About this code

You must generally comply with the requirements of data protection law when you use personal information for journalism. In a lot of cases, this is straight-forward.

You can, however, apply the journalism exemption when you meet certain criteria. When you apply it, you no longer have to comply with specific requirements of data protection law.

You can apply the exemption to most requirements as specified in the highlighted boxes at the start of each section of the code.

To apply the exemption, you must:

use personal information for a journalistic purpose;
act with a view to the publication of journalistic material; and
reasonably believe both that:
- publication would be in the public interest; and
- complying with a specific requirement would be incompatible with your journalistic purpose.

See Apply the journalism exemption for more information.

1.1 This is a statutory code of practice under the Data Protection Act 2018 (DPA 2018).

1.2 This code applies to anyone using personal information for journalism. However, it is mainly for media organisations and journalists including the press, broadcasters, and online media outlets.

What is personal information?

Personal information is any information about a living and identifiable person, that is, or will be, stored on a digital device or kept in an organised way. Personal information means the same as “personal data” in the UK General Data Protection Regulation (UK GDPR).

1.3 This code is about data protection law. It does not concern press standards in general but is intended to complement industry codes.

1.4 This code will help you understand what data protection law says, focusing on its key principles. It will help you comply effectively with the law in practical ways, explained where possible in a journalism context, taking into account the special public interest in freedom of expression and information.

1.5 To help you understand what the law says, we say must in the code when doing something is a legislative requirement. However, you no longer have to comply with specific requirements when the journalism exemption applies.

1.6 To help you comply with the law, we say should when something is good practice, not a legislative requirement. If you choose to take a different approach, you must be able to demonstrate that your approach complies with the legislation.

1.7 We must review this code and how personal information is used for journalism periodically.

1.8 Further information is set out in the code’s supporting Reference notes, which are not part of the code itself. These also link to our wider guidance to help you comply with data protection law.

Reference notes

These reference notes support the Data protection and journalism code of practice (the code) but are not part of the statutory code itself.

How do these reference notes help us?

These reference notes support the Data protection and journalism code of practice (the code), but they are not part of the statutory code itself. They cover each section of the code and use the same numbering as the code to make cross-referencing easier. They contain, where relevant:

Further details about the legislation

These notes set out legislative wording more fully, as appropriate. However, they are not exhaustive and do not set out all the legislative requirements. They refer to key legislative provisions if you need further detail about what the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) say.

Further good practice and reading

These notes include some examples of good practice to help you consider some different ways to comply. There are likely to be various other ways you could also comply. The notes also refer to some further information from our UK GDPR guidance and resources intended to help you understand and comply with the code without necessarily having to refer to our wider guidance. However, this is not exhaustive. Further reading is below is you need more detail.

Case law examples

These notes include some case law examples to help you understand how the courts have considered data protection and privacy issues in areas relevant to the code. Although not all personal information is private, privacy is an important part of data protection law.

Where considered relevant and helpful, the case law examples cover:

data protection law, including the previous data protection regime;
misuse of private information actions; and
human rights law.

You should consider each privacy law and case outcome separately on its own merits, but you may nonetheless find these examples help you to understand and apply the code.

1.1 Statutory code of practice and data protection law

Statutory code of practice

The DPA says that we must prepare a code of practice to help people comply with data protection law and good practice when using personal information for journalism.

If someone complains about how you have used their personal information, the ICO, courts and tribunals must take this code into account once it is in force, where relevant.

Courts and tribunals will generally follow the guidance in statutory codes of practice and give weight to it unless there is a good reason not to do so.

If you do not do what this code says you should do, you will need to be able to persuade us or the courts that you have nevertheless complied with the law.

Data protection law

The code contains practical guidance for organisations and people using personal information for journalism under the UK GDPR and the DPA 2018. We may refer to this collectively as “data protection law”.

Data protection law applies to organisations using personal information that operate within the UK. It also applies to organisations outside the UK that offer goods or services to people in the UK.

Following the UK’s exit from the European Union (EU), the EU GDPR was incorporated into UK law, with amendments so that it works in a UK-only context. The GDPR as amended is referred to in the code as the UK GDPR. It sits alongside the DPA 2018, which has also been amended.

1.2 Code's application and using personal information

Code's application

The code is mainly for media organisations and journalists using personal information for journalism. This includes press agencies and freelance journalists providing stories to media organisations.

When we say ‘you’ in the code, we are mainly addressing the person with the main legal responsibility for complying with data protection law (ie senior management of the media organisation). However, in practice, various people within an organisation have some data protection responsibilities. So this code will help anyone using personal information for journalism, including journalists.

We also recognise that journalism is not limited to media organisations or the journalists they employ. The code also applies more broadly to other groups and people, including campaign groups or members of the public using personal information for journalism.

Using personal information

Personal information does not need to be private. Anything about a person can be personal information – even information that is public knowledge or about someone’s professional life (eg a job title).

Personal information does not need to be factual. For example, opinions about a person can be personal information.

Information is not personal information if it is:

a paper record that you do not plan to put on a digital device or organised file (eg handwritten notebooks);
information about a deceased person; or
truly anonymous – if you can still identify someone from the details or by combining it with other information, it is personal information.

In the code, we refer to personal information, which means the same as “personal data” in data protection legislation. We also refer to “using” personal information in the code. This means the same as “processing” it in the legislation. Using personal information means anything that you do with it, including collecting, recording, storing, publishing, sharing or deleting it.

1.3 Code's relationship with industry codes

Media standards are covered by other industry codes including:

This code is generally well-aligned with industry codes and is designed to complement industry guidance. Core journalistic values and data protection have a lot in common so complying with industry codes will help you to comply with data protection law. Where relevant to data protection, we will take industry codes of practice into account and work with industry bodies as appropriate.

1.4 Data protection principles

Data protection law, and this code, focuses on seven key principles to:

take responsibility for complying with the principles and be able to demonstrate you comply;
keep personal information secure;
use personal information lawfully, fairly and transparently;
use accurate personal information;
use personal information for a specific purpose;
use only the personal information that you need; and
keep information only for as long as you need it.

1.7 Review

We must review how personal information is used for journalism under the DPA 2018. The first review period began on 25 May 2018 and ran for four years. We must begin a review within six months from the end of the first review period and submit a report to the Secretary of State within 18 months from when the review was started. Subsequent review periods are five years long.

These periodic reviews will inform the code in due course and help us to evaluate how it is working in practice. We will also keep the code under general review and update it where necessary in line with changes to law, guidance or other relevant developments.

Key legal provisions

DPA 2018 section 124 - duty to prepare a journalism code of practice
DPA 2018 section 125 – approval of codes
DPA 2018 section 126 – publication and review of codes
DPA 2018 section 127 - legal effect of the code
DPA 2018 section 178 - review of processing of personal data for the purposes of journalism