Guidance for freelances on the General Data Protection Regulation (GDPR)
Guidance on the business implications of GDPR obligations for freelances.
Regulation (EU) 2016/679 – the General Data Protection Regulation – was adopted in April 2016 and applies from 25 May 2018, when its two-year "transition period" ends. The UK Data Protection Bill had – in mid-April 2018 – still not become law. The GDPR obligations apply regardless of Brexit.
Although exemptions from some parts of the law apply to activities such as journalism (preparing material for publication), freelances have to comply more generally as "business entities". (Staffers – and those on short-term contracts – need to be familiar with their employing organisation's policies.) This interim note covers only the business implications – not the separate concerns regarding the journalism exemptions or the implications for trade union activists.
Data protection law is based on several principles – those covering the nature of data, consent, data storage and security are most pertinent to freelance NUJ members (regardless of whether their work is for books, magazines, newspapers, broadcasting, new media or PR and communications).
Anyone who, for business purposes, collects and processes data that can identify another person must comply with the law and pay an annual fee to the regulator, the Information Commissioner's Office (ICO). The ICO has its own (often confusing and unhelpful) terminology.
Sole traders and directors of small companies are – because they do everything – likely to be both data controllers and data processors for ICO purposes. Freelances (whatever your corporate status – see Section 33 of the Freelance Fact Pack) should use the ICO online checklist; it will normally find that you are in scope, because holding ("processing") information electronically (which includes using a camera or phone) counts as processing, and freelance work (directly or indirectly) includes:
- Accountancy and auditing
- Advertising, marketing and public relations for others
- Consultancy and advisory services
- Debt administration
- Journalism and media
- Research and
- Training
The first principle concerns the nature of data. The (UK) Data Protection Act 1998, the GDPR and the Data Protection Bill 2017 define "personal information" and establish that images (and sound recordings) from which someone is identifiable are data. They also stipulate that some information – such as a person's politics, sexuality, criminal record, ethnicity, faith and trade union membership – is categorised as (additionally) sensitive personal data with stronger obligations regarding disclosure. Photographs are included as data when people can be identified either in the image itself or from accompanying metadata and/or captions.
The next principle is consent. The fundamental principle is that individuals must give active consent for their details to be retained and used. Obtaining active consent may not be necessary when information is gathered and retained for purposes of journalism (preparing material for publication), providing such data is still processed within the other principles. Active consent may also be unnecessary if data is processed for legitimate interests such as "reasonable" marketing activities or processing invoices. However, where sensitive information or details of a child are concerned, lawyers advise that active consent should be sought. (This then poses further questions about the authority of an adult to give such consent, its scope and the potential complexities of business arrangements between freelances and their clients.)
The data retention principle says information should only be kept for as long as "necessary". (For example, UK HMRC requires that financial information is kept for at least six years. Copyright exists in many works until 70 years after the death of the creator – so retaining such data is "necessary".) The ICO Guide to Data Protection (February 2018) says processing may be unlawful if it results in infringement of copyright, so processing to protect copyright should be lawful (although this has not been tested in the courts).
The data security principle requires information to be guarded "adequately" – so any storage medium should be at least password protected. This includes external drives, USB sticks and SD cards, including those in phones. Note that a login password on its own does not protect the contents of a lost or stolen drive, which can simply be read in another machine; "adequate" for portable media in practice means encryption (full-disk or an encrypted container), with the password or key kept separately from the device.
In effect, this probably means sole traders/freelances should have separate personal and professional e-mail accounts and keep personal and professional contact details entirely separate. Computers and back-up storage devices should not be shared (even with family members or partners who are not part of the business) unless professional files are separately password protected. Paper records are covered by data protection rules too, so ideally these should also be kept secure.
Other principles cover: the purposes for which data is processed and stored; adequacy – which says it must be kept to a minimum; accuracy – which requires it to be up-to-date and everyone must allow corrections to be made; rights of individuals under data protection law and the international principle that any data transferred outside the European Economic Area must have adequate protection for the individual rights and freedoms. The "cloud" is covered too.
Everyone in business, regardless of whether they are required to pay the annual data protection fee, must draw up a clear policy on the way they observe each of the principles – and comply with the strengthened GDPR requirements.
Fees
Although "registration" is not universally required by the GDPR, anyone (apart from a few very specific exceptions) must pay an annual data protection fee to the ICO. For business entities with a turnover of up to £632,000 a year or no more than 10 staff (the ICO's lowest tier), this is £40 a year (or £35 if paid by direct debit).
Fees come into effect when existing registrations end. They have to be paid online, a process that takes about 15 minutes the first time. You will need: a credit/debit card; details about the organisation(s)/individual(s) you are registering, such as a Companies House number (if applicable), name, address. The ICO sends out e-mail reminders and receipts.
The ICO will publish a list of everyone who pays the fee.
NUJ advice
Anyone keeping information about another person for professional reasons must obey the law – and pay the annual data protection fee. An e-mail address that includes someone's name is considered an identifier – and enough to bring a sole trader within the scope of the law. (The fee is not payable if you only process data for your own staff administration, advertising, marketing and public relations, accounts and records. However, you still have to obey the rest of the law.)
All traders should have data protection policies covering how they meet each of the principles. These should be published on business websites and be available on request. (A sample is attached; however, the NUJ cannot accept any legal responsibility for its accuracy.) It should be edited for individual purposes and circumstances.
Freelances not wishing to make their home addresses publicly available can use the NUJ's London headquarters as their contact address. To arrange this, e-mail [email protected] with "data protection address request" in the subject field.
Privacy policies
NUJ members with websites should publish a data protection statement. (This is subject to revision when the Data Protection bill becomes law and further advice becomes available from the ICO.)
(Name) respects the privacy of website users.
(Name) is based in the UK and uses and retains information for business and professional purposes in line with UK data protection regulations.
(Name) may use Google Analytics. Google Analytics generates statistical and other information by using cookies on users' computers. This information helps create usage reports. Google stores this information and publishes its own privacy policy. (Similar clauses need inserting to cover other external data functions.)
Personal information
(Name) will only use personal information to:
- provide specifically requested information (i.e. answer your e-mails or contact you when necessary),
- send you communications we/I think may interest you, and
- carry out our legitimate business that may include providing communications services for others, consultancy and advisory services, education, training and preparing information with a view to publication.
Please inform us/me if you do not wish to receive any of our communications.
Consent
Consent is sought wherever and whenever possible and required. However, some information may be held for journalistic purposes, where consent is not required. (This will be clarified when the Data Protection Bill completes its passage through Parliament, which will establish the exemption covering journalism, literature and art.)
Disclosures
(Name) will only disclose personal information where we are/I am required to do so by law.
Information security
(Name) takes reasonable technical and organisational precautions to prevent the loss, misuse or alteration of personal data. All information provided is stored on secure (password- and firewall-protected) servers and devices. (Name) cannot guarantee the security of data sent over the internet.
Data protection policy amendments
(Name) may update this policy from time to time by posting revisions here. Please check here occasionally for any changes.
User rights
Users may request copies of personal information held by (Name), subject to
- providing appropriate evidence of identity – such as a copy of the photo pages of a passport certified by a solicitor or bank plus a copy of a (utility) bill showing your current address.
(Name) may withhold information within legal limits.
By e-mailing (Name), you authorise (Name) to retain such personal information within the scope of current legislation.
Other websites
(Name) accepts no responsibility for the content, privacy policies or practices of other websites.
Updating information
Please inform (Name) if personal information needs correcting or updating.
Questions
Queries about this policy and data retention should be sent to:
email address _____________ or by post to:
Data Controller, (Name), then address or
c/o National Union of Journalists, Headland House, 72 Acton Street, London WC1X 9NB
The data controller is (name). The data protection fee number is .
NOTE: This information is for guidance only. Neither the NUJ nor the author(s) can accept liability/responsibility for its completeness or accuracy. Where doubt exists, qualified advice should be sought.
This advice was prepared on 12 April 2018 and is believed to be correct at that time. The Data Protection Bill still before Parliament will clarify some aspects of the 'journalistic exemption'. This guidance is based on original works by Adam Christie, Mike Holderness and Tamsin Allen. It may not be reproduced without permission.