Many employers take photographs of their employees to use on the business’ website and to support other business-wide marketing campaigns. But do photos constitute personal data under the GDPR?
Is an employee’s photograph classed as ‘personal data’?
If individual employees can be identified directly from their website image or identified by using the image in conjunction with other available information on the website, then the image will be classed as personal data.
This means that the employer’s processing of the image will be governed by the GDPR and the image needs to be processed in accordance with its principles.
It is important to understand how the employer is using the data, in this case, photographs. There is a difference between a photo that identifies the individual and an anonymised photograph that is used for marketing purposes. When an employee is identifiable in a photograph, information related to the employee’s health, disability or racial origin could be communicated and this could be classed as ‘sensitive’ personal data.
What can an employer do under the GDPR?
Photographs that amount to personal data need to be processed lawfully, fairly and transparently.
The use of employee photographs to generate employee engagement within the workplace and to promote the business externally to customers in order to generate future business could be explored as a means of establishing a legitimate interest as a lawful basis for using the photos.
The employer also needs to provide fair processing information to its employees in accordance with GDPR requirements to ensure that employees are aware that their personal data may be processed for such purposes.
The advice from the ICO to employers is that relying upon consent to process employee personal data should be viewed as a last resort, because of the uneven relationship between an employer and employee. There are stricter rules for obtaining consent under the GDPR, which includes requiring that consent must be freely given.
If the data is classed as ‘sensitive data’ whereby an employee’s heath or racial origin is easily identifiable then it is hard to see how its use could be justified without first obtaining consent.
In many cases an employee is likely to give consent for their photograph to be used, as it can help to raise an individual’s professional profile, but in accordance with GDPR requirements for use of consent, the employee should be allowed to withdraw their consent at any time and their photograph needs to be removed at this point which can cause a problem for the employer.
In this context, it would also be necessary to look at any contract terms, policies or references in the staff handbook to see what is said about taking photographs of employees, although this wouldn’t automatically give an employer the grounds to lawfully process sensitive data.
Privacy under the Human Rights Act
An employee might also claim that they have a right to privacy under the Human Rights Act. There could be grounds for an employee to argue that their privacy has been infringed by their employer if the employer took and used a photograph of the employee without their informed consent. Given the issues, it might be sensible for employers to ensure that an employee’s consent to the use of a photograph is obtained in writing.
An employer could do this by requesting that the employee signs a form, which should set out how the image will be used, so that the employee can provide appropriate consent for that use. The consent form should include, among other things, full details about how the photograph will be used and where it will appear.
For further advice on this, or any other employment-related dispute, please contact Jane Crosby at Hart Brown Solicitors directly by emailing firstname.lastname@example.org or by calling 01483 887742.
This is not legal advice; it is intended to provide information of general interest about current legal issues.