IOLIS Legal Services

3 August 2020

How should your organisation handle a leak to the media?

Finding out that the media has confidential information about your organisation from a leak can feel devastating.

The fall-out can include significant reputational damage and serious legal problems, as one professional sport governing body has recently discovered.

The body started an investigation after receiving allegations of wrongdoing involving two high profile professional athletes at one of their clubs.

However, someone leaked details of the investigation to the media, which published stories detailing the allegations, claiming they were in the public interest because of their seriousness and because they involved professional athletes who were in the public eye.

The athletes themselves were furious that the newspapers got hold of these allegations and demanded to know whether there had been a deliberate leak or a data breach.

Now, the governing body has a huge dilemma.

Does it admit that someone leaked the details and that running these stories is allowed even though the body doesn’t yet know who did it?

Or, should it just inform the Information Commissioner’s Office (ICO) that there has been a personal data breach?

The ICO is likely to have an excellent case for acting and the governing body could face a substantial fine for the breach.

That could also pave the way for costly civil action against the body by the athletes.

It could be facing a substantial fine, significant damages, and the expense of court costs.

What does the UK law say about data privacy and journalism?

Article 85 of the General Data Protection Regulation (GDPR) says there is a need to reconcile the rights of a data subject and the right to freedom of expression and journalism. Essentially, each country can create its own variations, called derogations.

In the UK, schedule one of the Data Protection Act (DPA) 2018 allows the disclosure of personal information for journalism, subject to meeting certain criteria.

They include if there have been unlawful acts and dishonesty by the data subject, malpractice, unfitness or incompetence of a person, or mismanagement in the administration of an association or body, all provided there is substantial public interest.

The media may process the information based on schedule two of the DPA 2018.

It says personal data can be released for “special purposes” including journalism if the controller reasonably believes that the publication of the material would be in the public interest.

In determining whether publication would be in the public interest, the data controller must consider the special importance of the public interest in the freedom of expression and information.

The data controller must take into account these codes of practice and guidelines: the BBC editorial guidelines; Ofcom’s broadcasting code; the editors’ code of practice.

There are many other issues which may need to be taken into account when personal data is released such as whether the individuals named are under age, whether the data is special category such as medical records or information about criminal convictions, the right to information rectification, the right to erasure, and the need to consult the ICO before high risk processing.

Given that complexity, it’s vital that both the organisations who suffer a leak to the media and the journalists who wish to use the information get professional advice from an experienced data protection specialist before they devise their plan of action.

What is personal data?

This is defined as data which could identify an individual, including names, addresses, email addresses, banking details, credit card numbers, and IP addresses.

GDPR says personal data like this must be collected, stored, processed, and destroyed securely.

Special category data requires a higher level of data protection. This includes information about political opinions, ethnicity, religion, medical information, data about criminal convictions, and biometric information.

How should a personal data breach be handled?

GDPR says that organisations must inform the relevant authority within 72 hours of discovering a personal data breach, where feasible.

In the UK, that’s the ICO.

In the most serious cases, the data subjects themselves should also be informed directly.

Every organisation should have robust processes to detect and investigate personal data breaches.

If someone deliberately leaks information to the media, could that be a data breach?

Yes, it could be. GDPR says deliberate action by a data controller or processor is a breach, as is accidental action.

So, an organisation in the UK must report it to the ICO within 72 hours of becoming aware of it.

It will then investigate, and it could impose a penalty if it finds a breach where there is no mitigation for journalism in the public interest. Although the ICO doesn’t always issue a penalty, the investigation is likely to prove disruptive.

When a breach is reported, the ICO will look at who is affected by the personal data breach, how many people are involved, and what the consequences are for them, and will take into account whether the organisation reported the matter to it swiftly.

Could damages be claimed even when there is no provable financial loss or distress from a breach?

A recent case in the says yes, it is possible.

In October 2019, the Court of Appeal issued a ruling in the case of Lloyd v Google which said that damages can be awarded for loss of control of data.

This particular case comes under the Data Protection Act 1998 (the DPA) but the principle will hold under the current legislation and applies even if there is no monetary loss and no provable distress.

After the precedent set by this case, it’s likely that GDPR and DPA 2018 will be interpreted in this way too.

Richard Lloyd is bringing a class action against Google on behalf of more than four million people affected by the Apple iPhone Safari Workaround between 2011 and 2012, claiming browser generated data was taken without consent.

The October 2019 ruling meant his case could go ahead without proving specific damage to each individual because each person lost the same thing of value, their data, in the same way.

What’s the take-away?

Without knowing who leaked the information and what the leaker’s motivations were, the sporting body is facing an extremely difficult choice.

The decision it makes must be informed by the fine detail of the situation and expert legal advice on data protection.

It’s important to remember that the legislation is complicated, with different regulations and legal precedents impacting on one another.

It’s easy to make a situation such as a leak to the media a whole lot worse by acting without getting good advice.

Do you need more expert legal advice on data protection legislation? Please call us on 029 2000 2339 or email contact@iolis-legal.com.

IOLIS Legal Services is a trading style of IOLIS Ltd. Regd in England & Wales. Company Number 11968202. Regd office: International, House, 10 Churchill Way, Cardiff CF10 2HE. Total paid up share capital £10.
© 2020 IOLIS Ltd. | Website designed, hosted, and maintained by Jötnar Systems