Data Protection & Privacy Policy
Version: 1.0 | Effective date: 01 March 2026 | Review cycle: Annual (or sooner if law/practice changes)
Approved by: Ben Griffin | Next review due: 01 March 2027
1. Purpose & Scope
This Data Protection & Privacy Policy (“Policy”) explains how King’s Lynn Youth News (“KLYN”, “we”, “us”, “our”) collects, uses, shares, and protects personal data. It covers all processing carried out across our activities as an online news platform and as a community organisation delivering outreach (including school visits and small-group sessions with young people).
This Policy applies to:
- Visitors to our website(s), apps, and social channels;
- Contributors, sources, interviewees, competition entrants, commenters, and subscribers;
- Young people, parents/carers, teachers and partner agencies engaged through outreach;
- Staff, freelance journalists, volunteers, trustees/board members, and suppliers;
- Any person about whom we process personal data in the UK.
2. Who We Are & How to Contact Us
Controller: King’s Lynn Youth News (KLYN) – Sole Trader.
Registered address: 53 Riversway, King's Lynn, Norfolk, PE30 2EE.
Data Protection Lead (DPL): Ben Griffin, Email: Ben@KLYouthNews.com Phone: 07587323009
We are the ‘controller’ for most processing defined in this Policy. Where we work with schools, youth organisations or other partners, we will agree roles (controller/processor or joint controllers) in a written data sharing or processing agreement.
3. Our Legal Framework
We operate under the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Privacy and Electronic Communications Regulations 2003 (“PECR”), as amended.
As a news publisher, we may rely on the ‘special purposes’ exemptions (journalism, academic, literary, or artistic purposes) under the DPA 2018 where necessary to reconcile freedom of expression and information with privacy rights. These exemptions are applied only where:
- Processing is undertaken with a view to the publication of journalistic material, and
- We reasonably believe publication would be in the public interest, having regard to the codes of practice and relevant circumstances, and
- Applying the exemption is necessary to reconcile privacy with freedom of expression.
Even where exemptions apply, we still take appropriate steps to ensure security, accuracy where reasonably possible, and responsible handling of personal data.
4. What Data We Collect
The types of personal data we process include:
- Identity data (name, pronouns, date of birth/age band, school, organisation).
- Contact data (email, phone, social-media handle, address/town).
- Engagement data (comments, messages, competition entries, survey responses).
- Editorial/source data (interviews, quotes, bylines, photos, audio/video recordings, background notes, metadata).
- Technical data (IP address, device identifiers, analytics, cookies—see our Cookie Policy).
- Account/subscription data (username, preferences, newsletter choices).
- Safeguarding and participation data (consent forms, attendance, risk assessments for sessions, parental/carer details).
- Supplier/contractor data (bank details for payments, contracts).
Special category data (e.g., health, racial or ethnic origin, religious beliefs, political opinions, sexual orientation, biometric data) may be processed where strictly necessary and lawful (see Section 6). Criminal convictions/offences data is handled only where permitted by UK law.
5. How We Collect Data
- Directly from you (e.g., forms, emails, interviews, outreach participation, competitions).
- Indirectly (e.g., referrals from schools/partners with a proper lawful basis and agreement).
- Public sources (e.g., official records, public social media posts, public events).
- Automated means (e.g., cookies/analytics, access logs).
6. Lawful Bases & Public Interest Tests
Depending on the purpose, we rely on one or more of the following lawful bases under Article 6 UK GDPR:
- Consent – e.g., optional newsletters, certain uses of images of children outside a news context.
- Contract – e.g., paying freelance contributors, subscription delivery.
- Legal obligation – e.g., safeguarding records, HMRC/finance requirements.
- Legitimate interests – e.g., running our website, editorial newsgathering, protecting our platform from abuse; we balance our interests against your rights.
For special category data (Article 9), we only process where a condition applies, such as:
- Explicit consent;
- Substantial public interest (Schedule 1 DPA 2018) including journalism and freedom of expression;
- Vital interests (e.g., serious risk of harm).
For children’s data, we take particular care to use data-minimisation, clear explanations, and age-appropriate notices. For online services relying on consent, the UK ‘age of digital consent’ is 13; for younger children we seek consent from a holder of parental responsibility, usually via schools or directly.
