blog

Data Protection Policy

As a freelance journalist, I collect, store and process personal data belonging to many different data subjects. This policy describes the different data types, how and why they are collected and processed, gives an outline of the steps taken to secure them, and gives information on how to submit Subject Access Requests and other related communications. I believe it is compliant with the EU's General Data Protection Regulation (GDPR), the full text of which is available at this link.

This policy is relatively lengthy because I want it to be comprehensive, but I have tried to use plain language to make it easy to understand. If there are any queries arising, please use this website's contact page to get in touch, and I will do my best to answer.


Types of personal data collected, stored and processed:

Data collected generally fall under four different headings:

1 - email/digital, phone and physical contact details
Collection usually occurs when the subject contacts me, or when they have given me their email or other contact details (for example, by handing over a business card when meeting in person, or when that information has been published online or made available during a conference presentation: these data will be considered under GDPR as data that have manifestly been made public). Very occasionally, contact information may be passed on to me by a third party, but usually this is only where that information is similarly widely available (for example, contact information for a PR professional which may be given to me by a fellow journalist or by another PR person).

2 - further personal data included in emails received
If and when correspondence takes place, the data subject may include further personally identifiable information beyond contact details.

3 - personal data included in interviews I conduct
The purpose of my business is to research and write articles for a range of different publications. The primary means by which I obtain information for these articles is through interviews with people who have expert knowledge of the subject. These interviews are recorded, usually to a digital audio device, and are stored in an audio file format; after recording, I make a manual transcription of the interview, using a piece of software that speeds up the process, and I then output the finished transcript as a word-processor document. Each interview is therefore stored in three different digital formats. The file names will usually include the interviewee's name, and often their company or business affiliation. The interview itself may contain further personally identifiable information.

4 - financial information (bank account details, etc.)
These data are only collected from clients, to enable them to pay me; or from suppliers, to enable me to pay them.

This website collects no data on any site visitors, except for that provided via the contact page: use of this page generates an email to me which is stored and processed in the same way as all other incoming emails.

This website does not use cookies, does not carry advertising or any other third-party content which may include cookies or other data-collection technologies, and does not knowingly track site visitors for any purpose.

For some years, this website offered the option for visitors to submit email addresses if they wished to be sent email alerts when new articles were published. This service has been discontinued and the email addresses submitted for this purpose have been deleted.


Data processing and retention:

Article 6 of the GDPR outlines six bases on which the processing of personal data can be considered lawful. The basis on which this policy primarily operates is that outlined in Article 6, paragraph 1, subheading (e) - processing is necessary for the performance of a task carried out in the public interest. However, several other bases also apply to some categories of data. These are noted below. I do not rely on consent as a basis for lawful processing.

Personal data in the categories described above are stored indefinitely. The reasons for this are as follows.
  
Contact details are kept because it is the nature of my business to need to contact people at some indeterminate point in the future, when and if further information may be made known to me that could lead to a new article being written. Sometimes a follow-up story may be commissioned where I need to contact sources for updates. Deleting contact data after a given period may therefore prevent me from writing accurate and up-to-date articles. Many of my business contacts are in the PR industry and I will work with them on different stories on different occasions - I need to retain their contact details so I can approach them to help with other stories in the future.

Emails (both received and sent) are kept because, usually, email is the means of establishing contractual agreements with clients (such as confirming details of the brief for an article I supply, the terms under which it will be provided and my work licensed, the deadline, word count, fee, and other necessary details), so it is necessary for me to retain those mails in order for me to be able to verify - and, if necessary, prove - such key issues as ownership status of the work I do, payment timescales, license terms, payment rates, etc.. This means that processing of these data may additionally be covered by the legal basis cited in Article 6, paragraph 1, sub-heading (b).

