Are staff photographs a breach of the GDPR?
Certain employers take photos of their employees to use on their website and use to support marketing campaigns.
Do photos constitute personal data under the GDPR? The other question is do the photos need to be treated as sensitive data as they may revel something about the employee’s health.
Is an employee’s photograph personal data?
If individual employees can be identified directly from their website image or identified by using the image in conjunction with other available information on the website then the image will be classed as personal data.
This means the employer’s processing of the image will be governed by the GDPR and the image needs to be processed in accordance with its principles.
It is important to understand how the employer is using the data. It could be that they are general shots of employees and not being distributed to the public so there may be a difference between a photo that identifies the individual and an anonymous photo used for marketing purposes. When the photos are identifiable this could reveal something about someone’s health, disability or racial origin and this could be seen as sensitive personal data.
What does an employer do under the GDPR?
Images which amount to personal data need to be processed lawfully, fairly and transparently.
The use of employee images to generate general employee engagement within the workplace and to promote the business externally to customers to generate business could be explored as a means of establishing a legitimate interest as a lawful basis for using the photos.
The employer also needs to provide fair processing information to its employees in accordance with GDPR requirements to ensure that they are aware that their personal data may be processed for such purposes.
The advice from the ICO to employers is that relying upon consent to process employee personal data should be of the last resort unless in the circumstances, obtaining consent is mandatory, because of the uneven relationship between employer and employee. The reason why is that there are stricter rules for obtaining consent under the GDPR, which includes requiring that consent must be freely given.
Unfortunately, if the data is seen as sensitive data whereby a person heath or racial origin is easily identifiable then it is hard to see how its use could be justified without first obtaining consent.
It is possible it is a case where consent of the employee could be relied upon and in most cases an employee would give consent because it may be good for them to raise their profile but in accordance with GDPR requirements for use of consent, the employee should be allowed to withdraw consent at any time and their photo needs to be removed which could cause a problem for the employer.
In this context, it would also be necessary to look at any contract terms, policy or staff handbook to see what they say about taking photographs in this type of situation although this does not get over the problem a staff handbook would not give the employer the grounds to process sensitive data as lawful.
Privacy under the Human Rights Act
An individual might also claim that they have a right to privacy under the Human Rights Act.
There might be grounds for an employee to argue that their privacy had been infringed by the employer if the employer has taken a photograph of them without their consent but used it in a way of which they were not informed, and to which they did not consent.
Given the issues, it may be sensible for employers to ensure that the employee’s consent to the employer’s use of the photograph of them has been obtained in writing.
You could do this by requesting that the employee sign a form, which should set out how the image will be used so that the employee can provide appropriate consent to that use. The consent form should include, among other things, full details on how the photograph will be used and where it will appear.
This is not legal advice; it is intended to provide information of general interest about current legal issues.