Data protection & freelances

DON'T PANIC. The EU General Data Protection Regulation (GDPR) came into force, as you may have noticed, on Friday 25 May. But there's little for freelance journalists to worry about.

Many of us have been bombarded with anxiety-inducing messages about compliance, from people trying to sell us compliance services. In fact, not much has changed. Much of the variable-quality advice floating around is about things that any small business, including a freelance journalist, might do to market itself, such as keeping an email list. We'll deal with that briefly, but we'll focus on the area that's been ignored: journalism.

The anxiety-inducing advice focuses on the need for a generic business to get consent to process information. But processing data with consent is only one thing that the GDPR allows. Another is processing it for the purposes of journalism. For everything you do for the purposes of journalism, this is what matters, not consent.

So: what effects will the GDPR have on freelance journalists?

You are your own ‘data controller’

You are, in the terms of the legislation, a "data controller" - whether you are a writer or a photographer or even a sub-editor or picture editor. You hold "personal data" on people - known as "data subjects". Data controllers must appoint a "data protection officer". That would be you.

You will still have to pay a fee and notify an address

Under the Data Protection Act 1998 you were required to register as a data controller. The UK government has made regulations to continue this requirement. You must pay a fee of £40 a year to fund the Information Commissioner's Office (ICO) - and provide a contact address, which will still be published. See advice from the ICO.

Any NUJ member who has a problem with their home address appearing on a publicly-accessible register should contact the Membership Department for further advice.

The UK government also introduced the Data Protection Bill 2017-9 which, now it's an Act, sets out principles similar to the GDPR regardless of what may or may not happen about Brexit. (EU Regulations take direct effect without separate UK legislation, but the GDPR leaves some details to Member States - see below.) At a late stage the House of Commons inserted a clause into the Bill requiring the Information Commissioner to produce "practical guidance in relation to the processing of personal data for the purposes of journalism" (and the House of Lords approved this: see Amendment 55 here). This amendment was part of the manoeuvring about dealing with the phone-hacking scandal. We will update our advice as guidance develops.

You must protect all your data

The GDPR strengthens the requirement to protect your data and gives it sharper teeth. In practice, all your computers and other storage devices, including paper files, must be protected by strong passwords or strong physical locks, as appropriate. That includes backup disks and thumb drives.

You must inform the Information Commissioner's Office (ICO) if there is a breach of security and should do so within 72 hours. In some circumstances the ICO can ask you to inform your data subjects. This may pose problems if, for example, you are required to show your data by border guards: recall the advice of the Committee to Protect Journalists on crossing the US border, which boils down to "don't".

If you do inform a data subject you can and must take steps to ensure that you do not compromise anyone else's privacy!

Journalism is protected

Apart from the requirement to protect data, other requirements of the GDPR are covered by an "exemption" to protect the human right of free expression and information. This means that journalism which you "reasonably believe" to be in the public interest trumps them. (Note that though a record of a star leaving a club the worse for wear at 3am may interest some members of the public, the courts may not find that it is "in the public interest".)

Subject access requests

Not least as a consequence of publicity about the GDPR, you may receive "subject access requests" seeking to know what information you hold on a data subject, or requests to correct data you hold. Whether these are a form of bureaucratic harassment to make the story just too much work would be a matter for the court in each case.

You will almost always be justified in invoking the exemptions for free expression to avoid giving any information. You must give individual reasons for each request. If you were to supply any information, you would be obliged to "redact" it so that you do not give out information about anyone else.

Journalists sometimes make subject access requests, for example to discover what data are held on us by law enforcement or other bodies. We are not yet aware of any changes to the procedures for doing this.

The ‘right to be forgotten’

A consequence of every data subject's right to correct data held on them is the "right to be forgotten" currently being made famous by former Formula 1 boss Max Mosley, arguing that reports about him are out-of-date. Interestingly, one thing that the Regulation does not give member states "flexibility" on is this: Article 17(3)a explicitly states that they shall ensure that journalism is exempted from it.

You do not have to comply with "right to be forgotten" requests.

Cleansing data

Generally, the obligation to cleanse data and purge that which is no longer required will be trumped by the journalism exemption: you may want to contact someone at any time in future, for example. Do delete dead contacts.

There is no reason not to keep your archives of articles, drafts, sketches - and photographs. Not least, they are essential to the process of law, in proving your authorship.

Your mailing list and website

The exemption for journalism may not apply to everything you do. It may help to think of yourself as more than one person: a journalist and a business, for example. And of course many journalists also do work that could be classed, for example, as public relations.

For the avoidance of doubt: GDPR does not apply to data processing "by a natural person in the course of a purely personal or household activity" with no connection to a professional or commercial activity - so that's a third "you" (at least) who is outside its scope.

If you run a mailing list, for example to alert potential clients about your business in general, you need their explicit consent to be on it. Ask yourself: "do I ever email more than 10 random people promoting my business in general?". If the answer is "no" you need do nothing. If you email specific people plugging a particular photo or a particular feature proposal, we would say that's journalism and exempt.

Of course you may already have a record of them giving consent, in which case there is no need to ask again. If you do not have a record of consent, you would be safest to drop them a line asking them to reply if they don't mind hearing from you again.

Your website needs explicit consent to set (almost all) cookies.

Questions arising

A large part of the point of the meeting was to elicit questions to seek further advice. These are the major issues:

  1. Photographs are "personal data" - can we confirm absolutely that the requirement to obtain consent to process data, in particular, will be exempted when they are taken for the purposes of news reporting?
    • We can confirm this - pending the results of any court cases that set precedents.
  2. Will anything change for photographers who are doing commercial or Public Relations work, who in many circumstances already need to get "model release" forms signed?
    • The requirements of the 1998 Act are pretty much unchanged.
  3. Can we work up a skeleton response to "Subject Access Requests"? Probably this should advise members to respond that they do not have to tell requesters anything about data they hold for the purposes of news reporting.
    • We're working on this. Any NUJ freelance member who receives an SAR should in the first instance contact the Freelance Office.
  4. What are the implications of the proposed exemption of data related to "immigration control" from the scope of the GDPR in the UK? Can we ask MPs to strengthen the journalism exemption to trump even requests under the Regulation of Investigatory Powers Acts?
    • There is of course an issue for journalists who are asylum seekers or otherwise need information about their own immigration procedures. Green Baroness Jenny Jones has written about the immigration exemption in the New Statesman, as has solicitor Daniel Carey. Labour and Scottish Nationalist members of the House of Lords Committee revising the Bill made a strong case against this exemption, and lost the vote 9:10, as they did on most of the sensible proposals they put to the Committee. So the Commons didn't get another vote on the matter.
  5. What does mitigation of a breach mean for a journalist? For example, what happens once a breach has been reported to the ICO?
    • We await the advice from the ICO.
  6. In particular, how is it possible to mitigate a breach caused by immigration officers demanding access to data as a condition of entry to, say, the US?
    • We await the advice from the ICO. Indeed, we shall be putting this to the ICO in the consultation on the advice.
  7. What is the liability for data protection issues arising from work in the course of employment - and can contracts entered into by self-employed journalists shift the client's liability onto the freelances?
    • We're almost certain that anything you do as a "servant" of a data controller (to use the term in the 19th-century legal precedent on liability for railway accidents) is the data controller's responsibility. If you are engaged for one day as a "worker" under the direction of a client you are almost certainly acting as a "servant". But as with everything to do with worker status, this will be settled on a case-by-case basis.
  8. Backing up words or pictures to "cloud storage" appears to be a "data transfer" - what steps can journalists take to stay within the law if they absolutely have to do this? (The Freelance recommends not doing it.)
    • We continue to recommend not doing it. Use boring physical devices you can lock away.

Versions

12 February 2018

First version, discussed at the February 2018 Branch Meeting.

17 March 2018

This advice has been updated and corrected. The previous version repeated a misleading technicality about registration.

15 May 2018

The House of Commons inserted a clause into the Data Protection Bill, and the Lords have approved this Amendment 55, which requires the Information Commissioner to produce "practical guidance in relation to the processing of personal data for the purposes of journalism" - following consultation which ought to include the NUJ. More later...

22 May 2018

Revised with introduction and draft answers to the questions.