If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to use personal information transparently. This section of the code sets out what the legislation says and how to comply when you are not applying the exemption (See Apply the journalism exemption).
What does the legislation say?
6.1 You must use personal information transparently. In particular, you must provide privacy information to people including:
- why you are using the personal information;
- how long you expect to keep it; and
- where relevant, who you will share it with.
6.2 If you obtain personal information from the person it is about, you must provide privacy information to them unless they already have it.
6.3 When you obtain personal information from a source other than the person it is about, you do not need to provide privacy information in some circumstances (see 6.3 in Reference notes). For example, if it would be impossible, involve disproportionate effort, or seriously impair your journalistic objective.
6.4 You must provide privacy information to people at the time you collect their personal information from them unless they already have it.
6.5 If you obtain personal information from a source other than the person it relates to, you must provide privacy information to them within a reasonable period of obtaining it and no later than one month. If you plan to communicate with the person or disclose the information, you must provide privacy information at the latest at the time of the first communication or when you disclose the information, including by publishing it.
6.6 The privacy information you provide must be concise, easy to understand in clear and plain language and easily accessible.
6.7 You must bring any new uses of a person’s personal information to their attention before you use it for that purpose (see also Use personal information for a specified purpose).
6.8 You must regularly review and update privacy information, when needed.
How do we comply?
6.9 If you obtain personal information from the person it is about, there are no exceptions to the requirement to provide privacy information, unless you have already provided it to them. However, the journalism exemption may apply if you reasonably believe it would be incompatible with your journalistic purpose to provide privacy information (See Apply the journalism exemption).
6.10 However, there are exceptions available if you obtain information from a source other than the person it relates to. This includes if it would be impossible or would involve disproportionate effort. For example, you do not have relevant contact details and could not reasonably obtain them, or you have used a large number of different sources.
6.11 You also do not need to provide privacy information if it would seriously impair your journalistic purpose. This gives you an alternative means of protecting your journalistic purpose other than applying the journalism exemption.
6.12 You should actively provide privacy information. For example, you can put a privacy notice on your website, as long as you make people aware of it and give them an easy way to access it.
6.13 There are different ways to provide privacy information. You should think about who it is for to help you decide the best way to communicate the information.
6.14 You should take particular care to write clear, age-appropriate privacy notices for children or other groups who may be more at risk of harm and less able to understand what will happen to their personal information and what rights they have.
Reference notes
These reference notes support the Data protection and journalism code of practice (the code) but are not part of the statutory code itself.
6.1 Privacy information
Privacy information includes:
- why you are using the personal information;
- your lawful basis for using the information;
- who you will share it with;
- how long you will keep it for; and
- details about people’s rights.
You can read a full checklist of the privacy information you must provide in our UK GDPR guide and resources below.
6.3 Exceptions to providing privacy information
When you obtain personal information from a source other than the person it is about, you do not need to provide privacy information if:
- the person already has the information;
- providing the information would be impossible;
- providing the information would involve a disproportionate effort;
- providing the information would make it impossible or seriously impair your ability to achieve your objectives;
- you are required by law to obtain or disclose the personal information; or
- you are subject to an obligation of professional secrecy regulated by law that covers the personal information.
6.13 Ways to provide privacy information
There are different ways to provide privacy information, including for example:
- a layered approach;
- dashboards;
- just-in-time notices;
- icons; and
- mobile and smart device functionalities.
6.14 Privacy notices for children
In the case of children, it is even more important to present the information clearly and in an age-appropriate way. For example, graphics, cartoons and videos to appeal to children.
Key legal provisions
UK GDPR article 5(1)(a) – the lawfulness, fairness and transparency principle
UK GDPR articles 13 and 14 – right to be informed