On many occasions, email is the only means by which I have contact with a person or company, and by which they update me with changes to their contact and other details: therefore my archive of emails has become my main contact-information database. Identifying other personal data in emails and deleting only the mails that contain those additional details would have to be done manually, by reading and reviewing the contents of every email sent and received, which would be impractical (and indeed perhaps impossible) for a sole-trader business. If anyone wishes to request deletion of specific emails, please get in touch via this site's "contact" page and give details of the email(s) in question, including the date sent (if the full date is unknown, please at least give the month and year).

Interview recordings and transcripts are kept for three reasons.
- Firstly, in case a legal objection arises to an article I have written or a query is raised over copyright, I need to keep accurate records of interviews in order to be able to prove that my reporting is accurate and to prove the copyright status of the work I produce. While there is a time limit on libel actions, in certain jurisdictions this limit starts not from the date of initial publication but the date on which an online version of the article is first accessed by the complainant; also, my work is occasionally re-sold through syndication agencies so an old article could be republished at some point in the future and that new publication would re-set the clock on potential libel action. Copyright exists for the life of the author plus 70 years, so retention for this purpose is necessary beyond my lifetime. This is covered by the lawful processing basis outlined in the GDPR's Article 6, paragraph 1, subheading (c)
- Secondly, and particularly in the case of my writing about music, there may be commercial interest in archive interview material to which I own the copyright, and writing articles based on archive material is a significant source of business to me. This processing is, I believe, lawful under Article 6, paragraph 1, subheading (f), in addition to those in subheading (e). Article 89 of the GDPR, which covers processing for archival purposes in the public interest, may also apply to this processing
- Thirdly, my archive of past interviews is routinely used by me as research for new articles. I often end up conducting further interviews with the same interviewees, or on the same topics with other interviewees, and retaining access to previously obtained material ensures that new interviews are as well-informed as possible, resulting in better and more accurate understanding and reporting of the subject.

If and when guidance is issued by the Information Commissioner's Office which contradicts my understanding of the lawful bases for my processing and retention of these data, or if case law refines or alters this understanding, I will update this policy and my processes accordingly. 

Financial details are kept to enable me to be paid by clients, and for me to be able to pay suppliers.

Data sharing:

Apart from where required by the publishing process, or to comply with my legal and/or regulatory obligations, or to facilitate payments to and from my business, no personal data are sold, shared, divulged or passed on to any third party without express and specific permission of the data subject.

The publishing process involves me submitting personally identifiable information on interviewees to editors and publishing companies. Usually, the only information shared with them will be those details included in the final draft of the article to be published. Very occasionally, fact-checkers or sub-editors may request corroboration of information contained within the articles I produce, and, if necessary, I may supply them with contact details of a PR person or other intermediary in order to obtain that confirmation. Designers at magazines and websites sometimes request PR contact details to source photographs and other imagery to accompany the articles I produce. Since PR professionals are in business to manage the public profiles of their clients through interaction with media professionals, and because contact details for them are usually made public through websites, business cards, industry-wide mailouts, and other methods, I generally do not check with those PR people before passing on their contact details to anyone else involved in the publishing process. If any PR professional objects to this, please let me know, and I will ensure such information is never shared without specific permission.

Since I first began working as a journalist in the late 1980s, I have never been asked by an editor or publisher to share direct contact details for an interviewee or source. If I am ever asked to do this I will refuse.

I will never divulge the identity of any interviewee or source who has requested anonymity. When working with anonymous interviewees I will usually seek to establish a certain baseline of information I am able to publish, to give the reader some means of understanding what weight and authority to assign to the material (eg saying that the information came from "an industry insider" or "a source familiar with the matter"). If an editor requires some additional information before publishing work written by me that is based on interviews with anonymous sources, I will only confirm the level of detail agreed at the time of the interview with the interviewee, and will not divulge any additional details that could lead to a third party being able to derive the identity of the individual.

Financial details are shared with my bank and other financial-services providers solely for the purposes of paying bills and receiving payments from clients. These data are not used for any other purpose, and will never be shared with any other entity than those involved in the monetary transaction for which they have been supplied.

Data security:

All data are stored securely, using appropriate and up-to-date technologies. I do not disclose the precise details of my security arrangements. An outline of my data-security processes is as follows.

