Pupil photos – recent ICO action to note
The ICO has recently reprimanded two schools for sharing photographs of children whose parents had instructed the schools not to do so.
In the first case, a class photograph was sent to a local newspaper and in the second case, a class photograph was sent home to parents. The ICO’s Head of Data Protection Complaints, in a recent blog, stressed that the law does not prevent the taking and publication of photos in schools but, where parents have made a specific request for photos of their children not to be shared, data protection law does apply. Breaches in these circumstances can lead to safeguarding concerns and distressing consequences, not only for the families involved but also the staff responsible.
Photos in schools: what are the rules?
Firstly, photographs taken for personal use are not covered by data protection legislation – so family shots of children at sports day or in the school play are OK.
Where photos are taken by the school, a legal basis for the processing of that data will be required. That might be for compliance with a legal obligation or processing that is necessary in the performance of the school’s public task (maybe related to safeguarding if the photographs are to allow access to the school site or to identify a child with a severe allergy to the catering staff). Photographs will also need to be used in compliance with the data processing principles – which would include, in the case of a photo, for example, that it is not shared more widely or for longer than the specific purpose requires.
Where a school seeks to use pupil photographs for publicity purposes then it is likely that the child and the child’s parents/guardians (depending on the age of the child) will need to be made aware this is happening and the context in which the photograph will be used.
What does the ICO recommend?
- Ensure your school has an appropriate procedure for the handling of pupils’ images. Don’t just rely on a single member of staff remembering to check a spreadsheet of parental permissions
- Ensure that school staff and governors receive appropriate training, updated as required, so that they are aware of and understand their obligations under the GDPR, with an emphasis on security, personal data breaches and accountability
- Keep an accurate and up-to-date record of staff training, policy updates and internal communications bringing data protection issues to the attention of staff. This will create an audit trail to evidence your school’s compliance.
- Make sure to report any breach to your data protection officer as soon as it happens and consider if the incident needs to be reported to the ICO.
- Know what personal data your school holds and where – carry out a data audit (and review on a regular basis). Documentation and accountability is a key part of the GDPR and an information audit or data-mapping exercise will help with this.
Don’t stop taking photos!
The ICO stresses that fear of breaching the law should not be a reason to stop people taking photographs or videos which provide many with much pleasure. The issue here is about schools following good data protection practices, so their pupils remain protected.
The blog by the ICO’s Head of Data Protection Complaints is available here .