Recently a member of staff popped in to discuss how she would like to share photos of a school sporting event with the various schools which were involved. This got me thinking about GDPR and the implications for events and photography at such events.
Firstly, let’s consider the photos themselves. They might show groups of students involved in a sport or gathered at the start or end. They might also include spectators who attended the event including parents or visitors to the school. My first piece of advice here is simply to ensure that it is clear to people that photography will be taking place and that such photos may be used by the school for various purposes including newsletters and other marketing or publicity materials plus that they may be shared with other organisations involved in the event such as other schools. This notification can either be put on programmes or event marketing materials, or can be made clear at the event itself via posters or other displays. I believe this should be sufficient as gathering specific consent from all in attendance would be impractical plus where consent is not provided, avoiding including individuals in action event photography would be very difficult indeed. Taking a risk based view, given that no names are attributed to the photos, and therefore individuals are not clearly identifiable I see the risk of taking photos as events to be low. As such I see the provision of notices of the intention to take and use photos as sufficient.
Once we start identifying individuals in photos, possibly by naming them, or given that the photo is of a small group of individuals who therefore are more identifiable, then I think we would need to look to have consent or some other basis for processing the data. Schools usually have such a permission form or other method to gather permission from parents to use photos of children in their materials. Key here is to ensure that a permission form makes clear the purposes for which photos might be used. E.g. marketing purposes, around school for display purposes, etc.
When the staff member popped in, the issue of event photography highlighted the inaccuracy of the frequently used term “GDPR Compliance”. The term “compliance” to me conveys a sense of a binary outcome, either we comply or we don’t. The issues in hand when looking at GDPR are not so clear. Does compliance mean seeking permission from every individual in a photo, including members of the public? I would think not. As such I continue to believe in the need to take a measured risk based view on how we manage data and on our preparations for GDPR. Where a risk exists, we need to decide whether we accept the risk. If we do not we must seek to mitigate the risk through permission forms and notices in the case of school photography, to the point that we are then happy to accept, either this or we stop taking photos.
GDPR continues to result in confusion and contradictions of interpretation. We seek the way, the one way, the best way to achieve compliance yet every school is different plus interpretations and attitude to risk vary. For me the key is simply to consider your own environment, the risks and your schools appetite for risk, and to act from there.