This website uses cookies

Read our Privacy policy and Terms of use for more information.

BLOCKCZ3 · COURSE ZERO
TOPICLEGAL FRAMEWORK · UK GDPR · DEFENSIBLE COLLECTION
TOOLSICO GUIDE · DPA 2018 · COLLECTION LOG · BALANCING TEST
DIFFICULTYFOUNDATIONAL

01

OSINT collection is processing under data protection law the moment it begins

The moment you collect information about an identifiable living person, UK GDPR applies. This tutorial gives you the decision framework for naming a lawful basis before collection begins, applying the journalism exemption correctly, and producing a defensible record that holds up to ICO scrutiny and editorial legal review.

OSINT practitioners operate under data protection law the moment they collect information about an identifiable living person. Under UK GDPR, that collection is lawful only if it has a named basis in Article 6. For journalism and public-interest investigation, the relevant basis is almost always legitimate interests under Article 6(1)(f), qualified by the journalism exemption in Schedule 2 Part 5 of the Data Protection Act 2018. The exemption is conditional, not absolute, and it protects processing for publication, not processing for private use.

Defensible collection means three things: you can name the lawful basis before you start; the scope of what you collect is proportionate to the investigative question; and you can explain, after the fact, why each piece of collected data was necessary. Investigators who cannot do this face enforcement risk from the ICO, civil claims from subjects, and editorial rejection from publications whose legal teams will not run the story without a clean record. This tutorial walks one investigation type end to end, investigating a named individual suspected of corporate wrongdoing, and produces the decision flowchart you can apply the same way every time.

Learning outcomes

By the end of this tutorial you will be able to:

  • Name the correct Article 6 UK GDPR lawful basis for OSINT collection before any processing begins

  • Apply the three-part legitimate interests balancing test in writing and record it to a defensible standard

  • Identify which GDPR provisions the journalism exemption disapplies, and under what conditions

  • Produce a collection log that documents scope, basis, exclusions and stop condition for a single investigation

  • Recognise when collection has become disproportionate and apply the stop condition

Subscribe to keep reading

This content is free, but you must be subscribed to Signal & Shadow to continue reading.

I consent to receive newsletters via email. Terms of use and Privacy policy.

Already a subscriber?Sign in.Not now

Reply

Avatar

or to participate

Keep Reading

© 2026 Signal & Shadow. All rights reserved..
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv