What are the rules around using photographs of children? Do we need to get parental/ PR* holder consent for every child in a group photo?
These are questions that regularly vex organisations and parents alike. And no organisations more so than schools. The ICO has published a blog highlighting legal warnings that it has issued against two primary schools for wrongly disclosing the personal data of their students.
What went wrong?
In both cases the schools shared photographs of children in direct contravention of the stated wishes of their adoptive parents.
In the first case a primary school in Cheshire sent a class photograph to a local paper which was published in the paper (online and in print). This was despite the adoptive parents of two of the children in the photograph having refused consent to images of their children being shared via any media.
In a similar set of circumstances a second primary school in Humberside sent a class photograph to parents. The adoptive parent of one of the children complained that this had raised safeguarding issues for her child and was in contravention of the statement on the consent form she signed which said that no photographs of her daughter were to be used outside the school.
How was the GDPR breached?
In both cases the ICO found that the sharing of the children’s images was a breach of the GDPR on a number of grounds, including (but not limited to):
- Breach of Article 5(2) GDPR which requires organisations to be able to demonstrate compliance with key data protection obligations. The schools had not implemented an appropriate procedure for handling children’s images and had failed to consider reporting the breach to the ICO as a data security breach;
- Breach of Article 5(1)(a) (which requires that personal data is processed lawfully, fairly and in a transparent manner) for processing the personal data in the photographs without a suitable lawful basis and, in the case of one of the schools, failing to process children’s images in a transparent manner; and
- Breach of Article 5(1)(f) which requires that personal data is processed in a way that ensures the data is secure. The school was found to have breached this Article because the system in place at the schools put undue reliance on individuals. The Humberside school relied on individuals to understand that use of photographs outside school included class photographs and the Cheshire school required a single individual to remember to check a spreadsheet of consents.
Both schools were issued with reprimands and the ICO recommended a number of specific steps for each school to take to improve their data protection compliance.
What are the ICO’s 5 takeaways from these breaches?
In its blog the ICO highlighted the following key lessons which schools should take from these breaches:
- Photographs taken for official school use, for instance to be sent to a local paper or used in a school prospectus, will be covered by data protection legislation. Note however that the blog also points out that many photographs taken of children in educational settings will not be subject to data protection law, in particular photographs taken by parents for their personal use.
- Schools should have appropriate procedures in place for handling pupils’ photographs, which need to be more than a single member of staff remembering to check a spreadsheet of parental consents.
- Any breach of data protection law through use of children’s images should be reported to the school’s Data Protection Officer and schools should consider whether it is also appropriate to report the breach to the ICO (where it involves a breach of security).
- Schools should have a clear idea of what personal data they hold and where. The blog recommends that a data mapping exercise or audit would help to comply with this.
- Staff need to be alerted to the school’s data protection policies and procedures and should be regularly trained on them. The ICO recommends that schools….
“Keep accurate and up to date records of staff training, policy updates and the internal communications that bring these to the attention of staff. This will create an audit trail to evidence compliance with the GDPR.”
Not just relevant to schools
While the ICO’s blog is aimed at schools, the lessons from these investigations can be applied to any organisation using images of children – whether religious groups running children’s activities, international NGOs or theatres working on productions featuring school children. Where organisations have sought consent from parents/ those with PR* to use images of their children, decisions to withhold that consent must be respected. Organisations should also remember that consent is not always needed for the use of photographs of children and it may be possible to rely on an alternative lawful basis for processing images of children.
Organisations should have clear procedures that staff can easily access that explain what steps need to be taken before using an image of a child, for instance checking on records of consent.
Staff using children’s images need to be trained on these procedures. Bearing in mind that sharing of children’s photographs could raise safeguarding issues, organisations should consider whether it is appropriate to report any security breach to the ICO and may wish to refer specifically to children’s images in their data protection policy documents.