personal information breach occurs if personal information is used in an unauthorised or unlawful way, is accidentally lost, destroyed, or damaged.
3.6 You must tell anyone affected by the breach if there is likely to be a high risk.
How do we comply?
3.7 The code’s guidance about demonstrating how you comply is also generally applicable to security (see Demonstrate how you comply).
Managing risks
3.8 To decide what security measures are appropriate and proportionate, you should consider significant risks and factors, such as:
- your organisation’s premises and computer systems;
- who has access to personal information; and
- any personal information a third party uses on your behalf.
3.9 In some cases, a security breach could pose a risk to someone’s physical health and safety. For example, if a breach could identify a journalist’s confidential source. In that case, you should have strong security measures, including strict measures controlling access.
3.10 Reviewing and updating your security measures should include scanning for network vulnerabilities to prevent risks developing that compromise your security.
Implementing security measures
3.11 There are a wide range of low-cost and easy to implement cyber-security solutions. You should consider common techniques such as encryption and password protection. You should also secure physical locations.
Working flexibly and travel
3.12 Journalism often relies on remote working and portable devices. You should consider how you keep your IT equipment secure, especially portable media and devices. You should consider the increased security risks if you allow employees to work remotely or use their own devices for work purposes.
3.13 If your employees are travelling with personal information, you should train them to follow fundamental security advice and be aware of common security issues.
Reference notes
These reference notes support the Data protection and journalism code of practice (the code) but are not part of the statutory code itself.
3.13 Travelling with personal information and common security issues when travelling
Travelling with personal information
If you are travelling with personal information, fundamental security advice includes:
- check Foreign Office travel advice, if going overseas;
- only take what you need;
- keep devices and papers with you and store them securely; and
- lock or power off your device when you are not using it.
Common security issues when travelling
Common security issues when travelling with personal information include:
- discussing confidential information;
- allowing people to overlook a screen; and
- writing down or telling someone your password.
Key legal provisions
- UK GDPR article 5, paragraph 1(f) – the security principle
- UK GDPR article 25 – data protection by design and by default
- UK GDPR article 28 – requirement for processors to provide “sufficient guarantees”
- UK GDPR article 32 – security of processing
- UK GDPR article 33 and 34 – notification of personal data breaches
Further reading