Skip to main content
Craft13 June 2026• 10 min read

Managing Sources Over Time: A Guide for UK Journalists

A source is not a contact list entry — it is a relationship that must be built, maintained, and handled with care over months and years. The journalists who break the most important stories are rarely those with the most contacts but those who have maintained the deepest trust with the right people. This guide covers the long-term management of source relationships in the context of UK law, ethics, and digital security.

8 min read

Last reviewed: Next review due:

Quick answer

The NUJ Code of Conduct (Clause 7) obliges journalists to protect the identity of confidential sources. UK law provides some protection for source material under the Contempt of Court Act 1981 and Police and Criminal Evidence Act 1984 (PACE), but this protection is not absolute and can be overridden by court order. Good source management involves keeping accurate records of what was agreed off the record, using encrypted communications where risk warrants it, and having a clear protocol for what happens to source relationships when a journalist leaves a beat or employer.

This guide is for experienced journalists on specialist beats — crime, politics, business, health, defence — where source networks take years to build and represent significant professional assets. It is also relevant to investigative reporters and editors who manage teams with access to sensitive sources.

Why Long-Term Source Management Matters

Most of the significant exclusive stories that UK journalism produces come not from a single tip but from accumulated trust built over years. A police source who trusts a reporter will call them when something important happens; a Whitehall official who has been treated fairly will make contact when a policy decision is about to be announced. These relationships are not transactional — they depend on the source feeling that the journalist is reliable, discreet, and genuinely interested in their world.

The mechanics of maintaining these relationships over time are rarely taught in journalism schools. They involve regular contact even when no story is imminent, reciprocal value (information, introductions, context), careful management of what has and has not been agreed, and a clear understanding of the legal and ethical obligations that govern what happens when a source's identity might be revealed.

Source CRM: What to Record and How

Experienced beat journalists maintain some form of source management system — even if informal — to track relationships over time. For reporters covering sensitive areas where source protection is a real concern, this system must be kept securely and should record no more than is necessary. The principle of data minimisation that applies under UK GDPR (which continues in force as UK GDPR post-Brexit) is a useful guide: record only what you need, protect what you record.

A workable source CRM for most journalists is simple: a note of how you know each source, what they are useful for, when you last contacted them, what was agreed about the basis of any previous conversations, and a reminder to follow up. The tool does not matter — a spreadsheet, a notes app, or a dedicated contact manager — but the security of whatever you use does. A plaintext spreadsheet of confidential sources on a shared company drive is not acceptable.

  • Minimise identifiable data: Use pseudonyms or descriptors rather than full names where sources are sensitive. Store contact details separately from notes about their role or information provided.
  • Encrypt storage: Use encrypted local storage or an end-to-end encrypted notes application. Avoid cloud services where the provider has access to your unencrypted data if sources are sensitive.
  • Keep records separate from story notes: Your source CRM should not be mixed with story notes that could be subject to disclosure in legal proceedings. Treat them as separate systems.
  • Review and purge regularly: Sources who are no longer active, no longer in relevant roles, or who have explicitly asked to be removed from your records should be deleted. Old data is a liability, not an asset.

Off-the-Record Records: Tracking Agreements

The UK journalism convention has no single definition of “off the record.” Different journalists, editors, and sources use the term to mean different things — from “you can use this information but not attribute it” to “this conversation never happened.” Disputes about what was agreed when are one of the most common and damaging sources of conflict between journalists and sources.

Good source management requires that every significant conversation where the basis is not fully on the record is recorded contemporaneously. You should note, immediately after (or during, where possible) the conversation:

  • The exact terms that were agreed: “on background,” “not for attribution,” “off the record,” or “unattributable”
  • Who proposed those terms (you or the source) and whether they were agreed before or after information was provided
  • What you agreed to do with the information (use it to develop other leads, publish without attribution, not publish at all)
  • Whether the source agreed that you could seek corroboration from other sources

Key tip: The standard UK convention is that “off the record” must be agreed before information is provided. A source cannot give you information and then retrospectively declare it off the record. If a source attempts this, you must decide how to proceed carefully — publishing may damage the relationship and your reputation for trustworthiness; not publishing may mean abandoning a valid story. Seek editorial guidance before making this call unilaterally.

NUJ Code Clause 7: The Protection Obligation

Clause 7 of the NUJ Code of Conduct states that a journalist “protects the identity of sources who supply information in confidence and material gathered in the course of her/his work.” This is not merely an aspiration: it is a professional obligation that the NUJ takes seriously and that courts have recognised in the context of source protection applications.

The obligation has practical consequences. A journalist who reveals a source's identity without consent — even to a colleague, even under pressure from an employer — is in breach of the NUJ Code and potentially in breach of any contractual obligations to the source. The obligation to protect a source does not dissolve when you change jobs, move beat, or leave journalism. It continues indefinitely unless the source explicitly releases you from it.

