Corporate Information

Producers' Data Protection and Security Guidelines


Data Protection Guidelines

Producers’ Data Protection and Security Guidelines

1. Introduction

These guidelines set out recommended safeguards that all production companies should implement in order to best protect all Personal Data (including Sensitive Personal Data) and to ensure compliance with the Data Protection Act 1998 (‘DPA’). A copy of the DPA together with practice guidance notes can be found on the Information Commissioner’s website at: - Please also see the attached Production Crew Data Security Guidelines which set out practical advice and assistance for your production crews when dealing with living people’s personal data (including sensitive personal data) under the DPA.

The guidelines are designed to provide practical advice to assist in protecting the data of individuals and in turn protecting production companies from civil and/or criminal sanctions and reputational damage as the result of an unauthorised disclosure of personal or sensitive personal data under the DPA.

It is therefore important that all senior staff read these guidelines and that the necessary practical support and guidance is provided for all staff. It is recommended that one senior person within the company takes overall responsibility for data protection policy and practice for the company. Contact details of that senior person should be made available and accessible to all staff.

2. What is Personal Data?

Personal Data is data which relates to a living individual who can be identified from that data, or from that data in conjunction with other readily available information, e.g. any one or more of their name, address, telephone numbers, personal email addresses, date of birth, bank and pay roll details, next of kin, passport particulars, images etc. It can also include data such as IP addresses and data automatically collected when using computers and the internet.

3. What is Sensitive Personal Data?

Sensitive Personal Data is data that relates to an individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health matters, sexual orientation/life, alleged or actual criminal activity and criminal records. The processing of Sensitive Personal Data requires extra care and, except in limited circumstances, Sensitive Personal Data can usually only be collected and used with the express consent of the person to whom the data relates.

4. Notification to the Information Commissioner

If you make decisions about how Personal Data is processed and collected it is likely that your company will need to notify the Information Commissioner for listing on the Information Commissioner’s register. This is a legal requirement and failure to keep registered details up to date is a criminal offence. If you are processing Personal Data it can be safely assumed that this is something that you do need to do (if you haven’t already done so).

Please refer to

5. Collection of and access to Personal Data

You and the employees and freelancers working for you will have access to or will routinely acquire Personal Data from many sources and in many forms. For example, Personal Data can be obtained from past, current and future employees, contributors, suppliers and contractors.

Personal Data might be contained or provided in letters, correspondence, call logs, programme treatments, running orders, CVs, CCTV footage, contributor agreements or release forms, contributor application forms, call sheets, P-as-Cs, criminal record bureau checks, medical records, invoices, purchase orders, rushes with captions, bank statements, lists of employees, and employee references. The Personal Data may be in hard copy form e.g. original or copy paper document, photographs and film; or electronic form e.g. PC, lap top, mobile phone, blackberry or memory stick.

When proposing to collect Personal Data, care should be taken to limit the Data collected to what is actually and likely to be needed. For example, it is unlikely that you would need information regarding a contributor’s sexual history, unless it was relevant to the programme.

When you are collecting Personal Data from individuals, you should tell the individual why you are doing so, who you are and any additional information necessary if specific circumstances require it. The ICO guidance provides that you do not need to tell people what you are doing if the use is obvious, i.e. when having a released form signed with a description of the programmes, it is obvious to the reasonable person, why and how the information will be used, in such circumstances a written privacy notice is not necessary. A privacy notice is a statement that tells an individual who is collecting information and what it will be used for and details of any third parties the Personal Data is going to be shared with. Privacy notices take a number of forms, for example a notice on a website or a script read out over the telephone.

Where you are collecting confidential and/or Sensitive Personal Data, or are intending to use Personal Data in a way that is likely to be unexpected or objectionable to the individual, you must actively communicate your privacy notice i.e. take positive action to provide the privacy notice to the individual, for example, the policy could form part of the contract with the individual. Please read the ICO guidance for further information on privacy notices:

Please note when collecting children’s data through websites the ICO has provided guidance you should review:-

6. Policies & Personnel

All production companies must have in place an appropriate Data Protection or equivalent Security Policy that sets out how they manage Personal Data within the company and when making programmes. The policy should incorporate the eight principles contained in the DPA. This means that all companies must take prudent steps to ensure Personal Data is:‐

1) processed fairly and lawfully;

2) processed for specified and lawful purposes;

3) is adequate, relevant and not excessive in relation to the purposes for which it is being processed;

4) accurate and, where necessary, kept up-to-date;

5) not kept longer than is necessary;

6) processed in accordance with the rights of the data subjects under the DPA;

7) appropriate technical and organisational measures shall be taken against unlawful or unauthorised processing or personal data and against accidental loss, destruction or damage to personal data;

8) not transferred outside the European Economic Area unless that country has an adequate level ofprotection in respect of the processing of personal data.

