University guidance on GDPR and photography

The accordions below are intended to help staff ensure their photographs complies with GDPR

Expand All

Personal data is any information that can be used to identify a living individual directly or indirectly and that relates to them.

Sensitive personal data (known as Special Category Data) concerns the subject’s race, ethnicity, politics, religion, trade union status, health, sex life or criminal record.

Yes - Where an image is clearly of an individual or group of individuals, who are the focus of the image, it will be personal data (they don't have to be named in the caption).

No - Where an image does not focus on an individual or group of individuals, the data is unlikely to be personal data.

It will not normally be necessary to obtain the specific permission of everyone who appears incidentally in the background, where they are clearly not the focus of the image.

Consent is one of six possible lawful bases for processing personal data under the GDPR. 

Consent must be specific and given freely.

Requirements for consent are stricter under GDPR than they were under the Data Protection Act.

any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

You need written consent from every individual you photograph - unless they are not clearly identifiable. A University consent form is available for this (see photography toolkit).

Written consent is required from parents or guardians of children under the age of 13.

For any event where photos are being taken, you need to have consent forms in addition to perimeter notices.

It may not be appropriate to ask VIPs to complete consent forms. If so, it should be sufficient to obtain verbal consent. But do make a written note of this as you must have a record of consent.

Consent for photos must be kept separate from other terms and conditions (e.g. signing up for an event)

The consent form sets out how the photograph will be processed (The ‘Activities’) and how it will be used (The ‘Purpose’).

In the ‘Purpose’ field, list all the ways in which you plan to use the image - be as specific as possible (e.g. departmental annual review, alumni magazine).

If you gain someone’s consent for their image to be used in one way, you cannot then use it for another purpose.

You must keep copies of consent forms – either digitally or in hard copy – so you can prove that you have gained consent.

Copies of consent forms should be stored alongside the images for as long as the images are retained. This should be documented in a retention schedule.

For work-related events involving University staff, you can use legitimate interests as the lawful basis for processing rather than consent.

This is based on the fact that work-related photographs are included in the University’s Staff Privacy Policy, and staff would reasonably expect work-related photos to be taken of them.

This means you don’t need to ask individuals to sign consent forms.

However, it is good practice to have perimeter notices clearly visible at events and to respect the wishes of staff who don’t want to be photographed.

This applies only to work-related events, not to social events - even if they take place on University property.

Consent is required for photographing students.

You must ask students to complete a consent form each time their photograph is taken – you cannot rely on blanket consent covering the duration of their course.

There may be limited specific exceptions to this where there is an alternative legal basis for processing, such as the filming of graduation ceremonies (which is done on the basis of legitimate interests). If you think an exception may apply in a particular case, please seek further advice from:

information.compliance@admin.ox.ac.uk

External photographers are data processors acting on our instructions.

They must be made aware of the University’s procedures for gaining consent and their obligations as a data processor.

There is a University photography agreement template in the toolkit. This assigns an exclusive licence to the University for the images, but allows the photographer to retain copyright.

Ensure you brief your photographer about the need for consent, and provide them with copies of the consent form.

If you don’t have consent, you can’t use the photos (even if you’ve paid for them…).

Brief your photographer carefully about what shots you require (e.g. do you need close-ups or will shots with people in the background suffice?)

Consider whether you need a photographer at an event. If you require close-up shots for promotional purposes, it may be better to commission a separate photoshoot instead.

Staff and students who are taking photos for University use must gain written consent.

Photographs taken on personal equipment for purely personal use are exempt from the GDPR requirements. However, any images published or posted on University platforms (e.g. websites, social media channels) must have consent.

The University owns the intellectual property (IP) of photos taken by staff during the course of their employment and using University equipment.

People who have given consent can withdraw that consent at any time.

If this happens, you must stop using their image(s) and ensure that it is not used by other people in the University.

This means you need to know where these images are and who has access to them.

Store your images and consent forms in such a way that you can track down relevant images if necessary.

Don't keep more data than you need

Select a small number of photos that you intend to use and delete the rest

Have a clear retention policy in place for your photographs, and be diligent about adhering to it and clearing out photos on a regular basis

Delete all the photos at the end of the retention period

Ensure you store your photos securely (do not use Flickr)

Store the consent forms in a locked drawer, or on a University database or network drive with restricted access

If you intend to share your photos with another party, you must have an agreement in place which addresses data protection

Data sharing may already be covered within an existing agreement with the other party

In cases where it is not, a data-sharing agreement template is available in the Photography Toolkit

The University has overarching data-sharing agreements in place with the colleges

If you intend to share photos with another party, you must include details on the consent form

It is the responsibility of the uploader to obtain all necessary consents for images.

You must have consent if you are uploading images to a University social media platform.

Please do exercise caution in retweeting or sharing anything that contains personal data as the University is reliant on the uploader having the necessary consent.

Permission for sharing someone else’s content:

  • Permission is not required to retweet a post on Twitter containing images. This is because, in Twitter’s terms of use, the uploader grants a licence to any Twitter user to retweet content.
  • Permission is required to share someone else’s post on Instagram. This is because the licence is personal to the uploader and does not extend to other users.

Advise people in the joining instructions that a photographer will be present

Have consent forms available at the venue, together with perimeter notices

A5 consent forms are available for events – use them alongside a data privacy notice at registration (available to download from the photography toolkit)

Consider having a photography-free area

Consider using different coloured name badges or lanyards for people who have agreed to have their photo taken

For talks or panel discussions, ensure you gain consent to photograph the speakers

You can find associated resources in the GDPR and Photography Toolkit.

Contact us

Email: information.compliance@admin.ox.ac.uk