
Data Protection Policy

As a freelance journalist, I collect, store and process personal data belonging to many different data subjects. This policy describes the different data types, how and why they are collected and processed, gives an outline of the steps taken to secure them, and gives information on how to submit Subject Access Requests and other related communications. I believe it is compliant with the EU's General Data Protection Regulation (GDPR), the full text of which is available at this link.

This policy is relatively lengthy because I want it to be comprehensive, but I have tried to use plain language to make it easy to understand. If there are any queries arising, please use this website's contact page to get in touch, and I will do my best to answer.


Types of personal data collected, stored and processed:

Data collected generally fall under four different headings:

1 - email/digital, phone and physical contact details
Collection usually occurs when the subject contacts me, or when they have given me their email or other contact details (for example, by handing over a business card when meeting in person, or when that information has been published online or made available during a conference presentation: these data will be considered under GDPR as data that have manifestly been made public). Very occasionally, contact information may be passed on to me by a third party, but usually this is only where that information is similarly widely available (for example, contact information for a PR professional which may be given to me by a fellow journalist or by another PR person).

2 - further personal data included in emails received
If and when correspondence takes place, the data subject may include further personally identifiable information beyond contact details.

3 - personal data included in interviews I conduct
The purpose of my business is to research and write articles for a range of different publications. The primary means by which I obtain information for these articles is through interviews with people who have expert knowledge of the subject. These interviews are recorded, usually to a digital audio device, and are stored in an audio file format; after recording, I make a manual transcription of the interview, using a piece of software that speeds up the process, and I then output the finished transcript as a word-processor document. Each interview is therefore stored in three different digital formats. The file names will usually include the interviewee's name, and often their company or business affiliation. The interview itself may contain further personally identifiable information.

4 - financial information (bank account details, etc.)
These data are only collected from clients, to enable them to pay me; or from suppliers, to enable me to pay them.

This website collects no data on any site visitors, except for that provided via the contact page: use of this page generates an email to me which is stored and processed in the same way as all other incoming emails.

This website does not use cookies, does not carry advertising or any other third-party content which may include cookies or other data-collection technologies, and does not knowingly track site visitors for any purpose.

For some years, this website offered the option for visitors to submit email addresses if they wished to be sent email alerts when new articles were published. This service has been discontinued and the email addresses submitted for this purpose have been deleted.


Data processing and retention:

Article 6 of the GDPR outlines six bases on which the processing of personal data can be considered lawful. The basis on which this policy primarily operates is that outlined in Article 6, paragraph 1, subheading (e) - processing is necessary for the performance of a task carried out in the public interest. However, several other bases also apply to some categories of data. These are noted below. I do not rely on consent as a basis for lawful processing.

Personal data in the categories described above are stored indefinitely. The reasons for this are as follows.
  
Contact details are kept because it is the nature of my business to need to contact people at some indeterminate point in the future, when and if further information may be made known to me that could lead to a new article being written. Sometimes a follow-up story may be commissioned where I need to contact sources for updates. Deleting contact data after a given period may therefore prevent me from writing accurate and up-to-date articles. Many of my business contacts are in the PR industry and I will work with them on different stories on different occasions - I need to retain their contact details so I can approach them to help with other stories in the future.

Emails (both received and sent) are kept because, usually, email is the means of establishing contractual agreements with clients (such as confirming details of the brief for an article I supply, the terms under which it will be provided and my work licensed, the deadline, word count, fee, and other necessary details), so it is necessary for me to retain those mails in order for me to be able to verify - and, if necessary, prove - such key issues as ownership status of the work I do, payment timescales, license terms, payment rates, etc. This means that processing of these data may additionally be covered by the legal basis cited in Article 6, paragraph 1, sub-heading (b).

On many occasions, email is the only means by which I have contact with a person or company, and by which they update me with changes to their contact and other details: therefore my archive of emails has become my main contact-information database. Identifying other personal data in emails and deleting only the mails that contain those additional details would have to be done manually, by reading and reviewing the contents of every email sent and received, which would be impractical (and indeed perhaps impossible) for a sole-trader business. If anyone wishes to request deletion of specific emails, please get in touch via this site's "contact" page and give details of the email(s) in question, including the date sent (if the full date is unknown, please at least give the month and year).

Interview recordings and transcripts are kept for three reasons.
- Firstly, in case a legal objection arises to an article I have written or a query is raised over copyright, I need to keep accurate records of interviews in order to be able to prove that my reporting is accurate and to prove the copyright status of the work I produce. While there is a time limit on libel actions, in certain jurisdictions this limit starts not from the date of initial publication but the date on which an online version of the article is first accessed by the complainant; also, my work is occasionally re-sold through syndication agencies so an old article could be republished at some point in the future and that new publication would re-set the clock on potential libel action. Copyright exists for the life of the author plus 70 years, so retention for this purpose is necessary beyond my lifetime. This is covered by the lawful processing basis outlined in the GDPR's Article 6, paragraph 1, subheading (c).
- Secondly, and particularly in the case of my writing about music, there may be commercial interest in archive interview material to which I own the copyright, and writing articles based on archive material is a significant source of business to me. This processing is, I believe, lawful under Article 6, paragraph 1, subheading (f), in addition to those in subheading (e). Article 89 of the GDPR, which covers processing for archival purposes in the public interest, may also apply to this processing.
- Thirdly, my archive of past interviews is routinely used by me as research for new articles. I often end up conducting further interviews with the same interviewees, or on the same topics with other interviewees, and retaining access to previously obtained material ensures that new interviews are as well-informed as possible, resulting in better and more accurate understanding and reporting of the subject.

