17 March 2018

This advice has been updated and corrected. The previous version repeated a misleading technicality about registration.

Data protection and freelances

THE EU's General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. What effects will it have on freelance journalists?

You are, in the terms of the legislation, a "data controller" - whether you are a writer or a photographer or even a sub-editor or picture editor. You hold "personal data" on people - known as "data subjects". All data controllers must appoint a "data protection officer". That would be you.

You will still have to pay a fee and notify an address

The requirement to register in the UK Data Protection Act 1998 remains on the UK statute book until 26 May 2018. The government has put rules before Parliament to continue this requirement. Under them you will have to pay a fee of £40 a year to fund the Information Commissioner's Office (ICO) - and provide a contact address, which will still be published. See advice from the ICO.

The UK government has also introduced the Data Protection Bill 2017-9 which, when passed, will set out principles similar to the GDPR regardless of what may or may not happen about Brexit. We'll update our advice when it is passed. (EU Regulations take direct effect without separate UK legislation, but the GDPR leaves some details to Member States - see below.)

You must protect all your data

The GDPR strengthens the requirement to protect your data and gives it sharper teeth. In practice, all your computers and other storage devices, including paper files, must be protected by strong passwords or strong physical locks, as appropriate. That includes backup disks and thumb drives.

You should inform the Information Commissioner and (in some circumstances) your data subjects if there is a breach of security. This may pose problems if, for example, you are required to show your data by border guards: recall the advice of the Committee to Protect Journalists on crossing the US border, which boils down to "don't". We are seeking more advice on this.

When informing them you can and must take steps to ensure that you do not compromise anyone else's privacy!

Journalism is protected

Apart from the requirement to protect data, other requirements of the GDPR are covered by an "exemption" to protect the human right of free expression and information. This means that journalism which you "reasonably believe" to be in the public interest trumps them. (Note that though a record of a star leaving a club the worse for wear at 3am may interest some members of the public, the courts may not find that it is "in the public interest".)

The GDPR leaves most details of these exemptions to member states: so the provisions of the 1998 Act apply for now.

Subject access requests

Not least as a consequence of publicity about the GDPR, you may receive "subject access requests" seeking to know what information you hold on a data subject, or requests to correct data you hold. Whether these are a form of bureaucratic harassment to make the story just too much work would be a matter for the court in each case.

You will almost always be justified in invoking the exemptions for free expression to avoid giving any information. You must give individual reasons for each request (more guidance to follow). If you were to supply any information, you would be able and obliged to "redact" it so that you do not give out information about anyone else.

Journalists sometimes make subject access requests, for example to discover what data are held on us by law enforcement or other bodies. We are not yet aware of any changes to the procedures for doing this.

The ‘right to be forgotten’

A consequence of every data subject's right to correct data held on them is the "right to be forgotten" currently being made famous by former Formula 1 boss Max Mosley, arguing that reports about him are out-of-date. Interestingly, Article 17(3)a of the Regulation states explicitly that EU Member States shall ensure that journalism is exempted from this.

Cleansing data

Generally, the obligation to cleanse data and purge that which is no longer required will be covered by the journalism exemption: you may want to contact someone at any time in future, for example. Do delete dead contacts.

Your mailing list and website

If you run a mailing list, for example to alert potential clients, you need their explicit consent to be on it. Your website needs explicit consent to set (almost all) cookies.

Questions arising

A large part of the point of the meeting was to elicit questions to put to lawyers. These are the major issues:

  1. Photographs are "personal data" - can we confirm absolutely that the requirement to obtain consent to process data, in particular, will be exempted when they are taken for the purposes of news reporting?
  2. Will anything change for photographers who are doing commercial or Public Relations work, who in many circumstances already need to get "model release" forms signed?
  3. Can we work up a skeleton response to "Subject Access Requests"? Probably this should advise members to respond that they do not have to tell requesters anything about data they hold for the purposes of news reporting
  4. What are the implications of the proposed exemption of data related to "immigration control" from the scope of the CDPR in the UK? Can we ask MPs to strengthen the journalism exemption to trump even requests under the Regulation of Investigatory Powers Acts? (There is of course an issue for journalists who are asylum seekers or otherwise need information about their own immigration procedures: Green Baroness Jenny Jones has written about these in the New Statesman as has solicitor Daniel Carey.)
  5. What does mitigation of a breach mean for a journalist? For example, what happens once a breach has been reported to the ICO?
  6. In particular, how is it possible to mitigate a breach caused by immigration officers demanding access to data as a condition of entry to, say, the US?
  7. What is the liability for data protection issues arising from work in the course of employment - and can contracts entered into by self-employed journalists shift the client's liability onto the freelances?
  8. Backing up words or pictures to "cloud storage" appears to be a "data transfer" - what steps can journalists take to stay within the law if they absolutely have to do this? (The Freelance recommends not doing it.)