Search Hill Dickinson

Schools issued formal reprimand by ICO

Details

The Information Commissioner’s Office (ICO) has announced that is has issued reprimands to two separate schools over their processing of children’s photographs. The decision puts into context the importance of ensuring that schools comply with data protection law, particularly around the use of images and children’s personal data.

The first reprimand was issued to a primary school in Humberside. The parents of the pupil concerned had stated on the consent form used by the school that images taken were not to be used ‘outside of school’. A class photograph was taken and a proof sent home for parents to consider. A complaint was raised to the school in response to which it took steps to address the matter and believed the parents were satisfied. The issue raised was that the proof sent home was in the parents view ‘outside of school’. A complaint was made to the ICO about the use of the image that the parents asserted raised safeguarding issues.

In its letter to the school the ICO found that it had failed to implement an appropriate procedure for the handling of pupils’ images. Furthermore, the school had failed to consider reporting the matter to the ICO as a personal data breach. It was critical that the processing had not been lawful in view of the absence of consent and the system in place at the time of the breach did not meet the security principle under Article 5(1)(f) GDPR.

The reprimand was issued for infringing the GDPR’s principles on lawfulness and security, along with failing to implement organisational measures across the school which meant that compliance with the accountability requirement could not be demonstrated.

The school has been ordered to review its policies and procedures around the use of children’s photographs, which should include guidance on the practical application of the procedure to prevent inappropriate disclosures. In addition, all staff and governors have to receive training on the requirements and obligations under the GDPR. Finally, all policies and procedures put in place had to be enforced and reiterated to staff who are to sign a disclosure that they have read and understood the policies/procedures.

The second reprimand has been issued to a primary school in Cheshire. The school shared a class photograph with the local media. This was despite parents of two pupils refusing to give consent for the image to be used in such a way. The parents raised a complaint with the chair of governors and the ICO.

The determination follows much of the same considerations as set out in the first case above. Here, the school had advised the ICO on investigation that it had not determined there to be a reportable breach in these circumstances. However, a new system has been introduced to double-check the parental permissions before images are shared with the media.

The ICO found that the principles under Article 5 GDPR had been infringe as it had in the previous case. In particular, it failed to implement an appropriate procedure for the handling of pupils’ images and had failed to report the breach to its Data Protection Officer (‘DPO’) or the ICO. It is understood that the school did not report the matter to the DPO until some three months after the event when the complaint to the Chair of Governors was being dealt with.

The reprimand was issued for processing which infringed the GDPR in respect of failing to follow the principles under Article 5 on lawfulness, security and accountability. The ICO ordered that a data audit as recommended by the school’s DPO was to be undertaken and its recommendations implemented. Furthermore, the ICO required training records to be up to date, for the school to promote awareness on a regular basis with staff and to enforce its policies and procedures.

These cases serve as a useful reminder of school’s compliance obligations and the risks associated with processing children’s images on the basis of consent. It is important to actively keep data protection on the agenda. Amendments to policies and procedures should follow to make them compliant and also accessible to staff. The risk that materialised in both cases was a lack of awareness and failure of a system put in place by the schools of their own design. Lesson should be learnt and systems revisited.

DPOs must also be allowed to provide an advisory function and not treated as an afterthought. They serve a role akin to a designated safeguarding lead and should factor into any consideration around personal data breaches and compliance issues.

Education

Funding issues, changing government policies and competition all create challenges for the education sector. Universities, schools, local authorities and educational charities are facing new challenges. You can rely on a solutions-oriented approach for complex situations such as changing status, acquiring a new campus or disputes.

For everyday matters, such as commercial contracts, risk management and human resource issues, our specialist sector knowledge will give you pragmatic commercially-based advice. We aim to deliver added-value solutions that can save you time, minimise your financial risk and protect and enhance your reputation.