When claiming a journalism exemption, we apply a documented public interest test that considers the proportionality of intrusion, the contribution to a debate of public interest, and any potential harm.
7. Purposes of Processing
- Publishing: researching, verifying, producing and publishing news, features, photos, and multimedia.
- Community engagement: comments, submissions, competitions, surveys, newsletters.
- Outreach: planning and delivering school visits and small-group sessions (e.g., registers, consent, supervision, safeguarding and impact evaluation).
- Business operations: HR/volunteer management, commissioning, finance, audit, donor/sponsor relations, supplier management.
- Safety and security: moderating content, preventing fraud/abuse, legal claims/complaints handling.
- Technical: site performance, analytics and audience measurement (with PECR-compliant cookie choices).
8. Data Minimisation & Retention
We keep personal data no longer than necessary for the purposes for which it was collected, in line with journalistic archiving needs and legal requirements. See Appendix B for retention periods. Where possible, we anonymise or pseudonymise data. Editorial archives may be retained indefinitely for the integrity of the public record and our legitimate interests, subject to safeguards and takedown/complaint routes.
9. Data Sharing & International Transfers
We may share data with:
- Processors (e.g., hosting providers, email platforms, analytics, transcription services) under written contracts (Article 28).
- Partner organisations (e.g., schools, youth services) where a data-sharing agreement sets out roles, purposes, and safeguards.
- Regulators, law enforcement, or safeguarding agencies where required or permitted by law.
- Legal advisers and insurers for claims-handling and risk management.
If data is transferred outside the UK, we ensure an appropriate safeguard applies (e.g., adequacy regulations, UK International Data Transfer Agreement or Addendum, or Article 49 derogations where strictly necessary).
10. Children & Young People
We design our outreach and publishing with the best interests of the child in mind. We:
- Use clear, age-appropriate explanations and obtain consent where required;
- Work with schools/partners to ensure lawful sharing and safeguarding duties are met;
- Avoid unnecessary collection; minimise identifiers;
- Seek consent for non-news promotional uses of images/voice of minors;
- Apply risk assessments for sessions/events and follow safeguarding protocols.
11. Photography, Filming & Audio
For genuine journalism in the public interest, we may photograph/record individuals without consent in public places or where there is no reasonable expectation of privacy, subject to law and ethics. For outreach sessions, school activities, or promotional/marketing content, we will obtain consent as appropriate (from the child if 13+ for online services or from a parent/guardian/school as applicable). See Appendix C for detailed guidance.
12. Cookies, Analytics & Direct Marketing
We use cookies and similar technologies for core site functions, security, and (where you agree) analytics and personalisation. See our separate Cookie Policy for details and choices in line with PECR.
We will only send electronic direct marketing (e.g., newsletters) where we have consent or the ‘soft opt‑in’ applies, and you can opt out at any time.
13. Security
We implement technical and organisational measures appropriate to risk, including:
- Access controls, role‑based permissions, and multi‑factor authentication where feasible;
- Encryption in transit and at rest for sensitive systems;
- Secure device management and least‑privilege principles;
- Backups, patching, logging, and vulnerability management;
- Data protection training for staff/volunteers;
- Privacy-by-design, DPIAs for higher‑risk processing (e.g., children’s outreach, sensitive topics).
14. Your Rights
Your rights under UK GDPR include: access, rectification, erasure, restriction, objection, portability, and the right not to be subject to solely automated decisions with legal or similarly significant effects. Some rights may be limited where the journalism exemption applies and limitation is necessary to protect freedom of expression and information.
To exercise your rights, contact our Data Protection Lead using the details in Section 2. We will respond without undue delay and within one month, subject to legal exemptions.
15. Complaints
If you have concerns about our data practices, please contact us first. You also have the right to complain to the UK Information Commissioner’s Office (ICO): ico.org.uk | 0303 123 1113.
16. Data Breaches
We log, investigate, and remedy all suspected personal data breaches. Where required, we will notify the ICO within 72 hours and affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. See Appendix E for the breach log template.
17. Governance, Accountability & Training
We maintain records of processing activities (ROPAs), data sharing/processing agreements, DPIAs, training logs, and incident logs. The board/leadership receives regular updates on privacy risks and compliance. We review this Policy annually or following significant change.
