After a long wait, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), released its new draft journalism code of practice (Code) and opened it for consultation. The ICO encourages parties to submit their views on this project.
The 93-page Code covers issues that are particularly difficult for the media industry. In this article, we explain the background and scope of these issues and some of the areas where further clarification is needed.
What is the draft code and will it be legally enforceable?
The document is one of a handful of statutory codes that the ICO is required to publish under the Data Protection Act 2018. As it is a statutory code of practice, the ICO, the courts and courts are required to take this into account when considering issues that arise in relation to data protection compliance and procedures. In general, courts will give weight to statutory codes of practice, taking the approach that they should be scrutinized with care, unless there is a good reason not to do so.
One of the main purposes of the Code is to act not as a stick but as a guide to help individuals and organizations understand the laws and legal obligations under UK data protection laws in the context of journalism. Since the latest version of the Code had to be updated in accordance with the General Data Protection Regulation (GDPR), the media industry has been eagerly awaiting this latest update, and new directions like this are certainly coming. welcome.
Who is the code for? What is “journalism”?
The Code is addressed to data controllers in the field of journalism. Although it may sound narrow, “journalism” is a broad term that can cover the disclosure of information, opinions or ideas, by any means, to the public. Professional journalists and media organizations engaged in journalism (whether digital, print or broadcast, radio or TV) are covered, but so are citizen journalists.
Although the Code focuses on journalistic activity, it will also have broader value throughout the media sector. In the absence of further media specific guidance from the ICO, this document will become a primary resource and a point of reference for the broader expectations of media content.
What does the draft code cover?
The Code covers many aspects of data protection law, much of which is familiar and serves as a reminder of what organizations will already know.
The Code is particularly interesting when it seeks to provide practical advice on several key issues that can be difficult to navigate in this area. It is very useful to set the expectations of the ICO on how data controllers can balance the rights and importance of the free flow of communications and the freedom of expression and information within society. with the individual’s right to privacy and data protection. The following stand out among the key articles of the Code:
- Responsibility. Perhaps the biggest change for media organizations following GDPR is the requirement to ensure appropriate accountability for compliance. Complying with data protection organizations is not enough – compliance must be demonstrated. In the context of often fast-paced media environments, it can be difficult to determine what the expectations are in this regard and how to meet them in practice. While stressing that “you must always respect the principle of accountability”, the ICO seems to recognize the difficulties, noting that “accountability is a flexible concept”, that DPIAs are not required for every media article and that in some In this case, simple checklists and priority policies can be helpful. It is questionable, however, whether the guidance really goes far enough to define what is needed, and it may not really leave organizations with a clear picture of what a âgoodâ looks like on this front. Practical examples are missing in this section.
- Special exemption. As the special purpose exemption test for journalism, academia, art and literature changed slightly under the GDPR, updated guidelines were needed. It is encouraging that the ICO recognizes that this is a broad exemption, but otherwise there is not much really new here. While, again, the details of how journalists should demonstrate their decisions in this area will be of most interest to readers, the use of words such as “ideally”, “it will be easier to show” and âIt may be appropriateâ fail to clearly resolve organizations’ positions and may raise more questions than they answer. This is another area to be taken into account in the responses to the consultations.
- Retention. There is some welcome advice here, recognizing that in many cases it will be justifiable for journalists to retain certain personal data indefinitely.
- Legal basis. The Code goes through legal bases which may be relevant for the processing of information a little too quickly. It is mentioned that consent is problematic and that some companies use release forms, but the advice is vague and does not distinguish the differences between informed consent concepts used in the media industry and GDPR testing for consent. The legal basis for the phrase “manifestly made public” is also mentioned briefly, but without the necessary nuanced advice. For example, the Code ignores key questions such as whether the term applies to personal data that is being made public (e.g. in interviews) rather than simply taken from sources such as social media. The Code provides useful confirmation that offenders can be deemed to have manifestly disclosed information about their offense, but without clearly detailing the restrictions to which it says this is subject.
When does the consultation end?
The deadline for consultation and submission of responses is January 10, 2022. Those who wish to give their opinion can do so by filling out the form online survey online by emailing completed Word surveys to [emailÂ protected].