The NUJ provides legal support to members facing court orders to disclose sources. If you receive such an order, contact the NUJ immediately. Do not simply comply without seeking advice: the legal framework provides defences that may protect you, and premature compliance may constitute a breach of your professional obligations.

UK law provides partial protection for journalistic source material, but that protection is qualified and can be overridden where a court determines that the interests of justice, national security, or the prevention of disorder or crime outweigh the journalist's interest in protecting their source.

  • Contempt of Court Act 1981, Section 10: Provides that no court may require a person to disclose a journalistic source unless it is established that disclosure is necessary in the interests of justice, national security, or the prevention of disorder or crime. This is a qualified protection, not an absolute one. Courts have ordered disclosure in cases including Secretary of State for Defence v Guardian Newspapers and Interbrew SA v Financial Times.
  • Police and Criminal Evidence Act 1984 (PACE), Schedule 1: Journalistic material is classified as “excluded material” under PACE, meaning police cannot obtain a production order for it without satisfying specific conditions before a circuit judge. However, this protection applies to physical material (notes, recordings) rather than to compelled testimony about sources.
  • Investigatory Powers Act 2016: Police and intelligence agencies may apply for a warrant to access journalists' communications data (call records, email metadata) under the Investigatory Powers Act. The Judicial Commissioner must specifically consider the public interest in protecting journalistic sources before authorising such a warrant. However, this protection is procedural rather than absolute: warrants have been granted.

The practical implication is that no source should be promised absolute protection from legal compulsion. You should promise to protect them to the best of your ability and to resist any order to disclose, but you cannot truthfully promise that no court will ever compel disclosure. Be honest with sources about this limitation, particularly those facing significant personal risk if identified.

Encrypted Communications: Choosing the Right Tools

For sources who face significant risk if identified — whistleblowers, public officials, people in hostile environments — the choice of communication channel is as important as the legal and ethical framework. Standard email, SMS, and phone calls are not secure against lawful interception or compelled disclosure from service providers. Journalists covering national security, organised crime, or corporate wrongdoing should offer sources secure communication options.

  • Signal: End-to-end encrypted messaging with disappearing messages. The Freedom of the Press Foundation and the Electronic Frontier Foundation both recommend Signal as the standard for journalist-source communications. Enable disappearing messages for sensitive exchanges.
  • SecureDrop: An open-source whistleblower submission system used by major news organisations. If your outlet runs SecureDrop, direct sensitive sources there rather than to your personal email or phone. Sources can submit documents anonymously through the Tor network.
  • ProtonMail: End-to-end encrypted email where both parties use ProtonMail accounts. Less secure than Signal (metadata is not always protected) but more familiar than SecureDrop for less technically sophisticated sources.
  • Avoid WhatsApp for sensitive sources: WhatsApp is owned by Meta and its metadata (who you communicated with and when) is not end-to-end encrypted. It is also backed up to cloud services by default, which may not be adequately secured.

The Freedom of the Press Foundation's Security Training for Journalists and the EFF's Surveillance Self-Defence guide provide detailed, up-to-date advice on digital security that goes beyond what this article can cover. Both are freely available online and should be consulted before handling communications with high-risk sources.

Source Handover When Leaving a Beat or Employer

One of the least-discussed ethical questions in source management is what happens when you leave a beat or employer. Your source relationships were built on trust in you personally, not in your employer. A source who spoke to you confidentially may not wish to be passed to a colleague or successor, and you cannot transfer that relationship without consent.

Before leaving a beat, consider the following:

  • Contact sources you have ongoing relationships with and let them know you are leaving. Give them the option of whether they wish to be introduced to your successor or to make their own decisions about future contacts.
  • Do not provide a successor journalist with contact details or background notes about a source without the source's explicit consent. The information about a source's role, views, and relationship with you is confidential, not merely the information they provided.
  • Delete or securely archive your source records when leaving an employer, in accordance with your obligations under UK GDPR and any employment contract provisions about data. Do not simply leave personal contact details on a work device.
  • Your obligation to protect a source's identity continues after you leave. Do not discuss former sources with colleagues at your new employer without the source's consent.

Source-Rotation Hygiene: Keeping Networks Fresh

Source networks become stale if they are not actively maintained and periodically refreshed. A beat journalist who relies on the same five sources year after year risks both a narrowing of perspective (their view of the beat is filtered through those five people's interests and blind spots) and a gradual capture by those sources (as relationships deepen, the implicit cost of publishing something damaging to a source rises).

Good source hygiene involves:

  • Regular review of who you talk to: At the start of each year, audit your source contacts. Who have you spoken to in the past six months? Who are you missing? Are there perspectives on your beat that are not represented in your current network?
  • Deliberately cultivating new sources: Every conference, committee hearing, court appearance, or public meeting is an opportunity to introduce yourself to people you have not previously spoken to. New entrants to your beat — newly elected officials, new executives, new union reps — should be added to your network early.
  • Maintaining distance on important relationships: When a source becomes so important that you would not publish something damaging to them even if you believed it to be true, the relationship has become a liability. This is source capture. The NUJ Code and basic editorial ethics require you to maintain independence from sources, however valuable they are.
  • Distinguishing sources from contacts: A contact provides on-the-record information and is comfortable being quoted. A source provides background, off-the-record information, or tips that lead to other sources. Not every contact needs to be a confidential source, and treating everyone as a source creates unnecessary complexity.

