The Data Protection Act 1998 regulates how personal information about individuals (not companies) is collected and used.
PLEASE NOTE THAT AS OF MID-2017 DATA PROTECTION LAW IN THE UK IS UNDERGOING WHOLESALE REVISION TO ALLOW FOR THE IMPLEMENTATION OF THE EUROPEAN UNION’S GENERAL DATA PROTECTION REGULATION (THE ‘GDPR’). WE WILL UPDATE THIS SECTION OF THE HANDBOOK ONCE THIS NEW LAW IS FINALISED.
Personal information or 'personal data' means any information which relates to a living individual (the data subject) who can be identified from that information and which is either 'processed' electronically or, if manual, is held in a structured system e.g. a card index. 'Processed' is carefully defined in the Act but includes virtually any use of the information, including obtaining and simply holding the information.
Personal data would include personal information such as addresses, email addresses, and telephone numbers that programme-makers and broadcasters collect and handle for whatever reason, for example when people enter programme competitions or request programme support material. It also includes information that is collected about people for use in programmes, for example information about contributors, including footage of them, whether or not they have consented to take part, see 'Journalistic Exemption' below.
Section 55 of the Act makes it an offence to gain unauthorised access to such data, punishable by a fine. For example unauthorised access to confidential databases, telephone accounts and bank records is an offence. Section 55 would cover activities such as 'blagging' - impersonating a legitimate party, or otherwise to deceive the information holder, in order to gain personal data. Section 55 is subject to a public interest defence.
Data Protection Principles
The Act contains a number of principles that people 'processing' personal data must comply with and provides even greater protection to 'sensitive personal data' which is information deemed so sensitive it can only be processed in very narrowly prescribed circumstances, for example information about an individual's racial or ethnic origins or relating to their sexual life.
In summary, in order to comply with Data Protection legislation, all personal data that broadcasters or programme-makers hold about individuals must be:
- collected and used fairly and lawfully
- processed for limited, lawful purposes
- adequate, relevant and not excessive in relation to the purpose for which it is being processed
- accurate and, where necessary, kept up to date
- not be kept for longer than is necessary for the use for which it was collected
- processed in accordance with the rights of the subject, under the Act
- stored safely and securely
- not be transferred to countries outside of the EU, unless adequate protection is ensured.
Rights of the Data Subject
Individuals have a number of rights in relation to information that organisations hold about them. These include a right to find out whether a particular organisation holds information about them, if so what that information is, the purposes why it is being held, who it is or may be disclosed to and who the source of the information is ("subject access request"). If information held is incorrect, the data subject has the right to have the information corrected and to claim compensation. The data subject is also able to require the organisation holding the personal information to stop processing it on the grounds that it would cause or be likely to cause substantial and unwarranted damage or distress to him or another.
If an organisation is found to have processed information in a way which is incompatible with the Act, the Data Commissioner can serve an enforcement notice requiring compliance. Failure to comply with such a notice is an offence.
Clearly, without special protection, Data Protection legislation could have a very damaging effect on the activities of the media so, to protect legitimate activities, the Act contains an exemption for 'journalistic, literary or artistic' purposes. This states that personal information which is processed only for journalistic (or literary or artistic) purposes is exempt from the following key provisions of the Act, amongst others: the data protection principles as outlined above (except the one requiring the information to be kept secure); subject access requests; and, the subject's right to prevent processing where likely to cause damage, distress. However, the exemption only applies if the processing is done with a view to publication of material which has not previously been published.
Once a programme has been broadcast, therefore, programme-makers and broadcasters will likely have to comply with the data protection principles and may have to comply with any subject access requests where relevant. In addition, the journalistic exemption only applies if the broadcaster reasonably believes that publication would be in the public interest and that, in all the circumstances, to comply with the rules of the 1998 Act would be incompatible with journalistic purposes. If programme-makers receive any subject access requests from individuals or their legal advisers, programme-makers must alert their commissioning editor and programme lawyer immediately. Strict legal deadlines are in place for responding to subject access requests.
Channel 4 together with the BBC, ITV, Five, S4C and Pact has issued two sets of guidelines to assist producers - The Producers' Data Protection and Security Guidelines which can be found here and the Production Crew General Notes which can be found here.