I do not use any cloud-computing services to store any data (though sometimes data are transferred to me via services such as Dropbox: this will be at the sender's choice, and responsibility for uploading them to their chosen service, and deleting them thereafter, is theirs and not mine). All data are stored by me, on devices I own. This limits the amount of possible connections to my digital data and therefore reduces the exposure of those data to the risk of unauthorised access. Risk is minimised further by removing older data from devices connected to the internet wherever practical and possible.

Emails, interview recordings and transcripts, and financial data are stored on a desktop computer that is connected to the internet most of the time it is in use. The desktop computer's hard drive is encrypted and protected by a strong password, a firewall is in use, the internet connection goes through a Virtual Private Network to anonymise and encrypt data in transit, and a regularly updated anti-malware system is installed and operating at all times.

Emails, Interview recordings and transcripts are additionally stored on an encrypted, password-protected device used as an on-site backup. This device is never connected to the internet, and backups are only made when the computer is offline. A second such device is stored at a remote location: it too is never connected to the internet, and information is backed up to it only when the computer it is backing up is offline. Strong locks and insurance-compliant physical security measures are in place where the desktop computer is stored. Off-site backups are stored in a location with significantly higher levels of physical security.

Data are also stored on a laptop computer. Data held on this device are deleted from it after the project they are being used for is no longer currently active. The laptop is encrypted and password-protected, so that, in the event of the laptop being lost or stolen, the chances of a third party being able to access any of the data stored on it are as low as I can possibly make them.

Until I download emails to my desktop computer, those emails are stored on servers either owned or managed by my email service provider. That service provider has assured me that their data-security processes are compliant with GDPR and that data are stored on servers physically located within the UK. To limit the risk of unauthorised access to my email account, two-factor authentication is required to access my email account.

Email addresses and other contact information for work projects may additionally be stored in an electronic address book within my email account, hosted by my email service provider, so that I have access to contact details while away from my office. I believe this offers a higher level of security than storing those data on my laptop computer, or by writing them into a physical address book. These data are protected by my service provider's digital security systems, and can only be accessed via the email account's two-factor authentication system.

A limited amount of data - names and telephone numbers - is stored on my mobile phone. The phone is not a smartphone and these data cannot be accessed by anyone who is not in possession of the device. 

Subject Access Requests:

If a data subject wishes to obtain copies of the data I hold on them, please send a Subject Access Request via this site's contact page. Under the GDPR, I have 30 days to respond to Subject Access Requests. Such requests will be assessed on a case-by-case basis.

There are certain exemptions granted to those processing data for the purpose of journalism, and for data held for archival purposes in the public interest. It may not be compulsory for me to divulge details of data held, or to edit, amend or delete them.

If you are a data subject and believe that I am holding data on you that I have no lawful basis for holding or processing, please get in touch using this website's contact page to specify the data in question and request their deletion. Similar exemptions may apply to those relating to Subject Access Requests. I will assess and respond within 30 days.

last updated: May 25th, 2018

google technorati

posted: 25/05/2018 | comments »

blog

The Taranis Mystery

February 5, 2014

The Taranis remotely piloted air vehicle, pictured during its flight test programme conducted in the last few months of 2013, at an undisclosed location. All photos on this page courtesy of BAE Systems

The British defence industry started to peel back the veil of secrecy from one of its most intriguing projects today - but what was said was overshadowed by what wasn't. Taranis is a remotely piloted air system designed to prove that British industry is capable of developing a high-tech combat aircraft that could be flown by remote control while exhibiting the sort of reduced visibility to radar that has hitherto been the preserve of expensive and advanced American (and, latterly, Chinese) airframes. The fact that the aircraft has flown successfully, and not only met but exceeded its creators' expectations in a series of tests conducted late last year, is a great news story for the British defence industry. That the programme should remain shrouded in an excessive blanket of classification means that it's a story that is frustratingly difficult to tell. ... more »

google technorati

posted: 05/02/2014 | comments »