Whistleblower Protections and PIDA 1998

Many of the most significant sources a journalist manages over time are whistleblowers — employees or former employees disclosing wrongdoing within their organisation. The Public Interest Disclosure Act 1998 (PIDA), which amended the Employment Rights Act 1996, provides employment protection for workers who make a “qualifying disclosure” through defined channels, protecting them from dismissal or detriment as a result.

Critically for journalists, PIDA's protection for disclosures made directly to the media (rather than to a regulator, employer, or legal adviser) is significantly narrower and harder to satisfy than disclosures made through other routes. A worker who goes straight to a journalist without first raising the matter internally or with a prescribed regulator may not be protected under the Act, even if their underlying disclosure concerns genuine wrongdoing.

  • Advise, do not guarantee: Journalists are not qualified to give legal advice on employment protection, but you should be aware of PIDA's existence and, where a source's employment security is a serious concern, suggest they seek independent legal advice (for example, from Protect, the whistleblowing charity) before speaking to you.
  • Understand the disclosure route matters: A source who has already raised concerns with a regulator or through an internal whistleblowing procedure and been ignored is in a materially stronger legal position than one who has not. This is useful context when assessing how much personal risk a source is taking.
  • Protect (the whistleblowing charity): Protect operates a free, confidential advice line for whistleblowers and can advise sources on their legal position before they speak to you. Signposting a nervous source to Protect can be more valuable than any reassurance you can offer directly.

Institutional Memory: Team and Newsroom Source Management

Source management is not purely an individual discipline. Newsrooms that cover the same beats over many years accumulate institutional knowledge about sources — who is reliable, who has an axe to grind, who has previously misled a reporter — that outlasts any single journalist's tenure. Building structures to preserve this institutional memory, without compromising individual source confidentiality, is a genuine editorial management challenge.

  • Editor-level awareness without source identification: An editor can usefully know that “a source in this organisation has previously provided reliable information” without knowing that source's identity. This preserves institutional judgement about source reliability while respecting the reporter's confidentiality obligation.
  • Beat handover protocols: Newsrooms with formal beat handover protocols, distinct from ad hoc individual practice, produce more consistent source management across staff changes and reduce the risk of a valuable source relationship being lost entirely when a reporter moves on.
  • Legal risk registers: Larger newsrooms sometimes maintain a register of ongoing legal risks tied to specific sources or stories (without necessarily identifying the source by name), allowing the legal team to advise consistently even as the individual journalists handling a story change over time.

Practical Checklist

Use these as a recurring review for your source management practices:

Common Mistakes

  • Storing confidential source information on unsecured cloud services: Notes about confidential sources stored in an unencrypted cloud app that the provider can access are not adequately protected. If a device is seized or a provider receives a legal order, this data may be disclosed.
  • Treating retrospective off-the-record claims as binding: Information provided before off-the-record terms were agreed is not automatically subject to those terms. Document when terms were agreed relative to when information was given.
  • Passing source details to successors without consent: Handing over your source contacts as part of a beat handover without each source's explicit consent is a breach of confidence and potentially of GDPR data protection obligations.
  • Promising sources they can never be identified: Legal compulsion exists. Be honest with sources about the limits of what you can promise while still committing to protect them to the maximum extent of the law.
  • Relying on the same sources for too long: Source capture happens gradually. If you cannot remember the last time you published something that significantly displeased one of your main sources, that is a warning sign.
  • Encouraging a whistleblower to go straight to publication without understanding PIDA: A source who has not raised concerns internally or with a regulator first may be in a weaker legal position than they realise; make sure they understand this before deciding how to proceed.

Red Flags

  • A source who provides information only in return for the journalist's agreement to suppress other information
  • Source contact details stored in plaintext on shared work drives or personal email accounts not secured with two-factor authentication
  • A journalist who has not published anything critical of any of their main sources in over a year
  • An employer who attempts to retain source contact details after a journalist leaves (without the sources' consent)
  • A source who has been promised absolute protection and who is taking significant personal risk in reliance on that promise
  • A beat in which all main sources come from a single institution or perspective, with no sources from opposing or independent viewpoints

Jurisdiction note: The Contempt of Court Act 1981 and PACE apply across England and Wales. In Scotland, source protection is governed by the Contempt of Court Act 1981 (which applies UK-wide) and Scottish common law; the specific procedural rules for production orders differ. The Investigatory Powers Act 2016 applies UK-wide. Always seek jurisdiction-specific legal advice from the NUJ or a media lawyer when a court order is received.

Primary Sources

Related guides

Related articles