Does insisting on a staff photo risk violating GDPR and the Human Rights Act?


Q: I have just introduced a new HR system that has a space for employees’ pictures. While most are happy to have their photo taken, there are a couple who refuse. Can I insist, and if they still refuse, can I take them down the disciplinary route?

A: An act as simple as using employees’ photographs, even for purely legitimate reasons, triggers rights and obligations under data protection legislation. It even reaches as far as the Human Rights Act 1998.

A photo would be classed as ‘personal data’. You are also obliged to gain the employee’s consent if you wish to use the photo for any reason. If you went on to use it without having gained consent, you would be breaching data protection legislation.

You may also be breaching the employee’s right to a private life under the Human Rights Act, unless you gain their specific permission. For these reasons, it is advisable to obtain employees’ express consent by having them sign a document that explains what their photograph will be used for and that gives you permission to use it for those specific purposes and no other, unless further consent is gained.

Although using a photograph in this way may seem harmless, an employee may have reasons for not wanting to grant permission that reach further than simple shyness.

If the photograph is merely for internal use to aid communication processes, there would appear to be no great ramifications if there is none present. Instigating disciplinary action as a result would therefore likely appear heavy-handed, particularly because the employee has the right to withhold their permission.

What does an employer do under GDPR?

Jane Crosby, partner at Hart Brown Solicitors, goes into more detail about the implications of taking employee photos post-GDPR. 

If individual employees can be identified directly from their website image, or identified by using the image in conjunction with other available information on the website, then the image will be classed as personal data.

This means the employer’s processing of the image will be governed by GDPR and the image needs to be processed in accordance with its principles.

It is important to understand how the employer is using the data. It could be that they are general shots of employees and not being distributed to the public, so there may be a difference between a photo that identifies the individual and an anonymous photo used for marketing purposes.

When the photos are identifiable, this could reveal something about someone’s health, disability or racial origin, and this could be seen as sensitive personal data.

A lot of it depends on what the employee photo is being used for

Images which amount to personal data need to be processed lawfully, fairly and transparently.

Use of employee images to generate general employee engagement within the workplace or to promote the business externally to customers could be a way of establishing the lawful basis of using the photos.

The employer also needs to provide fair processing information to its employees in accordance with GDPR requirements to ensure that they are aware that their personal data may be processed for such purposes.


In most cases an employee would give consent because it may be good for them to raise their profile, but in accordance with GDPR requirements for use of consent, the employee should be allowed to withdraw consent at any time and their photo needs to be removed. This could cause a problem for the employer.

In this context, it would also be necessary to look at any contract terms, policy or staff handbook to see what they say about taking photographs in this type of situation, although this does not get over the problem: a staff handbook would not give the employer the grounds to process sensitive data as lawful.
