Agentless Backup is Not a Myth

Analysis Prime Minister David Cameron has expressed "serious concerns and misgivings" over bringing in laws to underpin any new body to regulate the press.

Mr Cameron told MPs that legislation backing a regulatory body underpinned by statute would "cross the Rubicon" by writing elements of press regulation into the law for the "first time". Because of this, Mr Cameron is “not convinced at this stage that statute is necessary to achieve Lord Justice Leveson’s objectives”.

Firstly, the statutory framework. In the Data Protection Act (DPA) there are defined Special Purposes that can exempt certain activities from the act, and journalism is one of them. To keep this privilege in check, there is a Special Purpose enforcement mechanism, enforced by a statutory regulator - the ICO, underpinned by a statutory appeals mechanism: the tribunal system.

Although members of the press don't take much notice of the DPA because, wrongly, they think they are wholly exempt thanks to the Special Purpose proviso in Section 32 of the law, there is a regulatory structure that applies to the personal data they process.

For instance, the Seventh Principle of the act - which handles the computer security aspect of "unauthorised or unlawful processing of personal data" - is not exempt in Section 32 and fully applies to all data processing by the press.

So, if the press lost personal data relating to an exclusive exposure of a celebrity’s peccadillos after a heavy liquid lunch on expenses that are not subject to FOI requests, that security breach would be a reportable data loss under the current data protection arrangements. Such a loss could even attract a Monetary Penalty Notice (a statutory penalty) as sensitive personal data would have been lost.

In addition, the Section 32 exemption applies to personal data processed “with a view to publication”. So personal data not subject to a “view to publication” is fully subject to the act and the Section 32 exemption does not apply. For example, when the press unlawfully obtained ex-directory numbers, they had no intention to publish these numbers, so the personal data was not held "with a view to publication" and the First Principle ("personal data shall be processed fairly and lawfully") would apply fully.

Judges already wield data protection laws against journalists

Even with the Section 32 exemption the rest of the exemption was only meant to apply up to the point of publication (see Naomi Campbell*). There are numerous court cases involving judges applying the data protection principles to press activities. The point being made is that processing by the press is already subject to a statutory framework which is legally tested.

Indeed, in the post-Leveson era, one can expect that much more processing by the press will be identified as fully subject to the statutory-based DPA.

Even the existing Press Complaints Commission’s Code of Practice has statutory status under the DPA in exactly the same form as the Ofcom Broadcasting Code (originally published by the Broadcasting Standards Commission under section 107 of the Broadcasting Act 1996). Both these codes, one voluntary and the other statutory regulated, are equated by the Data Protection (Designated Codes of Practice) (No. 2) Order 2000.

The explanatory memorandum for this order states that both codes have been designated “for the purposes of section 32(3) of the Data Protection Act 1998” and that “compliance with any of the designated codes may be taken into account when considering for the purposes of section 32(1)(b) of the act whether the belief of a data controller that the publication of any journalistic, literary or artistic material would be in the public interest was reasonable”.

In other words, personal data processed by the press is subject to a detailed statutory regime, and the current Press Complaints Commission’s Code of Practice has a statutory underpinning in relation to that processing "in the public interest".

So whatever the reason for not having a statutory provision that requires the independent regulator to be created, it is not because this is a "first" attempt.

That is why my urgent telegram message to Mr Cameron is quite simple: “Rubicon crossed. Not 'first time'. Valid excuse needed". ®

Bootnotes

* Naomi Campbell v MGN Ltd. [2002] EWCA Civ 1373 (14 October 2002) (from paragraph 108); changed the status of the S.32 exemption from that debated in Parliament.

Just a thought: could the Information Commissioner have stopped the use of ex-directory numbers by the press? And for more details of Leveson’s recommendations regarding data protection, check out the Panopticon Blog.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

What you need to know about cloud backup