If and when guidance is issued by the Information Commissioner's Office which contradicts my understanding of the lawful bases for my processing and retention of these data, or if case law refines or alters this understanding, I will update this policy and my processes accordingly. 

Financial details are kept to enable me to be paid by clients, and for me to be able to pay suppliers.

Data sharing:

Apart from where required by the publishing process, or to comply with my legal and/or regulatory obligations, or to facilitate payments to and from my business, no personal data are sold, shared, divulged or passed on to any third party without express and specific permission of the data subject.

The publishing process involves me submitting personally identifiable information on interviewees to editors and publishing companies. Usually, the only information shared with them will be those details included in the final draft of the article to be published. Very occasionally, fact-checkers or sub-editors may request corroboration of information contained within the articles I produce, and, if necessary, I may supply them with contact details of a PR person or other intermediary in order to obtain that confirmation. Designers at magazines and websites sometimes request PR contact details to source photographs and other imagery to accompany the articles I produce. Since PR professionals are in business to manage the public profiles of their clients through interaction with media professionals, and because contact details for them are usually made public through websites, business cards, industry-wide mailouts, and other methods, I generally do not check with those PR people before passing on their contact details to anyone else involved in the publishing process. If any PR professional objects to this, please let me know, and I will ensure such information is never shared without specific permission.

Since I first began working as a journalist in the late 1980s, I have never been asked by an editor or publisher to share direct contact details for an interviewee or source. If I am ever asked to do this I will refuse.

I will never divulge the identity of any interviewee or source who has requested anonymity. When working with anonymous interviewees I will usually seek to establish a certain baseline of information I am able to publish, to give the reader some means of understanding what weight and authority to assign to the material (eg saying that the information came from "an industry insider" or "a source familiar with the matter"). If an editor requires some additional information before publishing work written by me that is based on interviews with anonymous sources, I will only confirm the level of detail agreed at the time of the interview with the interviewee, and will not divulge any additional details that could lead to a third party being able to derive the identity of the individual.

Financial details are shared with my bank and other financial-services providers solely for the purposes of paying bills and receiving payments from clients. These data are not used for any other purpose, and will never be shared with any other entity than those involved in the monetary transaction for which they have been supplied.

Data security:

All data are stored securely, using appropriate and up-to-date technologies. I do not disclose the precise details of my security arrangements. An outline of my data-security processes is as follows.

I do not use any cloud-computing services to store any data (though sometimes data are transferred to me via services such as Dropbox: this will be at the sender's choice, and responsibility for uploading them to their chosen service, and deleting them thereafter, is theirs and not mine). All data are stored by me, on devices I own. This limits the number of possible connections to my digital data and therefore reduces the exposure of those data to the risk of unauthorised access. Risk is minimised further by removing older data from devices connected to the internet wherever practical and possible.

Emails, interview recordings and transcripts, and financial data are stored on a desktop computer that is connected to the internet most of the time it is in use. The desktop computer's hard drive is encrypted and protected by a strong password, a firewall is in use, the internet connection goes through a Virtual Private Network to anonymise and encrypt data in transit, and a regularly updated anti-malware system is installed and operating at all times.

Emails, interview recordings and transcripts are additionally stored on an encrypted, password-protected device used as an on-site backup. This device is never connected to the internet, and backups are only made when the computer is offline. A second such device is stored at a remote location: it too is never connected to the internet, and information is backed up to it only when the computer it is backing up is offline. Strong locks and insurance-compliant physical security measures are in place where the desktop computer is stored. Off-site backups are stored in a location with significantly higher levels of physical security.

Data are also stored on a laptop computer. Data held on this device are deleted from it after the project they are being used for is no longer currently active. The laptop is encrypted and password-protected, so that, in the event of the laptop being lost or stolen, the chances of a third party being able to access any of the data stored on it are as low as I can possibly make them.

Until I download emails to my desktop computer, those emails are stored on servers either owned or managed by my email service provider. That service provider has assured me that their data-security processes are compliant with GDPR and that data are stored on servers physically located within the UK. To limit the risk of unauthorised access to my email account, two-factor authentication is required to access it.

Email addresses and other contact information for work projects may additionally be stored in an electronic address book within my email account, hosted by my email service provider, so that I have access to contact details while away from my office. I believe this offers a higher level of security than storing those data on my laptop computer, or by writing them into a physical address book. These data are protected by my service provider's digital security systems, and can only be accessed via the email account's two-factor authentication system.

A limited amount of data - names and telephone numbers - is stored on my mobile phone. The phone is not a smartphone and these data cannot be accessed by anyone who is not in possession of the device. 

Subject Access Requests:

If a data subject wishes to obtain copies of the data I hold on them, please send a Subject Access Request via this site's contact page. Under the GDPR, I have 30 days to respond to Subject Access Requests. Such requests will be assessed on a case-by-case basis.

There are certain exemptions granted to those processing data for the purpose of journalism, and for data held for archival purposes in the public interest. It may not be compulsory for me to divulge details of data held, or to edit, amend or delete them.

If you are a data subject and believe that I am holding data on you that I have no lawful basis for holding or processing, please get in touch using this website's contact page to specify the data in question and request their deletion. Exemptions similar to those relating to Subject Access Requests may apply. I will assess and respond within 30 days.

last updated: May 25th, 2018





Comments


Comments will be subject to approval and should not be defamatory, obscene, racist, in breach of copyright, or contrary to law. Neither Angus Batey nor the site host is responsible for any views expressed here.