18. Moderation, User‑Generated Content & Takedowns
We moderate comments and submissions under our House Rules. We may remove unlawful or harmful content. Requests to correct or take down allegedly unlawful/inaccurate material are assessed promptly with reference to journalistic standards and public interest, while preserving editorial independence.
19. Data Processors & Third Parties
We only use processors providing sufficient guarantees of technical and organisational measures. We conduct due diligence and include mandatory clauses (Article 28) and UK international transfer safeguards where relevant.
20. Changes to This Policy
We may update this Policy. The latest version will be posted on our website with the effective date. Substantial changes will be highlighted.
Appendix A – Lawful Basis & Exemptions Matrix
| Activity | Purpose | Lawful Basis (Art.6) | Special Category (Art.9) | Exemptions |
|---|---|---|---|---|
| Editorial newsgathering & publishing | Public-interest journalism | Legitimate interests; or consent where appropriate | Substantial public interest; or explicit consent | DPA 2018 journalism (‘special purposes’) where necessary |
| Reader accounts & newsletters | Provide service/updates | Contract or consent; soft opt-in where applicable | N/A | None |
| Comments & UGC moderation | Platform safety & quality | Legitimate interests | N/A | Possible journalism exemption for published material |
| Outreach registers & consent | Safeguarding, attendance, evaluation | Legitimate interests; legal obligation where applicable | Vital interests or explicit consent if needed | None |
| Photography/filming (outreach) | Promotion/records (non-news) | Consent (child 13+ or parent/guardian/school) | Explicit consent if special category | None |
| Suppliers & finance | Payment & audit | Contract; legal obligation | N/A | None |
Appendix B – Retention Schedule (Summary)
- Editorial archive (published content, source notes where lawfully retained): retained indefinitely where justified by public interest and archiving needs; periodic review.
- Outreach consent forms & registers: generally 3–6 years from event/program end (or until the child reaches 21 if incident recorded); check safeguarding/limitation periods.
- Safeguarding records: in line with statutory guidance and local thresholds (often significantly longer; follow safeguarding policy).
- Accounts & finance (invoices, payroll, contracts): 6 years (plus current) minimum for HMRC/audit.
- Supplier/processor contracts & DPIAs: life of contract + 6 years.
- Marketing lists: until you opt out or after 24 months of inactivity, whichever comes first.
- Website logs/analytics: 12–24 months (aggregated/anonymised thereafter).
Appendix C – Photography, Filming & Audio Guidelines
1. Journalism in public interest: prioritize public-interest test; avoid unnecessary intrusion; be sensitive with children and vulnerable persons.
2. Private/controlled settings (e.g., schools, outreach sessions): obtain appropriate consent in advance; offer opt-outs and no‑photo lanyards/stickers.
3. Captions & metadata: avoid publishing excessive personal data; consider pseudonyms where risk of harm exists.
4. Storage & access: secure storage; limit access; delete raw footage not needed.
5. Promotional use vs news use: treat promotional materials as marketing—consent required, distinct from journalism.
Appendix D – Template Data Sharing/Processing Clauses
- Define roles: joint controllers or controller–processor, with contacts.
- Specify purposes, lawful bases, and categories of data.
- Security measures, retention, and deletion/return of data.
- Mechanisms for responding to rights requests, breaches, and DPIAs.
- International transfers and sub‑processors (approval process).
Appendix E – Personal Data Breach Log Template
| Ref | Date/Time | Summary | Risk Level | Actions Taken | ICO/Subject Notified? |
|---|---|---|---|---|---|
| [auto] | [dd/mm/yyyy hh:mm] | [What happened; data types; volumes; data subjects] | [Low/Med/High] | [Containment; mitigation; remediation] | [Yes/No – when/who] |
Appendix F – Data Rights Request (DSAR) Intake Form
- Requester name and contact details:
- Data subject identity (if different) and authority to act:
- Right(s) you wish to exercise (access/rectify/erase/restrict/object/portability):
- Scope (date range, systems, keywords):
- Verification documents provided:
- Preferred delivery format:
- Deadline (one month from verification date):
This document is provided for general compliance purposes and must be tailored with KLYN’s specific details, systems, suppliers and local safeguarding thresholds. Consider independent legal advice for high‑risk processing.
