Information Commissioner's Office
Blog: Don’t get caught out when it comes to pupil photos
Blog posted by: Andrew Laing, ICO Head of Data Protection Complaints, 09 March 2020.
We’ve issued two reprimands, which are legal warnings, recently to schools for wrongly disclosing the personal data of children.
In the first case a class photograph, sent to a local newspaper by a Cheshire primary school, included the images of two pupils whose adoptive parents had refused consent for their children’s images to be shared.
The second reprimand, issued to a Humberside primary school, followed a class photograph being taken and sent home to parents. The photo included the image of a child whose adoptive parent had previously signed consent forms clearly stating that no photographs of her daughter were to be used outside of the school.
These sorts of incidents can lead to safeguarding concerns and distressing consequences not only for the families involved but also the staff responsible.
While data protection law does not prevent the taking and publication of photos, in cases where parents have made a specific request for their children not to be included, data protection law does apply.
We feel other schools can benefit from the lessons to be learned in these cases to avoid falling short of the standards required by the law when handling photographs of pupils:
- Photos taken for official school use, such as in the school prospectus or to be sent to the local paper, will be covered by data protection law and so the legislation should be followed
- Ensure your school has an appropriate procedure for the handling of pupils’ images. Don’t just rely on a single member of staff remembering to check a spreadsheet of parental permissions
- Make sure to report any breach to your data protection officer as soon as it happens and consider if the incident needs to be reported to the ICO.
- Know what personal data the school holds and where. Documentation and accountability is a key part of the GDPR and an information audit or data-mapping exercise will help with this.
- Staff should be educated about the school’s data protection policies and procedures. These should be reiterated to them on a regular basis, such as annually or as soon as changes are made. Keep accurate and up to date records of staff training, policy updates and the internal communications that bring these to the attention of staff. This will create an audit trail to evidence compliance with the GDPR.
It’s important to note that data protection law is unlikely to apply in many cases where photographs are taken in schools and other educational institutions. If photos are taken purely for personal use, such as by parents at a sports day for the family photo album, they will not be covered by data protection legislation. Fear of breaching the law should not be a reason to stop people taking photographs or videos which provide many with much pleasure. The issue here is about schools following good data protection practices, so their pupils remain protected.
Latest News from
Information Commissioner's Office
Statement in response to media enquiries about the Data Protection Impact Assessment for the NHSX’s trial of contact tracing app11/05/2020 09:15:00
An ICO spokesperson said: “We are reviewing the Data Protection Impact Assessment for NHSX’s pilot of its contact tracing app in the Isle of Wight.”
Blog: Information Commissioner sets out new priorities for UK data protection during COVID-19 and beyond06/05/2020 09:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 05 May 2020.
COVID-19 contact tracing: data protection expectations on app development05/05/2020 09:10:00
Information Commissioner Elizabeth Denham and Executive Director of Technology and Innovation Simon McDougall appeared before the Human Rights Joint Committee yesterday (4 May 2020).
Statement in response to details about an NHSX contact tracing app to help deal with the COVID-19 pandemic27/04/2020 09:10:00
Statement given recently (24 April 2020) in response to details about an NHSX contact tracing app to help deal with the COVID-19 pandemic.
Blog: Combatting COVID-19 through data: some considerations for privacy20/04/2020 09:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 17 April 2020.
Blog: Video conferencing: what to watch out for17/04/2020 09:10:00
The COVID-19 crisis is changing the way we live our lives. Keeping our distance means many of us are working from home for the first time and adapting to new ways of doing our jobs.
How we will regulate during coronavirus16/04/2020 09:10:00
The ICO yesterday published a document setting out our regulatory approach during the coronavirus pandemic.
ICO statement on investigating coronavirus scams09/04/2020 09:10:00
ICO are supporting businesses eager to stay in touch with customers during the Covid-19 pandemic.
Winner of the ICO’s Practitioner Award for Excellence in Data Protection 2020 announced07/04/2020 12:25:00
Recognising the increasingly vital role played by data protection professionals, the third ICO Practitioner Award for Excellence in Data Protection is awarded to Barry Moult, Information Governance and Privacy Consultant, and former Head of Information Governance at an NHS Trust.