The UK data protection authority, the Information Commissioners Office (the ICO) has recently issued a reminder to schools and educational establishments about the importance of obtaining parental consent when taking and using photos of pupils in their care.

With lock down in place schools and early years providers are experimenting with new methods of communicating and engaging with parents and children to share learning ideas and keep up the community feel amongst their children and parents. More newsletters will be being sent home and lessons will be carried out remotely using technology schools may not have used before. Many of these new communication and teaching methods may involve sharing photographs / videos so the ICO’s statement is a timely reminder to those in the education sector to check they have appropriate consents before sharing photos.

The ICO has highlighted two recent reprimands it has given to two different schools for sharing photographs without consent. Both of these cases involve adopted children and the ICO has reminded schools of the need to consider safeguarding issues in this area. 

In the first case, a primary school sent a class photograph to a local newspaper. The class photograph included two pupils whose adoptive parents had refused to provide consent for their children’s images to be shared.

In the second case again it was a class photograph that caused another school to become unstuck. The class photograph was sent home to parents but the adoptive parents of one of the children featured had previously signed consent forms clearly stating that no photographs of their child were to be used outside of the school.

Whilst neither school was fined they received a reprimand from the ICO and were publicly named on the ICO’s website. Both these cases highlight the importance of obtaining clear and unambiguous consent from parents in relation to photographs and how you can use them and the cases also highlight the practical difficulties involved when dealing with group photographs when parents have different wishes.   

In its blog the ICO recommends having appropriate policies and procedures in place for handling images and ensuring breaches are reported to the data protection officer / ICO promptly. The ICO also recommends organisations document what personal data they hold and ensure staff are adequately trained. We have looked at the ICO’s recommendations in further detail below:  

Ensure you have appropriate policies / procedures in place for handling images

This is key to your accountability obligations under the General Data Protection Regulation (GDPR) and having clear policies and procedures in place will help ensure compliance and minimise risks of complaints / data breaches.

Report breaches promptly to your data protection officer / the ICO

Having a clear breach reporting policy which is communicated to all staff is key so that staff know what to do in the event of a breach and who they should report it to internally. Staff training is also key here. If the breach is reportable to the ICO you will only have 72 hours to report it so it is important that the data protection officer is notified immediately so appropriate action can be taken. Staff also need to understand how to identify when a breach has occurred for your breach policy to be effective.

Document what personal data you hold

Key to accountability and record keeping obligations under GDPR. A data mapping exercise should be carried out and records of the data you hold kept and updated on a regular basis.

Training staff

Do not simply rely on one member of staff to understand, implement and enforce your policy – particularly in the current climate with teachers providing lessons from home all staff need to know and understand your policy and procedures for handling images of pupils. In the event of a data protection breach the ICO ask whether the person responsible for the breach has received training in the last 2 years so it is important that all staff receive training and reminders of your obligations under GDPR and your policies. Ensuring compliance with data protection legislation should not be the responsibility of one person alone.

The ICO reminds readers that data protection law doesn’t come into play when parents take photos for personal use although this can be a polarised issue and it is  good practice to be respectful of other parents wishes particularly as you may be putting other children at risk inadvertently by sharing their photos. The reminder from the ICO and this article is written with schools and other education providers in mind.  

As well as ensuring you have appropriate consents for sharing photographs (the same will apply to videos) it is important that education providers carefully review the technology they use and that a privacy impact assessment is carried out for the use of any technology which will process and hold children’s personal data to ensure adequate protections are in place. Existing privacy policies and notices may need to be updated as a result of new technology being adopted to handle home schooling. 

Whilst schools and early years providers are gearing up for a possible re-opening from the 1st June it is anticipated that many children and teachers will still remain at home due to health concerns and it is likely some of the new teaching and communication methods tried during closure will continue post lock down so it is important that data protection compliance remains at the forefront of educational providers minds during this time.