ico-logo-blue-grey-370x229Five days ago, the Conservatives outlined their plans for implementing the Leveson Recommendations (the Recommendations”) by creating an independent panel, established by Royal Charter, to verify that any new press regulator is effective. Yesterday, the Information Commissioner put a spanner in these works; he has published outline plans for his own voluntary Code of Practice and is consulting on its possible content.

This blog explains why an ICO Code of Practice, if eventually published, could help aggrieved data subjects, and why I expect it to be opposed by the press.

Both Labour and the Liberal Democrats disagree with the Mr. Cameron’s preferred voluntary system of press regulation. Many MPs from these Parties want a statutory underpinning of the regulatory structure by statute whilst the Prime Minister believes that this could threaten the freedom of the press. The ICO’s Code of Practice would be a voluntary Code; there is no statutory underpinning of the Code but, as will be seen, any future Parliament could decide to underpin.

The press and also many MPs continue to (deliberately) conflate statutory regulation of the press (e.g. as in full state control) with statutory underpinning of the regulatory regime that applies to the press (e.g. because many argue that the old voluntary system of regulation has palpably failed). The ICO’s Code of Practice, if there were to be a failing of the press to comply with a decision of any non-statutory press regulator could therefore come into play. To some extent the ICO’s Code would therefore create a fall-back position for aggrieved data subjects.

Readers of the blog already know that I think you can have statutory underpinning of the Recommendations via very modest changes to the definition of “Special Purposes” under the Data Protection Act (see references). The advantage of my approach is that you do not change the balance between press freedom and privacy that the press has readily accepted since 1998.

The ICO’s approach in his outline voluntary Code of Practice similarly does not disturb this balance. So it is interesting to speculate how such a Code of Practice could work for the press, even assuming no change to the Section 32 exemption.

As is well known, this Section 32 exemption is pretty wide: it includes all the Data Protection Principles except the Seventh Principle (dealing with security), the right of access and objection. This exemption applies so long as the press-related data controller believes that the special importance of the public interest in freedom of expression is served by the processing of personal data, and that the processing of such data is with a view to publication.

Section 32(3) states that when considering whether “the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice”. Clearly any Code of Practice that concerns the press, produced by the ICO, is going to be highly relevant to the publication in question.

So this explains one reason why the ICO is thinking of producing a Code of Practice; the existing DPA provides that one can be created and the Press Complaints Commission (PCC) Code is set to disappear. A second reason is that the ICO was expressly criticised in Leveson for not using his enforcement powers against the press; a Code of Practice is the current Commissioner’s response to that criticism. A third reason is that the ICO’s Code is likely to exist well before the new regulatory framework is established; in this way, the ICO can influence events.

However, there is a sting in the tail here. If the eventual ICO Code is designated by the Secretary of State (as is the current PCC Code of Practice: by SI 2000 No. 1864) then, in theory, serious non-compliance with the Code is likely to bring enforcement action by the ICO beyond that of any new press regulator.

Of course, the current Secretary of State might not designate the ICO’s Code, but it only needs one future Secretary of State to designate the Code, then it becomes an important component of the press regulatory regime.

The ICO’s Code has picked up the approach used by Mr Jay during the cross examination of the current and previous Commissioners at Leveson. Mr Jay employed a simple argument to state that the Section 32 exemption did not apply in many circumstances; his argument goes as follows:

  • Does the Section 32 exemption apply to any personal data processed by the press with “a view to publication”? Answer “yes”.
  • When the press obtains an ex-directory number (for hacking purposes), is it likely that the press would publish the ex-directory number? Answer, of course, “no”.
  • It follows that with regards to ex-directory numbers, there is no “view to publication” of personal data and so the Section 32 exemption does not apply.

Now, if you expand Mr Jay’s line of argument, you can understand the implication of the questions posed by the ICO  in the chapter in the proposed Code which focuses on the section 32 exemption. These questions (followed by my comments) are as follows:

  • When does the exemption apply? (Comment: here the ICO is implying that the exemption does not apply to some processing of personal data by the Press);
  • Where section 32 does apply, what rights and obligations flow from the Data Protection Act? (Comment: here the ICO is saying that data subject rights and all Principles can apply to some personal data processed by the Press);
  • Are there minimum standards of good practice which apply to the handling of personal data in all cases? (Comment: here the ICO might have fair and lawful obtaining in mind);
  • When is personal data processed only for the special purpose of journalism? (Comment: here the ICO is implying that personal data such as contact telephone numbers may not be processed for the special purpose of journalism);
  • When is processing undertaken with a view to publication of any journalistic material? (Comment: here the ICO is implying that personal data that do not have a view to publication cannot claim the exemption);
  • When is it reasonable to believe that publication would be in the public interest? (Comment: here the ICO is implying that personal data that are processed not for a public interest purpose cannot claim the protection of the S.32 exemption)
  • When is it reasonable to believe that compliance with a relevant provision of the Data Protection Act would be incompatible with the special purpose of journalism? (Comment: here the ICO is implying that fair processing practices are often compatible with the special purpose of journalism so no exemption is needed)
  • What role can other codes of practice play when considering the above? (Comment; the Privacy Notice Code and perhaps Codes in connection with surveillance or telephone monitoring come into mind).

It is worth noting that the ICO’s proposed Code would make an explicit reference to the Human Rights Act and its role in defining the “relationship between data protection and freedom of expression, demonstrating how the two concepts co-exist; and explaining why high standards of information-handling are not inconsistent with the freedom of the press”. This means that unlawful processing (and the link with Article 8 and all the case-law in this area) is very strongly in play (see references).

For this reason, in particular, I suspect the press will oppose the Commissioner’s Code and will try to discredit it. However, they may find it hard to do because they have accepted the current data protection arrangements since 1998. Any ICO Code is voluntary, and the press are as free to ignore the ICO Code as it has its own PCC Code. In addition, if designation of the PCC’s own Code of Practice a decade ago was not opposed by the Press, why should the ICO one be opposed?

Finally, Leveson was adamant that the data protection regime should be strengthened; any taking away of the Code of Practice provisions in Section 32 would signal the Government’s intent to further weaken the Leveson Recommendations.

The idea of a Code based on data protection can work; so get engaged in the consultation.

This post originally appeared on the Hawktalk Blog and is reproduced with permission and thanks