This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.


By the Media, Entertainment & Sport group of Bird & Bird

| 5 minutes read

ICO’s Press Play: navigating journalism and data protection

After several drafts and amendments, on February 1 2024, the ICO’s Data Protection and Journalism Code of Practice has finally been approved and issued, coming into force on 22 February 2024.

A press of the past

Well over a decade has passed since the ‘News International’ scandal, which saw allegations of police bribery, phone hacking and the exercise of improper influence to obtain stories. The scandal saw the News of the World shuttered, newspaper editors in the dock, and the resignation of high-ranking police officials.

What followed was the Leveson Inquiry, where a significant number of individuals appeared at the Royal Courts of Justice to give accounts of their privacy rights being infringed, and the damage caused to their reputations and mental wellbeing as a result. This called into question the UK’s long-standing conventions of press self-regulation, bringing scrutiny to relationships between the press, the public, police and politicians, and the broader cultural and ethical issues associated with the media industry.

Lord Justice Leveson rejected calls for full statutory regulation of the press, but his report did find the existing ‘Press Complaints Commission’ were “constrained by serious structural deficiencies” with “very limited power to investigate complaints”. He further found that “the twin failure of both the self-regulatory system and the industry to address these problems is itself evidence that there has been no real appetite for an effective and adequate system of regulation from within the industry, in spite of a professed openness to reform and self-criticism. It is difficult to avoid the conclusion that the self-regulatory system was run for the benefit of the press not of the public.” This led to him calling for the establishment of a new independent body, with a more robust system of oversight and sanctions, as well as the tightening of legal data protection provisions.

The ICO’s data protection and journalism code of practice

The UK’s Information Commissioner’s Office (‘ICO’) role in the regulation of the press was expanded through the introduction of the GDPR and the Data Protection Act 2018 (the ‘DPA 2018’). By virtue of section 124 of the DPA 2018, on 1 February 2024, the ICO published its final version of the Data Protection and Journalism Code of Practice (the ‘Code’), along with accompanying reference notes, providing practical guidance on how to comply with data protection laws and good practice in a journalism context. The Code itself does not make any changes to journalists’ data protection obligations, nor does it concern media standards more broadly, instead it is aimed at reminding journalists of their existing data protection related responsibilities and clarifies current journalistic exemptions set out in the DPA 2018. It also aimed at compliance professionals, lawyers, senior editors and data protection officers in the press, broadcasting and online media outlet space, interpreting what data protection laws look like for such organisations and individuals in practice (particularly through their “How do we comply?” sections of the Code).

The Code focusses on three key areas: the application of data protection principles in a journalism context, the journalism exemption under data protection law, and the status and enforceability of the Code.

Application of data protection principles

Part 2 of the DPA 2018, and Chapters 2 and 3 of the UK GDPR set out data protection principles that must be adhered to when processing personal data. The Code walks through some of these key data protection principles and how these can be complied with in the context of journalism. Most notable  is the principle of ‘accountability’ (i.e. the ability to demonstrate compliance with all other data protection principles such as (but not limited to) transparency, security and accuracy of data). This reminds journalists and the press more broadly of their responsibility to implement and develop processes and policies which ensure compliance to the Code, and as a result, with data protection laws. For instance, specific risk assessments will have to be conducted when processing criminal offence data or personal data of children.

Journalism exemption: the balance between privacy and freedom of information

The DPA 2018 contains a special exemption for journalists, excluding them from certain data protection obligations and restrictions when it can be shown that their data processing is carried out with a view to publication of material which is in the public interest (DPA 2018 Schedule 2, part 5, paragraph 26). The Code adopts a layered approach into explaining this exemption, and achieves this by:

  1. First, stating the law within section 1 itself;

“To apply the exemption, you must:

    • use personal information for a journalistic purpose;
    • act with a view to the publication of journalistic material; and
    • reasonably believe both that:
      • publication would be in the public interest; and
      • complying with a specific requirement would be incompatible with your journalistic purpose.”
  2. Then, prefacing each section of the Code with whether the journalism exemption applied (or not) and how;
  3. In its own section (Section 13), providing narrative on each limb, such as how ‘reasonable belief’ is determined in the context of the journalism exemption (even noting that forming a reasonable belief will often include editorial discretion); and
  4. Finally, signposting readers to corresponding sections in the reference notes which comprises additional narrative, examples, other codes and case law.

Although the Code aims to balance privacy rights and the freedom of information, it is evident from the Code’s narrative on the journalism exemption that it is ultimately sympathetic to the reality of journalism – where often information will be collected (and subsequently used for stories) without the knowledge of the individual.

Status and enforceability of the Code

In 2014, following the Leveson Inquiry, the ICO published its first ‘Data protection and journalism: a guide for the media’, however, the guidance had no legal force. In contrast, the new Code explicitly states that as a statutory code of practice, the Courts are expected to take into account its provisions where relevant to proceedings and will expect that journalists have considered it carefully “unless there is a good reason not to do so”.

From an enforcement perspective, the ICO can take formal enforcement action in relation to breaches of the UK GDPR and DPA 2018 in respect of journalistic activities. However, they note their limitations in this area within the Code, specifically noting “there are specific and strong protections for journalism and various restrictions and safeguards built into the law” that protect the industry. These protections, restrictions and safeguards are derived from the DPA 2018 with the key legal provisions set out in Section 14 of the reference notes, and include:

  • Available defences relating to public interest justifications that may apply in certain circumstances (ss170-173 DPA 2018);
  • Reviewing the extent to which the processing of personal data for the purposes of journalism complied with data protection laws and the Code(s178 DPA 2018); and
  • The ICO being restricted from providing information, enforcement and penalty notices under certain circumstances where personal data is processed for the purposes of journalism (s143, s152, s156 DPA 2018).

It will be interesting, in time to come, to observe how the media industry incorporates these additional considerations into their practices to ensure compliance with the Code.


data protection, journalism, united kingdom, publishing