This week the ICO published a new blog post, aimed at schools, looking at a couple of reprimands it had served on a couple of schools.
On the face of it the main issue was that the schools shared photos of children outside their school which contained the images of children whose guardians had explicitly not consented to the use of their child’s image in school photos used outside of school.
As well as the safeguarding issues (in these cases it would seem the guardians had very good reasons not to allow the sharing of school photos) the ICO points out that when consent like this isn’t given, then data protection applies.
Unfortunately, the blog post confuses the issue somewhat. We’ve seen ICO guidance before about how the processing of a photo may constitute processing of personal data in some circumstances, e.g. if the photo is processed to identify an individual or their behaviour, or used for internal identification purposes (e.g. door or security passes), where it may not constitute personal data if it is not processed to identify or because it does not identifying the individuals.
And whilst I agree the processes for the schools should have been followed to make sure photos weren’t shared that included photos of pupils who have not consented to the use of their image and the ICO are right to reprimand, their guidance in the blog post is somewhat confusing. Specifically, they say:
Photos taken for official school use, such as in the school prospectus or to be sent to the local paper, will be covered by data protection law and so the legislation should be followed
This seems to contradict what they say about the use of photos in their personal data guidance where individuals aren’t identified. I did ask the ICO to confirm this, but they dodged the question a little and wouldn’t give a straight answer about the contradiction (in my mind at least).
Anyway, the blog post offers some guidance for schools when processing photos and the actual reprimand notices both highlight the issues and what the schools are expected to do, to comply with the notices, so they’re worth checking out.
Our GDPR DIY, GDPR Helpline and GDPR DPO subscribers get access to our Knowledge Centre which provides more detailed guidance on these reprimands, as well as receive updates and alerts about changes in law, enforcement action, etc. For more information about how you can benefit from this, take a look at our GDPR solutions or get in touch to find out how we can help your organisation. Alternatively, sign up to our Article 13 GDPR Newsletter for a monthly briefing and updates.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR