Privacy and freedom of expression are both fundamental rights that are equally vital to our society, democracy and way of life. But they can sometimes appear to be in conflict with each other. Our data protection laws aim to reconcile these rights and achieve a crucial balance. But it is important that those organisations engaged in journalism know how to apply the requirements and exemptions in practice. 

Respecting individuals’ rights and treating their personal data within the law is vital to maintaining the public’s trust, and this applies to journalism just as much as any other purpose. Increasing the public’s trust and confidence in how their data is used is the ICO’s ultimate strategic goal.

However protecting freedom of expression, and the inherent public interest in a free press, is also crucial and something we have always recognised in our interpretation of data protection law and when using our regulatory powers.

We recognise that journalists’ activities are under increasing scrutiny and the sector is experiencing pressure imposed by new business models and competition from new platforms. Now, more than ever, it’s important that clear and practical guidance on what the law requires is readily available.

We are no stranger to the challenge of helping journalists get this balance right. In 2014, in response to a recommendation made by the Leveson Inquiry and after extensive consultation with the media sector, we produced detailed guidance on data protection and journalism under the previous Data Protection Act 1998. Whilst the GPDR and Data Protection Act 2018 (DPA2018) bring new provisions that media organisations will have to get to grips with, the basic principles remain the same.

The DPA2018 also imposes new obligations on the ICO in relation to journalism. Specifically we are required to:

  • produce a code of practice for the use of personal data in journalism,
  • create guidance for members of the public when they believe that their personal data has been misused in the course of journalism, and
  • carry out periodic reviews of how the industry is fulfilling its data protection obligations and report our findings to the Government. The code will be the benchmark from which we will measure compliance when conducting these reviews.

Today, as an initial stage in meeting our obligations, we are launching our Call for Views on the journalism code of practice.

We will use our existing media guidance as a framework to inform the code and will update the contents to reflect the requirements of the new legislation, and take account of developments in case law and the field of journalism more generally.

It is important to remember that the ICO is not alone when it comes to helping journalists live up to their obligations. We are not a regulator of press standards more generally; our focus is on data protection issues arising from the use of personal information in journalism. Other regulatory bodies, such as IPSO, IMPRESS and Ofcom already exist to police standards in the industry, and we will of course be working collaboratively with them to ensure that the code fits well within this wider framework.

Ultimately we want the code to provide journalists and media organisations with a helpful, practical toolkit to assist them in complying with their data protection obligations. Therefore we encourage journalists, media companies, civil society and campaign groups, academics, bloggers and members of the public to submit their opinions and ideas to our Call for Views by the deadline of 27 May 2019 and help us provide the practical guidance that helps strike the right balance in this important area.

Steve Wood Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.

Notes to Editors

1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).

3. The General Data Protection Regulation (GDPR) is a new data protection law which applies in the UK from 25 May 2018. Its provisions are included in the Data Protection Act 2018. The Act also includes measures related to wider data protection reforms in areas not covered by the GDPR, such as law enforcement and security.

4. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.

5. To report a concern to the ICO go to ico.org.uk/concerns.