Why determining if photos are personal data is not straightforward

schools reprimanded for sharing pupil photos

Share This Post

This week the ICO published a new blog post, aimed at schools, looking at a couple of reprimands it had served on a couple of schools.

On the face of it the main issue was that the schools shared photos of children outside their school which contained the images of children whose guardians had explicitly not consented to the use of their child’s image in school photos used outside of school.

As well as the safeguarding issues (in these cases it would seem the guardians had very good reasons not to allow the sharing of school photos) the ICO points out that when consent like this isn’t given, then data protection applies.

Unfortunately, the blog post confuses the issue somewhat. We’ve seen ICO guidance before about how the processing of a photo may constitute processing of personal data in some circumstances, e.g. if the photo is processed to identify an individual or their behaviour, or used for internal identification purposes (e.g. door or security passes), where it may not constitute personal data if it is not processed to identify or because it does not identifying the individuals.

And whilst I agree the processes for the schools should have been followed to make sure photos weren’t shared that included photos of pupils who have not consented to the use of their image and the ICO are right to reprimand, their guidance in the blog post is somewhat confusing. Specifically, they say:

Photos taken for official school use, such as in the school prospectus or to be sent to the local paper, will be covered by data protection law and so the legislation should be followed

This seems to contradict what they say about the use of photos in their personal data guidance where individuals aren’t identified. I did ask the ICO to confirm this, but they dodged the question a little and wouldn’t give a straight answer about the contradiction (in my mind at least).

Anyway, the blog post offers some guidance for schools when processing photos and the actual reprimand notices both highlight the issues and what the schools are expected to do, to comply with the notices, so they’re worth checking out.

Our GDPR DIY, GDPR Helpline and GDPR DPO subscribers get access to our Knowledge Centre which provides more detailed guidance on these reprimands, as well as receive updates and alerts about changes in law, enforcement action, etc. For more information about how you can benefit from this, take a look at our GDPR solutions or get in touch to find out how we can help your organisation. Alternatively, sign up to our Article 13 GDPR Newsletter for a monthly briefing and updates.

More To Explore


The key message from the ICO regarding the use of AI is not to forget if AI is processing personal data, then you need to

Read More »

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy