User menu

Information watchdog warns of dangers of school photos and wrongful disclosure of personal data

The Information Commissioner’s Office has issued two reprimands, or legal warnings, to schools for wrongly disclosing the personal data of children.

The actions were revealed in a blog entry from the watchdog’s Head of Data Protection Complaints, Andy Laing.

He said that in the first case a class photograph, sent to a local newspaper by a Cheshire primary school, included the images of two pupils whose adoptive parents had refused consent for their children’s images to be shared. The school's external data protection officer was only told of the incident three months after a complaint had been submitted to the chair of the governors.

The second reprimand, issued to a Humberside primary school, followed a class photograph being taken and sent home to parents. The photo included the image of a child whose adoptive parent had previously signed consent forms clearly stating that no photographs of her daughter were to be used outside of the school.

Laing said: “These sorts of incidents can lead to safeguarding concerns and distressing consequences not only for the families involved but also the staff responsible.

“While data protection law does not prevent the taking and publication of photos, in cases where parents have made a specific request for their children not to be included, data protection law does apply.”

Laing said the lessons to be learned in these cases by other schools, to avoid falling short of the standards required by the law when handling photographs of pupils, were:

  • Photos taken for official school use, such as in the school prospectus or to be sent to the local paper, will be covered by data protection law and so the legislation should be followed.
  • Ensure the school has an appropriate procedure for the handling of pupils’ images. "Don’t just rely on a single member of staff remembering to check a spreadsheet of parental permissions."
  • Make sure to report any breach to the school’s data protection officer as soon as it happens and consider if the incident needs to be reported to the ICO.
  • Know what personal data the school holds and where. “Documentation and accountability is a key part of the GDPR and an information audit or data-mapping exercise will help with this.”
  • Staff should be educated about the school’s data protection policies and procedures. “These should be reiterated to them on a regular basis, such as annually or as soon as changes are made. Keep accurate and up to date records of staff training, policy updates and the internal communications that bring these to the attention of staff. This will create an audit trail to evidence compliance with the GDPR.”

Laing said it was important to note that data protection law was unlikely to apply in many cases where photographs were taken in schools and other educational institutions.

“If photos are taken purely for personal use, such as by parents at a sports day for the family photo album, they will not be covered by data protection legislation. Fear of breaching the law should not be a reason to stop people taking photographs or videos which provide many with much pleasure,” he added.

“The issue here is about schools following good data protection practices, so their pupils remain protected.”