Steps should be taken to alert and advise employees and workers of their obligations under the DPA and of your data protection and security policies and practices. The ICO website/telephone help line is established to assist you with all your data protection needs and queries, but you may also want to consider if it would be helpful for any individuals to attend a training session or course in order for them to help them understand your obligations under the DPA. The There are a number of organisations who can provide suitable training courses.

7. Exemptions

There are some limited exemptions under the DPA where the processing of Personal Data will be exempt from a number of the eight data protection principles (see paragraph 6 above). However, no exemption exists surrounding data security so it’s important that Personal Data is always protected against unlawful or unauthorised processing and against accidental loss, destruction or damage.

In certain circumstances where you are processing Personal Data with a view to publishing journalistic, literary or artistic material (‘the special purposes exemption’ under section 32 DPA) you will be exempt from certain provisions of the DPA provided that such publication would be in the public interest and if in all the circumstances compliance with certain provisions of the DPA would be incompatible with the special purposes.

Further guidance on the exemptions and how to apply them is available from the Information Commissioner or alternatively you should consult a lawyer.

[See also paragraph 14 below which deals with Subject Access Requests under the DPA]

8. Recommended practices for security of Personal data

The production company should regularly review how it stores all Personal Data including for those individuals whose Personal Data is collected during the course of making the programme, to assess whether the security measures in place can be improved. For example:

On premises security

• Can hard copies of production and other files be kept in locked cabinets and/or is there secure storage on or off the site?

• Do office computers and networks have sufficient information security measures in place? Are passwords restricted and regularly updated?

• Is access to computer files with Personal Data limited to those who actually require access, and are computers logged off overnight or locked if unused?

• Do office computers and networks have sufficient information security measures in place? Are passwords restricted and regularly updated?

• Are adequate measures in place for back-ups of Personal Data, to prevent accidental destruction?

• Is access to computer files with Personal Data limited to those who actually require access, and are computers logged off overnight or locked if unused?

• Do computer systems have adequate virus protections and firewalls etc., and is guidance given to staff about the necessary care to be taken when opening emails and attachments or visiting new websites?

• Are adequate measures in place for back‐ups of Personal Data, to prevent accidental destruction?

• Are computer screens/notice boards and white boards positioned away from windows/public view to prevent accidental disclosures of Personal Data? Are appropriate measures taken so that paper documents cannot be viewed by unauthorised visitors?

• Is access to the building controlled and are adequate and reasonable security measures in place? Are visitors adequately supervised or monitored near personal and other confidential information?

• Where CCTV is in operation is this in compliance with the CCTV code of practice provided by the Information Commissioners Office?

Off premises security

• Are computers, lap tops, computer discs, memory sticks etc allowed off the premises and, if so, is there suitable password protection in place and for Sensitive Personal Data and financial data (or other data such as children’s and major talent contact details) is there a high level of encryption for the relevant folder or for the computer/discs etc. as a whole, or other protection arranged? If the equipment was stolen would the Personal Data be protected?

• Has the ICO guidance that all portable media devices containing Personal Data should be encrypted to FIPS 140‐2 (cryptographic modules, software and hardware) and FIPS – 197 (or as otherwise suggested by the ICO from time to time) been properly adopted?

• Are work mobile devices password locked and/or coded?

• Where accessing broadband and a link is available, are suitable protections in place for accessing the information, i.e password protected/secure network?

• Is suitable guidance given to the protection, return and/or destruction of documents, memory sticks and/or dvds that need to be taken off the premises?

• Is there a system in place for tracking information where data is taken off site and returned?

• Are there adequate provisions for secure storage of production paperwork, call sheets, release forms, made available when off site to ensure documentation is not left lying around?

Information collection and disposal

• Is unnecessary copying of paper and electronic records for distribution being undertaken? Are staff aware that they should be careful not to leave copies of documents at the photocopier, scanner or fax machine?

• Are shredders and/or “security safe” recycling bins/boxes readily available for disposing of documents and papers potentially containing Personal Data, and are staff reminded to use them properly?

• Is the requisite care and attention taken when faxing Sensitive Personal Data so that only the intended recipient receives the information at the time of sending the information?

• Are employees and workers aware that even verbal disclosure of Personal Data can be in breach of the DPA and are they aware of when it is appropriate to disclose?

• Where you receive a request for information from the police you are not compelled to provide the information. However, you may choose to provide the information if a senior member of your company is satisfied that you have complied with the following guidelines: 29_gpn_v1.pdf.

Where an application for information is related to programme material or rushes you should consult with your commissioning broadcaster before any disclosure takes place as there may be legitimate legal and editorial grounds for resisting disclosure.

• On closedown of a production senior staff should review what personal data records can be legitimately retained or destroyed.

• Are computers, disks and memory sticks properly “wiped” before being re‐used or sold?

