Are photos personal data?

Today, companies use images for everything from internal documentation to marketing. It is therefore crucial for businesses to understand whether images are considered personal data and, if so, what implications this has for data protection. The UK-GDPR imposes strict requirements for protecting personal information, and any violation of these rules can have serious consequences for a business.

This guide explores whether images are regarded as sensitive personal data and how companies should manage images to remain compliant.

You may have wondered if photos are personal data under UK-GDPR. The short answer is, yes. Photographs of living people, that can be used to identify them, are personal data.

Under UK-GDPR, personal data refers to all information that relates to an identified or identifiable living individual. Pieces of information that can lead to the identification of someone when collected together also count as personal data.

Certainly, many images and videos can fall into this category. For example:

• Employee photos and IDs, particularly if the photographs reveal the person’s national origin, race, disabilities, etc.
• CCTV footage of people where they can be identified. Performing this type of surveillance might require a Data Protection Impact assessment (DPIA).
• High-resolution videos of people’s faces that could be used for facial recognition count as biometric data. These are special category or sensitive data under the UK-GDPR.
• A photo of someone along with its metadata. This can show a person’s location, GPS location, and more. It could be used to track someone down or incriminate them in court.
• Images of photo IDs combine a facial image with sensitive ID numbers + and other personal data. This could harm someone if it falls into the wrong hands.

Photographs taken purely for personal use are exempt from GDPR. However, companies and organizations that use a person’s photo must secure the right to use photos whenever they are used in a context where individuals can be identified or when they are used commercially. The right to use a photo involves both legal and ethical aspects, requiring consent from the individuals appearing in the image.

By proactively securing these rights in advance, you can avoid potential legal issues and show respect for those featured in the photos. A good approach is to develop a standard consent process that can be consistently applied across all relevant activities and situations where images are collected and used.

When collecting photos, it is essential to obtain explicit consent, especially when the images can identify individuals. According to GDPR, consent must be voluntary, specific, informed, and unambiguous. This means the person must clearly understand the intended use of their image and have the option to withdraw consent.

A good practice is to prepare a written consent form that outlines the purpose of the image, how long it will be used, and how it will be stored. Such a form can be provided at events, photoshoots, or as part of employee agreements. Storing consents digitally can also be helpful for easy access and management.

Using customer photos can be an effective way to build credibility and engagement, but it requires extra care. Customers may feel their privacy is compromised if their images are used without permission, especially in advertising and marketing contexts. The best practice is always to ask for written consent from customers and specify how and where the photos will be used.

To streamline the process, you can create a standard consent form, which can be presented during customer onboarding in your CRM, at events, or in other situations where you collect customer photos. You should also inform customers that they can request the removal of their photos at any time.

Photos of children require extra care and protection, as children are considered under GDPR to need special safeguards for their data. This means that consent must always be obtained from parents or guardians before using photos of children, especially when they can be identified. Additionally, it is important to consider whether it is necessary and appropriate to publish images of children in public or commercial contexts.

When publishing images of children, for instance, in school reports or at events, it can be beneficial to use photos where the children are not recognizable—either by taking photos from behind or by blurring faces. This provides a degree of anonymity and further protects the children.

These guidelines can help your organisation comply with the law and establish a safe and ethically responsible use of images.

Under UK-GDPR, British citizens can ask you to delete their personal data, including photos, in many cases. For example:

• If the data you collected about them is no longer relevant to the reason it was collected and contains sensitive personal information or if such information is outdated.
• If the person withdraws their consent for you to use their data (and you have no other legal basis for collecting it).
• If the person objects to you collecting data for direct marketing purposes.
• If the individual’s data was unlawfully processed or considered sensitive data.
• If deleting the data is legally required.
• If the data belongs to a child.

In all of these cases, you must erase the person’s data and images as soon as possible. Respond to the person with confirmation that you have deleted their photos and other personal data within 30 days.

People can also ask for information about the data you store, including photos. They can ask you to forward their data to third parties, restrict your use of it, and more. Read more about data rights here.

To ensure that you handle sensitive image content in compliance with the UK-GDPR, I recommend establishing an effective workflow for managing images. This involves not only storing them but also documenting who has given consent and the scope of that consent. Here are some practical steps for organising and managing your images:

• Create an Image Database: A central, secure database can help you keep track of all images and associated consents. Ensure the database includes metadata, such as date, purpose, and consent information.
• Determine Storage Duration: Consider how long the images remain relevant and update your database with an expiration date for when images should be deleted. For example, you can set a deletion policy where images are automatically removed after a certain period unless renewed consent is given.
• Track Consents and Permissions: Note which images require consent and document all permissions obtained. For each person in the image, record whether they have given consent and the specific usage approved. This makes it easy to retrieve information if someone wishes to withdraw their consent.
• Access Control and Protection: Ensure that only relevant staff have access to the database, and that images are protected against unauthorised use. Consider using password protection and encryption to safeguard images from unauthorised access.
• Review and Update Regularly: Regularly review your image files and ensure consents remain valid. If a person whose image has been used withdraws their consent, you should be able to locate and remove the image quickly and effectively.

This task naturally requires time. The first step should be to identify the sensitive images you currently hold.

You cannot search for privacy terms in an image in the same way as you can with text. It is therefore complicated to detect sensitive information in images. Having said this, you can use a Data Discovery tool with an integrated image scanner. This means that you do not have to look through all the images manually.

In Safe Online, we have developed the Data Discovery tool DataMapper, which can precisely identify sensitive expressions depicted in images. This could be, for example, in pictures of:

• Passport
• Driver’s license
• National Insurance Number Card/Social security card
• Tax information papers
• Patient records
• And much more…