By Susan Gately - 21 April, 2019
Ireland’s Data Protection Commission (DPC) has recommended a common sense approach to the issue of photographs of children at school events, including First Holy Communion.
The DPC has released a statement in response to queries from schools and worried parents. “A balanced, common sense approach will go a long way towards ensuring that individuals’ rights are respected, while also ensuring that data protection doesn’t become an obstacle to capturing and celebrating significant school events,” the statement said.
“The introduction of the General Data Protection Regulation (GDPR) has triggered a significant shift in people’s perception of data protection, and organisations across all types of sectors are contending with different challenges.”
The statement noted that the DPC often receives queries from schools, parents and photographers about taking photographs at school events. Common questions are:
“Taking photographs of people in public is generally allowed. However, whether you can publish a photograph to a broad-based audience is a different question,” said the DPC statement.
“In other words, taking a photo in public is generally fine; it’s what you do with that photo that can potentially become a data protection issue.”
Photos taken by parents of their children at a school event or at Holy Communion which include another child fall under the “household exemption” clause of the GDPR, which provides that the GDPR does not apply when a person processes personal data (like a photograph of someone) in the course of a purely personal or household activity, not connected with business or commercial activity.
The DPC statement said that photos can end up being posted on a social media platform such as Instagram or Facebook. The GDPR doesn’t strictly prohibit this. “Recital 18 [states] that personal or household activities could include social networking.”
However, if a parent publishes a photo of their own child online which also contains images of other children, and the parent of one of these children asks for the image to be taken down, they should do so “out of common courtesy”.
Where schools hire an official photographer for a school-related event and images are destined for the school website or local paper, the schools cannot rely on the household exemption, the DPC statement said.
“They are acting as data controllers which brings them into the sphere of the GDPR and all of the rules that come with it. For example, they must have a legal basis to process the personal data (eg, take and store photos) and they must provide clear and concise information about what it is that they are doing with this personal data, and how long they will be keeping it for.”
If a school identifies consent as the “appropriate legal basis for taking and publishing photos”, the DPC advises not only getting consent of the parent or guardian but, depending on the age of the child, his or her consent too. A parent or child can withdraw consent later if they wish.
“Schools themselves are in the best position to judge the age at which they believe their students are capable of understanding what exactly it is they are agreeing to and giving consent themselves. As such, depending on the context and the age of the student, it may be a case of involving both the parent/guardian and the student in the discussion about consent.”