A blog by Andrew Laing, ICO Head of Data Protection Complaints

We’ve issued two reprimands, which are legal warnings, recently to schools for wrongly disclosing the personal data of children.

In the first case a class photograph, sent to a local newspaper by a Cheshire primary school, included the images of two pupils whose adoptive parents had refused consent for their children’s images to be shared.

The second reprimand, issued to a Humberside primary school, followed a class photograph being taken and sent home to parents. The photo included the image of a child whose adoptive parent had previously signed consent forms clearly stating that no photographs of her daughter were to be used outside of the school.

These sorts of incidents can lead to safeguarding concerns and distressing consequences not only for the families involved but also the staff responsible.

While data protection law does not prevent the taking and publication of photos, in cases where parents have made a specific request for their children not to be included, data protection law does apply.

We feel other schools can benefit from the lessons to be learned in these cases to avoid falling short of the standards required by the law when handling photographs of pupils:

  • Photos taken for official school use, such as in the school prospectus or to be sent to the local paper, will be covered by data protection law and so the legislation should be followed
  • Ensure your school has an appropriate procedure for the handling of pupils’ images. Don’t just rely on a single member of staff remembering to check a spreadsheet of parental permissions
  • Make sure to report any breach to your data protection officer as soon as it happens and consider if the incident needs to be reported to the ICO.
  • Know what personal data the school holds and where. Documentation and accountability is a key part of the GDPR and an information audit or data-mapping exercise will help with this.
  • Staff should be educated about the school’s data protection policies and procedures. These should be reiterated to them on a regular basis, such as annually or as soon as changes are made. Keep accurate and up to date records of staff training, policy updates and the internal communications that bring these to the attention of staff. This will create an audit trail to evidence compliance with the GDPR.

It’s important to note that data protection law is unlikely to apply in many cases where photographs are taken in schools and other educational institutions. If photos are taken purely for personal use, such as by parents at a sports day for the family photo album, they will not be covered by data protection legislation. Fear of breaching the law should not be a reason to stop people taking photographs or videos which provide many with much pleasure. The issue here is about schools following good data protection practices, so their pupils remain protected.

Andy Laing is Head of Data Protection Complaints at the ICO.