blog

Happy New Year - Now Sod Off

January 2, 2014

Freelancing often feels like this. Highway 375, Nevada, 2006

A long-standing New Year's resolution of mine is to get at least three new clients. Between those whose magazines or websites close down entirely, those who have less space to fill or budgets to pay out, and those that decide to cut out freelance contributions and/or payments completely, there's always some attrition - and even if you just do one piece for a new client, it's a big help to know that you have another outlet you can turn to if the right idea happens along at the right time. So normally, come early January, I'm thinking about how to get new work: yet no sooner has 2013, easily the worst year in my entire career, bid its unlamented adieu, than I'm reading an email from someone I've worked for before, telling me I won't be doing so again. The reason? Because I'd had the temerity to ask for the money they owed me. ... more »

google technorati

posted: 02/01/2014 | comments »

blog

How to Make Sense of the U.K.'s F-35 Buy: Hire Better Sub Editors

September 15, 2013

Two F-35Bs during ship-board testing on the USS Wasp, August 2013. All photos on this page (c) Lockheed Martin, taken from this Flickr set.

Anyone who's taken even a cursory interest in Britain's procurement of the Joint Strike Fighter is likely to have had their head in a spin for the past few years. But one aspect of The World's Biggest Defense Program... Ever! (TM) has been gnawing away at me above all others. Finally, during the death throes of the 2013 edition of the huge bi-annual defence equipment exhibition/arms fair DSEI, I had my epiphany: in the space of one phone conversation, the mists cleared, and it all makes sense. Well, sense of the kind that prevails in the middle of the convoluted Venn diagram connecting the defence industry to government policy, and the requirements of all concerned to stay on-message at all times. ... more »

google technorati

posted: 15/09/2013 | comments »

blog

"If You Don't Know the History of the Author You Don't Know What You're Reading"

June 7, 2013

Click on the flyer for more info and tickets. Flyer used by permission of The Garage

I don't get that excited about gigs any more really - probably a consequence of middle age and so forth - but any chance to see the great KRS-ONE is something to savour (for my thoughts on previous gigs by him, please see here). And when a show by The Teacha is billed as a celebration of the 40th anniversary of hip hop, the lure is all that bit stronger. Coincidentally, I was recently going through some old interview tapes and found one with Kris from 2004, where I was speaking to him about the birth of hip hop and the culture's pre-record days. Some pieces from this conversation appeared in an oral-history feature I did for Mojo on the block-party era, but most of it hasn't been published before. Here's the complete transcript. ... more »

google technorati

posted: 07/06/2013 | comments »

blog

A Bit More Little Barrie

August 12, 2012

Virgil Howe, Barrie Cadogan, Lewis Wharton: photo courtesy of Greengab PR

My piece on Little Barrie in today's Sunday Times Culture section had to be cut to fit a smaller space than originally planned. Here's the full-length version: ... more »

google technorati

posted: 12/08/2012 | comments »

blog

In Search of the Radar Pioneers of WW2

May 23, 2012

A departure from normal service hereabouts, but a very worthwhile one, I hope you'll agree. I've just received an email from the Association of Royal Air Force Fighter Control Officers, who are asking folks with websites to publish the following text. It ought to be fairly self-explanatory. I don't imagine either of my regular readers were involved in running the Dowding System during the early 1940s (and, in the process, developing the basis of the Quick Reaction Alert system still in use to defend Britain from airborne attack today), but maybe someone you know knows someone who has a relative who might have been. My success rate with getting pieces on this site to "go viral" isn't quite at TMZ levels, but every little helps. And if anyone wants to re-post this on other sites, please go right ahead - the text below is copyright-free, as are the images, and I'm perfectly happy for this bit to get copied elsewhere too. Just this once, mind. Anyway, here's the appeal:... more »

google technorati

posted: 23/05/2012 | comments »



1 2 3 4 5 6 7 8 9 10 11 12 13 »

Recent articles

    follow me on Twitter

    Archive

    home

    about/contact

    features

    photo gallery

    reviews

    mailing list