Data Protection for School Photography

Permissions and Privacy Concerns in School Offices

“I can’t give you a list of names, what if it gets lost?”

“You don’t have permission to see that data…”

“I can’t tell you his name, that’s private!”

Let’s tackle the DATA PROTECTION monster.

When you know what is ok and what’s not, you will be able to explain it to your schools.

Then everyone will have an easier time.

Your customers and clients are right to be concerned about and protective of their data. Difficulties arise when two parties have a different understanding of the risks and rules.

First things first, let’s talk about the General Data Protection Regulation (GDPR), which governs how we handle personal data in the UK. Under the GDPR, a photograph of a student is considered ‘personal data’ because it can be used to identify them.

(Yes, GDPR does still apply in the UK. It was enshrined in UK law in 2018.)

You probably know that before you can take or use a photograph of a student, you need to obtain ‘consent’.

This usually comes from the parents or guardians of the student. It’s crucial to ensure that this consent is freely given, informed, and specific.

This means that the parents or guardians understand why and how the photographs will be used.

You should not need to gain this consent yourself.

99% of parents will have given consent for their children to be photographed when they joined, and it is up to the school to explain at that time why photographs might be taken.

(Don’t panic, that will include your job 😊)

What you DO need to do is ask whether there are any specific children with hidden identities, and then not include those children in any group photographs. Also, ensure that their image is safe from being shared inappropriately.

But what about names?

Can you request a list of students to be photographed?

The answer is YES, but with caution. Students’ names are also considered personal data, and the same rules apply. You need to ensure that you have a legitimate reason for needing this information, and that you handle it with the utmost care.

The key here is to understand what a legitimate reason is.

A system that automatically matches a child with their name to provide a seamless viewing and ordering platform for families is a legitimate reason.

And with name data, there is no risk that the wrong name can be recorded against the wrong child in photo ordering software.

Compare this to individual QR codes, without names.

  • Children swap codes.
  • Slips get lost.
  • Someone misunderstands the process and duplicates codes.

(We had someone photocopy a single QR code 400 times once, because they thought they were all the same…)

Finally, let’s talk about data retention.

The GDPR states that personal data should only be kept as long as necessary. This means that you can’t keep the photographs indefinitely.

You should have a clear policy about when and how to delete or archive old photographs. This can stretch to years and years if you can justify it.

As school photographers, we play a crucial role in both providing a service to schools and creating memories.

Keeping everyone happy can be a delicate balance, but with knowledge and care, it is possible!