Be clear about roles and responsibilities
You cannot apply the journalism exemption to the specific requirements in this section. However, if the criteria for the exemption are met, you no longer have to comply with the general principles for restricted transfers of personal information (see Apply the journalism exemption).
What does the legislation say?
What does controller, joint controller and processor mean?
Controller is a term used in the UK GDPR to describe the main decision-making body who has control over why and how personal information is used.
If two or more controllers jointly decide why and how the same personal information is used, they are joint controllers. If the information is being used for different purposes, they are not joint controllers.
Processors act on behalf of, and only on the instructions of, the relevant controller.
11.1 If acting as a joint controller, you must have an agreement with the other party or parties that sets out your respective responsibilities, particularly about transparency and individual rights. You must make this information available to people.
11.2 Whenever you use a processor, you must have a written contract with them. You must also make sure any processors you use give you sufficient guarantees that they will meet the UK GDPR’s requirements and protect people’s rights.
11.3 When sharing personal information or receiving it, you must comply with the data protection principles. In particular, you must:
- share personal information lawfully, fairly, and transparently (see Use personal information lawfully, Use personal information fairly and Use personal information transparently); and
- take reasonable steps to check it is accurate (see Use accurate personal information).
11.4 You must keep certain records whenever you share personal information and you must carry out a DPIA, if needed (see Demonstrate how you comply).
How do we comply?
11.5 If you are dealing with personal information and any third parties, you should decide whether they are a controller, joint controller, or a processor under the UK GDPR because this affects legal responsibilities.
11.6 To decide whether a third party is a controller, joint controller, or processor, you should consider the nature of the activities they are carrying out and how much control they have over why and how information is used.
11.7 For example, private investigators, freelance photographers, and freelance journalists are likely, in many cases, to be controllers because they are likely to have a significant degree of independence.
11.8 If you ask a third party to help you with a story and they are permitted to act only on your instructions, they are a processor, even if they make some technical decisions about how to use personal information.
Sharing personal data
11.9 You should consider our Data sharing code of practice to help you comply with the law and good practice when sharing personal information.
International data transfer rules and online publication
11.10 There are specific rules about making international data transfers. These do not apply to online publication, even if this makes information available outside the UK.
Reference notes
These reference notes support the Data protection and journalism code of practice (the code) but are not part of the statutory code itself.
11.9 Sharing personal information
A data sharing agreement with other parties may help you to make sure the details are clear, especially if you share personal information regularly or routinely, or if the sharing is planned in advance.
Data sharing agreements:
- set out the purposes of sharing personal information;
- cover what happens to the personal information at each stage;
- set standards; and
- help all parties to be clear about their roles and responsibilities.
Key legal provisions
UK GDPR articles 28 and 29 – requirements regarding processors
UK GDPR article 30 – requirements to record information about processors
UK GDPR article 32 – requirements to make sure that personal data is processed securely by processors