What is the draft Code and will it be legally enforceable?
The document is one of a handful of statutory codes the ICO is required to publish under the Data Protection Act 2018. As it is a statutory code of practice, the ICO, courts and tribunals are required to take it into account when considering issues arising in relation to data protection compliance and proceedings. Generally, the courts will give weight to statutory codes of practice, taking the approach that they should be considered carefully unless there is a good reason not to.
One of the key purposes of the Code is to act not as a stick but as a guide to assist individuals and organisations in their understanding of the laws and legal obligations under UK data protection laws in the context of journalism. Ever since the last version of the Code needed to be updated following the General Data Protection Regulation (GDPR), the media industry has been eagerly waiting for this latest update, and further guidance such as this is certainly welcomed.
Who is the code aimed at? What is ‘journalism’?
The Code is aimed at data controllers in the field of journalism. Whilst this may sound narrow, ‘journalism’ is a broad term that may cover the disclosure of information, opinions, or ideas, by any means, to the public. Professional journalists and media organisations engaged in journalism (regardless of whether this is digital, print or broadcast, radio or television content) are covered, but so are citizen journalists.
Although the focus of the Code is on journalistic activity, it will also have broader value throughout the media sector. In the absence of other media-specific guidance from the ICO, this document will become a primary resource and reference point for expectations more broadly in relation to media content.
What does the draft Code cover?
The Code covers many aspects of data protection law, so much of it is familiar and serves as a reminder of what organisations will already know.
The Code is of most interest where it seeks to give practical guidance around several key issues that can be difficult to navigate in this field. It is most beneficial in setting out the ICO’s expectations of how data controllers can balance the rights and importance of the free flow of communication and freedom of expression and information within society with the individual’s right to privacy and data protection. The following stand out as among the key sections of the Code:
- Accountability. The biggest change for media organisations following the GDPR is arguably the requirement to ensure suitable accountability for compliance. It is not enough to just comply with data protection obligations: there is a need to demonstrate this compliance. In the context of often fast-paced media environments, it can be challenging to determine what the expectation is in this regard and how to comply in practice. Whilst emphasising that “you always need to comply with the accountability principle”, the ICO does appear to recognise the difficulties, noting that “accountability is a flexible concept”, that DPIAs are not needed for every media story, and that in some cases, simple checklists and overriding policies can be helpful. One might ask, however, whether the guidance really goes far enough in setting out what is needed, and it may not really leave organisations with a clear picture of what ‘good’ looks like on this front. Practical examples are missing in this section.
- Special purpose exemption. With the test in the special purpose exemption for journalism, academic activities, art and literature having slightly changed under GDPR, updated guidance was much needed. It is encouraging that the ICO acknowledges that this is a broad exemption, but otherwise there is not a great deal which is truly new here. Although, again, the details around how journalists should demonstrate their decisions in this area will be of most interest to readers, the use of words such as “ideally”, “it will be easier to show”, and “it may be appropriate” fails to settle any positions clearly for organisations, and may raise more questions than it answers. This is another area to pick up in consultation responses.
- Retention. There is some welcome guidance here, recognising that, in many cases, it will be justifiable for journalists to keep certain personal data indefinitely.
- Lawful basis. The Code canters through lawful bases that may be relevant for the processing of information rather too speedily. There is mention of consent being problematic and that some companies use release forms, but the advice is vague and fails to separate out differences between concepts of informed consent used in the media industry versus the GDPR tests for consent. The lawful basis of the term ‘manifestly made public’ is also mentioned briefly but without the nuanced advice needed. For example, the Code glosses over key issues such as whether the term applies to personal data which is being made public (for example in interviews) rather than just taken from sources such as social media. The Code offers useful confirmation that offenders may be deemed to have manifestly made information about their offence public, but without then clearly detailing the restrictions it says this is subject to.
When does the consultation close?
The deadline for the consultation and submission of responses is 10 January 2022. Those wanting to provide their views can do so by completing the online survey or by emailing the completed Word surveys to journalismcode@ico.org.uk.
Client Alert 2021-271