ICO warns schools about use of children’s images

Posted on 16 March 2020

What are the rules around using photographs of children? Do we need to get parental/ PR* holder consent for every child in a group photo?

These are questions that regularly vex organisations and parents alike. And no organisations more so than schools. The ICO has published a blog highlighting legal warnings that it has issued against two primary schools for wrongly disclosing the personal data of their students.

What went wrong?

In both cases the schools shared photographs of children in direct contravention of the stated wishes of their adoptive parents.

In the first case a primary school in Cheshire sent a class photograph to a local paper which was published in the paper (online and in print). This was despite the adoptive parents of two of the children in the photograph having refused consent to images of their children being shared via any media.

In a similar set of circumstances a second primary school in Humberside sent a class photograph to parents. The adoptive parent of one of the children complained that this had raised safeguarding issues for her child and was in contravention of the statement on the consent form she signed which said that no photographs of her daughter were to be used outside the school.

How was the GDPR breached?

In both cases the ICO found that the sharing of the children’s images was a breach of the GDPR on a number of grounds, including (but not limited to):

Breach of Article 5(2) GDPR which requires organisations to be able to demonstrate compliance with key data protection obligations. The schools had not implemented an appropriate procedure for handling children’s images and had failed to consider reporting the breach to the ICO as a data security breach;
Breach of Article 5(1)(a) (which requires that personal data is processed lawfully, fairly and in a transparent manner) for processing the personal data in the photographs without a suitable lawful basis and, in the case of one of the schools, failing to process children’s images in a transparent manner; and
Breach of Article 5(1)(f) which requires that personal data is processed in a way that ensures the data is secure. The school was found to have breached this Article because the system in place at the schools put undue reliance on individuals. The Humberside school relied on individuals to understand that use of photographs outside school included class photographs and the Cheshire school required a single individual to remember to check a spreadsheet of consents.

Both schools were issued with reprimands and the ICO recommended a number of specific steps for each school to take to improve their data protection compliance.

What are the ICO’s 5 takeaways from these breaches?

In its blog the ICO highlighted the following key lessons which schools should take from these breaches:

Photographs taken for official school use, for instance to be sent to a local paper or used in a school prospectus, will be covered by data protection legislation. Note however that the blog also points out that many photographs taken of children in educational settings will not be subject to data protection law, in particular photographs taken by parents for their personal use.
Schools should have appropriate procedures in place for handling pupils’ photographs, which need to be more than a single member of staff remembering to check a spreadsheet of parental consents.
Any breach of data protection law through use of children’s images should be reported to the school’s Data Protection Officer and schools should consider whether it is also appropriate to report the breach to the ICO (where it involves a breach of security).
Schools should have a clear idea of what personal data they hold and where. The blog recommends that a data mapping exercise or audit would help to comply with this.
Staff need to be alerted to the school’s data protection policies and procedures and should be regularly trained on them. The ICO recommends that schools….

“Keep accurate and up to date records of staff training, policy updates and the internal communications that bring these to the attention of staff. This will create an audit trail to evidence compliance with the GDPR.”

Not just relevant to schools

While the ICO’s blog is aimed at schools, the lessons from these investigations can be applied to any organisation using images of children – whether religious groups running children’s activities, international NGOs or theatres working on productions featuring school children. Where organisations have sought consent from parents/ those with PR* to use images of their children, decisions to withhold that consent must be respected. Organisations should also remember that consent is not always needed for the use of photographs of children and it may be possible to rely on an alternative lawful basis for processing images of children.

Organisations should have clear procedures that staff can easily access that explain what steps need to be taken before using an image of a child, for instance checking on records of consent.

Staff using children’s images need to be trained on these procedures. Bearing in mind that sharing of children’s photographs could raise safeguarding issues, organisations should consider whether it is appropriate to report any security breach to the ICO and may wish to refer specifically to children’s images in their data protection policy documents.

*Parental Responsibility

If you have any questions about any of the issues discussed in this blog, please contact Mairead O’Reilly at [email protected]

Watch again | Balancing responsibility & innovation – How can we develop and implement ethical AI? | 4 July

A recent explosion in innovation has meant AI has become more popular and powerful. AI and automated decision-making, especially in …

Practical tips for deploying AI

With AI integration becoming increasingly common, it is vital that businesses deploy AI systems in a way that complies with …

Data Protection and Digital Information Bill

Summary Ministers have set out a vision for the UK’s technology strategy. The UK is to become a “tech superpower” …

Election ’24: The data protection considerations of political campaigning (part two)

Communicating with individuals and processing personal data are an essential part of campaigning and advocacy. Read our latest Election '24 factsheet on the data protection rules that you should bear in mind.

EdTech and the application of the ICO Children’s Code

In this factsheet, we briefly outline when the ICO's Children's Code applies to Edtech providers and other key data protection considerations for schools and Edtech service providers.

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others