Finding out that the media has confidential information about your organisation from a leak can feel devastating.
The fallout can include significant reputational damage and serious legal problems, as one professional sports governing body has recently discovered.
The body started an investigation after receiving allegations of wrongdoing involving two high-profile professional athletes at one of its clubs.
However, someone leaked details of the investigation to the media, which published stories detailing the allegations, claiming they were in the public interest because of their seriousness and because they involved professional athletes who were in the public eye.
The athletes themselves were furious that the newspapers got hold of these allegations and demanded to know whether there had been a deliberate leak or a data breach.
Now, the governing body has a huge dilemma.
Does it accept that someone leaked the details and that the media is entitled to run these stories, even though the body doesn’t yet know who did it?
Or, should it just inform the Information Commissioner’s Office (ICO) that there has been a personal data breach?
The ICO is likely to have an excellent case for acting and the governing body could face a substantial fine for the breach.
That could also pave the way for costly civil action against the body by the athletes.
It could be facing a substantial fine, significant damages, and the expense of court costs.
What does the UK law say about data privacy and journalism?
Article 85 of the General Data Protection Regulation (GDPR) says there is a need to reconcile the rights of a data subject with the right to freedom of expression and journalism. Essentially, each member state can create its own variations, known as derogations.
In the UK, Schedule 1 of the Data Protection Act (DPA) 2018 allows the disclosure of personal information for journalism, subject to meeting certain criteria.
The criteria include unlawful acts or dishonesty by the data subject; malpractice, unfitness or incompetence of a person; or mismanagement in the administration of an association or body, all provided there is a substantial public interest.
The media may process the information under Schedule 2 of the DPA 2018.
It says personal data can be released for “special purposes” including journalism if the controller reasonably believes that the publication of the material would be in the public interest.
In determining whether publication would be in the public interest, the data controller must consider the special importance of the public interest in the freedom of expression and information.
The data controller must also take into account these codes of practice and guidelines: the BBC Editorial Guidelines, Ofcom’s Broadcasting Code, and the Editors’ Code of Practice.
Many other issues may need to be taken into account when personal data is released, such as whether the individuals named are underage, whether the data is special category data such as medical records or information about criminal convictions, the right to rectification, the right to erasure, and the need to consult the ICO before high-risk processing.
Given that complexity, it’s vital that both the organisations who suffer a leak to the media and the journalists who wish to use the information get professional advice from an experienced data protection specialist before they devise their plan of action.
What is personal data?
This is defined as data which could identify an individual, including names, addresses, email addresses, banking details, credit card numbers, and IP addresses.
GDPR says personal data like this must be collected, stored, processed, and destroyed securely.
Special category data requires a higher level of data protection. This includes information about political opinions, ethnicity, religion, medical information, data about criminal convictions, and biometric information.
How should a personal data breach be handled?
GDPR says that organisations must inform the relevant authority within 72 hours of discovering a personal data breach, where feasible.
In the UK, that’s the ICO.
In the most serious cases, the data subjects themselves should also be informed directly.
Every organisation should have robust processes to detect and investigate personal data breaches.
If someone deliberately leaks information to the media, could that be a data breach?
Yes, it could be. GDPR says that deliberate action by a data controller or processor can constitute a breach, just as accidental action can.
So, an organisation in the UK must report it to the ICO within 72 hours of becoming aware of it.
The ICO will then investigate, and it could impose a penalty if it finds a breach where there is no mitigation for journalism in the public interest. Although the ICO doesn’t always issue a penalty, the investigation is likely to prove disruptive.
When a breach is reported, the ICO will look at who is affected by a personal data breach, how many people are involved, what the consequences are for them, and take into account whether the organisation reported the matter to it swiftly.
Could damages be claimed even when there is no provable financial loss or distress from a breach?
A recent case says yes, it is possible.
In October 2019, the Court of Appeal issued a ruling in the case of Lloyd v Google which said that damages can be awarded for loss of control of data.
This particular case comes under the Data Protection Act 1998 (the DPA 1998), but the principle will hold under the current legislation and applies even if there is no monetary loss and no provable distress.
After the precedent set by this case, it’s likely that GDPR and DPA 2018 will be interpreted in this way too.
Richard Lloyd is bringing a class action against Google on behalf of more than four million people affected by the Apple iPhone Safari Workaround between 2011 and 2012, claiming that browser-generated data was taken without consent.
The October 2019 ruling meant his case could go ahead without proving specific damage to each individual because each person lost the same thing of value, their data, in the same way.
What’s the takeaway?
Without knowing who leaked the information and what the leaker’s motivations were, the sporting body is facing an extremely difficult choice.
The decision it makes must be informed by the fine detail of the situation and expert legal advice on data protection.
It’s important to remember that the legislation is complicated, with different regulations and legal precedents interacting with one another.
It’s easy to make a situation such as a leak to the media a whole lot worse by acting without getting good advice.