• Consideration should be given to the legitimacy of keeping records. For example records of quiz show applicants who are not in the final programme should be destroyed unless they have given permission for the records to be kept for future series or other shows or there is another legitimate business or legal reason to retain them, (e.g. they had an accident at the audition and it is required for health and safety reasons), but the records of an actor who doesn’t make the final cut may still need to be held for a limited time for e.g. auditing purposes.

• When staff leave your employment are they reminded or obliged to leave behind and /or delete all confidential and/or Personal Data?

9. What if I am engaging a third party to handle Personal Data for the Programme?

If you are using a third party or a sub contractor who is a Data Processor to handle, process or dispose of Personal Data or confidential information on your behalf you must ensure that they undertake to abide by the DPA. You will need to ensure there is a written contract in place setting out as a minimum that the Data Processor can only act on instructions from you (as Data Controller) and that they have to ensure appropriate security measures are taken against loss, damage to or unauthorised processing of Personal Data. Where a Data Processor is processing Personal Data that if lost may cause harm for a production, it will generally be appropriate to (i) expressly provide in your contact with them that they must comply with these guidelines (as applicable) and (ii) include provision in the contract for you to be able to inspect and/or monitor their compliance where practical and necessary.

10. Can I use the Personal Data for our other projects or for marketing?

You must only use Personal Data for the limited purposes for which it was collected or given to you. For example, it may be that the Personal Data was only provided by a contributor for the purposes of a particular Programme and not for any other use. This means that you must not sell, distribute or provide this Personal Data in any other form to any third party, except where this is necessary to produce and exploit the Programme.

However if you obtain consent from the person to contact them in the future to be involved in other programmes, or to receive marketing information, or to contact employees for opportunities for work etc then you are permitted to do so. Where you want to provide individuals with electronic marketing messages (e.g. SMS or email marketing), except in limited circumstances their express consent is required. This can be agreed when the contributor signs the form or when contracting with an employee or worker.

The ICO guidance on electronic marketing can be found at: _part_1_for_marketers_v3.1_081007.pdf

11. What if you become aware of a loss of security or an unauthorised disclosure?

If you become aware of a breach of the guidelines, you should alert your line manager and the senior member of your staff responsible for DP matters immediately, because prompt action is required.

You should also take immediate action to identify the potential harm to the person(s) concerned.

Please read the ICO guidance at: -, and take action accordingly.

If the breach relates to programme material e.g. it relates to contributors, contestants or talent you should also alert your commissioning broadcaster and take any further appropriate action that may be advisable.

12. What are the penalties for unauthorised disclosure?

The Information Commissioner’s Office (‘the ICO’) enforces all breaches of the DPA. The ICO can impose sanctions (including criminal sanctions) against companies found to be in breach. The ICO now has the power to fine organisations up to £500,000 for a serious breach of the DPA.

13. Reputational damage

In addition to the statutory sanctions that the ICO can impose on a company there is the reputational damage that a company or broadcaster can suffer. This can be compounded where talent is involved. Press criticism directed at a production company, talent and broadcaster can be highly damaging. In addition contributors are less likely to want to disclose Personal Data to a production company if they believe that their Personal Data will not be kept securely.

14. Subject Access Requests under the DPA

You should also be aware of your obligations under the DPA in the event you receive a subject access request. Under the DPA individuals can ask to see information which is held about them by you on computer and in certain paper records. Such a request needs to be made in writing with the relevant fee as prescribed for under the DPA (£10 as at Feb. 10). The request should include information to help you find the relevant information and most importantly the request enables you to satisfy yourself as to their identity of the person and that they are authorised to receive the information.

You should seek to respond to a request as soon as possible but no later than within 40 days after the necessary fee has been paid. Please read the Data Protection Good Practice Note Checklist for handling requests for Personal Data (subject access requests) at the ICO website: -‐88DE‐48F7‐AC39‐ 71320195002D

There are a number of exemptions to a subject access request, for example legal professional privilege, negotiations with the data subject if likely to prejudice such negotiations, management forecasting or planning if disclosure would prejudice the conduct of the business, and confidential references. In particular you should remember that you may be exempt from providing data associated with programme‐making (including rushes) under ‘the special purposes exemption’ in accordance with s32 of the DPA – see paragraph 7 above.

Where the request relates to programme material including rushes, you should consult with your commissioning broadcaster before making any disclosure as there may be legitimate legal and editorial grounds for resisting disclosure.

Further guidance on the exemptions and how to apply them is available from the Information Commissioner.

15. Additional guidance and information

For additional guidance and information, please refer to the Office of the Information Commissioner at

Demand 5

A significant proportion of Channel 5's schedule is now available to view on demand.  Catch up on your favourite shows here.


Go to Demand 5


Careers at Channel 5

Come and work for us. You'll discover exciting challenges and people passionate about TV.


The Channel 5 Family

  • Channel 5
  • 5 USA
  • 5 star
  • Demand_5
  • Channel 5+24

Our Websites

  • Channel 5
  • Milkshake!
  • The Gadget Show
  • 5 Prizes