Keeping up to data

TO THE multiple skillset that the successful freelance journalist must already rely on we must add another: being a better "data controller".


Mike Holderness gathers the questions

A new Regulation from the EU will sharpen the teeth of our liability for the data we hold on other individuals. We are responsible for safeguarding that data and using it responsibly.

The General Data Protection Regulation (GDPR) comes into force on 25 May. It could have a significant effect on freelance workloads and the NUJ is preparing detailed advice for members. In a step towards producing it, London Freelance Branch in February held a discussion led by Freelance editor Mike Holderness.

He explained that everybody holding personal information must keep it "under lock and key, with good password protection", on all devices and backups, and up-to-date. As Mike said: "This is about data, not computers. Records on paper must be physically under lock and key."

Individuals seeking to find out what is held on them can already make "subject access requests" to see it, and to know what use we are going to make of it. But they don't necessarily have to be told.

The good news is that journalism is exempt from this requirement, provided we reasonably believe it to be in the public interest - which might not cover everything that journalists do; Mike warned that "a record of a star leaving a nightclub the worse for wear at 3am" may not qualify for the exemption.

If you do supply information, you must "redact" it to protect other people if the documentation contains information on them.

We are likewise free of the duty to periodically delete all data no longer in use; it is recognised that journalists may well need to go back to old contacts from years ago if a subject comes up. It is though, Mike said, a good idea to be able to show that you keep your data up-to-date.

If freelances run mailing lists for their work, they must secure the explicit permission of everybody to be on those lists.

As data controllers, we are also, as sole operators, the "data protection officers" responsible for implementing the requirements that do apply, such as preserving and checking the data, and notifying the authorities if things go wrong.

If there is a "breach" of your data - if your phone or laptop is stolen or seized by immigration offices, for instance - you must inform the Information Commissioners' Office (ICO). Mike conceded he did not know what could happen then: "it's one of the questions we need the answers to," he said.

The Union is collecting questions to put to the lawyers it has on standby with expertise on data protection. Quite separate UK laws deal with the authorities' power to look into our phones or computers.

Or, why should people have the right to know what information we hold on them and what we were thinking of doing with it? On this Mike said: "They don't have that right, but there is the danger is that people will make 'requests' as a form of harassment, not least because of GDPR publicity." When all the questions have been answered, he intends that the Union will produce guidance for members to use in response to such requests.

  • Members at the meeting raised interesting questions, which we will put to lawyers. See the guidance at which will be updated as we get answers to these. For some, including the precise effect of the Subject Access Request rules on photographers who are doing documentary or PR work rather than news, the answer may be "we have to wait for the court cases".