© 2018 Capita Business Services Ltd. All rights reserved.

Capita Education Software Solutions is a trading name of Capita Business Services Ltd. Our Registered office is 30 Berners Street, London, W1T 3LR and our registered number is 02299747. Further information about Capita plc can be found in our legal statement.

GDPR and School Photographers

GDPR guidance for photographers

Commercial photographers taking pictures of students in schools must comply with the GDPR law in the UK or in Europe (or applicable laws in other countries). 

The ICO links below form the basis of all guidance. You may also want to review best practice from the NSPCC, Local Authorities and school groups.

ICO: Taking Photos in Schools (*)

ICO Home Page (*)

NSPCC: Photography in Schools (*)

GDPR Guidance Links

(*) Please contact us if these third-party links are no longer available.

 

Photographers must demonstrate compliance with GDPR

Schools are the guardians of all data held for pupils and staff, and they alone (not ESS SIMS) can grant access to data. To comply with GDPR law, schools must be satisfied that photographers are handling data securely and understand GDPR requirements. School photographers take images of students, which augment the personally identifiable data. As such, photographers are 'data processors' and subject to GDPR. Photographers have the same requirement for contracts and care of data as any other data processor. If a school is not satisfied that a supplier handles data security appropriately, it is illegal for the school to use this supplier. A school must ask its suppliers to demonstrate that they are processing data securely. GDPR requires that photographers prove this.

To demonstrate compliance the photographer must:

  1. Be registered with ICO.
  2. Have a privacy policy for data held.
  3. Carry out a DPIA (Data Protection Impact Assessment) and make this known to the school. In this they will look at the data they process for the school. They will make sure that the school understands the legal basis for processing the data, that they are meeting the rights of the data subject, and that they have considered all aspects of security.
  4. Service Subject Access Requests (SARs) made by the data subject or by a parent on the data subject’s behalf.
  5. Service the data subject’s rights, for example the right to be forgotten.

There will never be a day when a supplier is 100% risk free. However, schools are required to demonstrate that they have considered the risks and taken appropriate steps to remove or mitigate them. 

Schools may pass on pupil names to photographers for photographs used in school

Schools need a photograph of each student as part of their record for identification in SIMS or for use in passes, cashless systems, etc. If this is a normal function of the school, it comes under the public umbrella and the legal basis for processing is Public Interest. The school can pass on the whole data set.

Schools must obtain consent before releasing parent/carer details to photographers for the sale of photographs

The school may wish to sell photographs, either directly or via the photographer, to earn funds for the school. This is clearly not a public interest basis, and the best legal basis for processing will be consent from the parent or the data subject. Thus, schools must obtain parental/carer consent if the photographs are offered for sale. Schools will usually have an agreement with parents regarding the capture and use of photographs of students. For example, this source has a parental consent process for all photography.

We believe many schools already ask for consent, but it is worth advising schools that they can still tell parents that the school can take pictures for its own records even if the parents do not give consent.

Caveat

ESS guidance is based on research and on our knowledge to date. It is not legal advice, simply guidance.