In this article, the founder of DPAS Nigel Gooding examines the role of Public Interest in data protection. This is in the context of the recent release of footage relating to the former Health Secretary.
One of the challenges of being an Information Rights Law geek is that everyone has a challenge for you at a party. This is the opposite of barristers who practice in Criminal Law rarely find people asking them for help with an up-and-coming GBH prosecution over a glass of warm merlot over the wedding breakfast table.
This weekend my challenges invariably came from friends who opined “How can the Sun newspaper illegally obtain CCTV film of a minister of the crown snogging an employee in his office? There must be some GDPR issues in this?”
To break down the answer I always break down the answer into a logical flow as follows.
- Is this personal data? Answer: yes, as the location and pictures identify “natural persons”. Practitioners need to address personal data issues before any other.
- Who is the Data Controller? In this case, we will assume that the Data Controller is the Department for Health for now, not a third-party spying.
- Did the Data Controller/Data Subjects permit to share of the pictures? We assume no.
- Did the Sun newspaper have a legal basis to publish the information that they acquired without the permission of the Data Controller?
The issues are as follows:
- The Sun newspaper published personal data without the permission of the data controller (assuming it was not a covert spying operation)
- That the Sun did not have a legal basis to publish the information under GDPR and the 2018 Data Protection Act.
Section 170 s.1 of the Data Protection Act
Section 170 s.1 of the Data Protection Act 2018 makes outlines where it can be a criminal offence to do several things.
- It is an offence for a person knowingly or recklessly—
- to obtain or disclose personal data without the consent of the controller,
- to procure the disclosure of personal data to another person without the consent of the controller, or
- after obtaining personal data, to retain it without the consent of the person who was the controller of the personal data when it was obtained.
However s.170 provides a safeguard for whistleblowing journalists in sections 2 and 3 whereby the law clearly outlines the words:
- It is a defence for a person charged with an offence under subsection (1) to prove that the obtaining, disclosing, procuring or retaining:
- was necessary for preventing or detecting crime,
- was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
- in particular circumstances, was justified as being in the public interest.
It is also a defence for a person charged with an offence under subsection (1) to prove that—
- the person acted in the reasonable belief that the person had a legal right to do the obtaining, disclosing, procuring or retaining,
- the person acted in the reasonable belief that the person would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it, or
- the person acted—
- for special purposes,
- with a view to the publication by a person of any journalistic, academic, artistic or literary material, and
- in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.
Publishing in the Public Interest
If the decision is taken to publish in the public interest, it’s likely to be because the story would do one of these things:
- Correct a significant wrong or breaking of the law
- Bring to light information affecting public well-being and safety
- Improve the public’s understanding of, and participation in, the debate about a big issue of the day
- Lead to greater accountability and transparency in public life
So The Sun’s lawyers would have undertaken a balancing exercise of the public interest in favour of publication. This would be in the knowledge that if the information was given to them for reward by a third party, then the defence of publication in the public interest would provide further prosecution under sections 4 and 5 of the Data Protection Act whereby:
(4) It is an offence for a person to sell personal data if the person obtained the data in circumstances in which an offence under subsection (1) was committed.
(5) It is an offence for a person to offer to sell personal data if the person—
- has obtained the data in circumstances in which an offence under subsection (1) was committed, or
- subsequently obtains the data in such circumstances.
So The Sun would have ensured that there was a legitimate public interest in this story, enabling them to publish, and further supported by an exemption from many of the requirements of GDPR that reside in Schedule 2 Part 5 s.28 of the Data Protection Act 2018.
The exemption supports publication “in the public interest” for journalistic purposes. This also restricts the right to compensation (GDPR Article 85.2). The publication is required to follow codes of practice where they exist.
The Sun lawyers would have also undertaken a review of their obligations under the common law torts of Confidentiality, unlikely to be an issue here. The fairly new tort of misuse of private information and the Article 8 Human Rights issues related to the party’s privacy.
The public interest test in a Minister of the Crown breaking the law is likely to be the key to successful unchallenged publication. The subsequent hounding of the partners and children of the two involved in the “embrace” is not part of the same “public interest” and would need a new assessment if personal data were used to justify publication.
The purpose of the law is to ensure journalistic reporting can carry on and the press is free without legislative burden to publish following an assessment of the public interest. As we get to know more about the case, the covert filming of an employee at work is another matter and one I will address later this week as we glean more information on who exactly was the Data Controller in this case.
 The codes of practice and guidelines are (a)BBC Editorial Guidelines; (b)Ofcom Broadcasting Code;(c)Editors’ Code of Practice.
We do offer a CCTV audit if this is something your organisation is concerned about. You can read more about the lawful use of CCTV in the workplace here.
Get in touch with us via our contact form or call 0203 3013384 if you would like to find out more information.
by Nigel Gooding, LLM (Information Rights Law & Practice)
Nigel is founder of the Data Privacy Advisory Service, and he plays a vital part in our success. Due to his extensive experience, Nigel is recognised as a leading expert in the industry.