Guidance for images (photographic and video) intended for publicity purposes

Transcription

1 Guidance for images (photographic and video) intended for publicity purposes This guidance relates to the permissions required for use of personal data in the form of photographic and video images, to ensure compliance with the Data Protection Act This guidance relates only to the use and storage of images (photographic and video) intended for publicity purposes. Separate guidance is available for imagery relating to medical imagery. Key Principles Staff and Students should never assume that taking someone s image without their consent is acceptable. Respect should be given to the wishes of the individual Publication of images should only be with the explicit informed consent of the individual. Consent should always be sought, whether taking pictures of individuals, groups or events. Are photographic and video images covered by Data Protection Legislation? Yes. The Data Protection Act 2018 / General Data Protection Regulation aims to protect every individual from misuse of their personal information. Under the terms of the Act photographs and video footage featuring pictures of people, and any consent forms which accompany them, are considered to contain personal information. Why is compliance with the Act important? The visual content (e.g. faces, uniforms, security badges, office signage), embedded data in digital images (EXIF data, geolocation data), accompanying text (e.g. captions or body copy containing names, location where a photo was taken), consent forms (e.g. address, ) all contain information that can be used inappropriately e.g. to locate and potentially harm an individual. Non-compliance with the Act also exposes the University to the risk of a fine, compensation claims, negative media coverage, reputational damage and financial loss. How do we comply? Compliance consists of the following key elements: 1) Gaining formal (informed and explicit) consent for the use of an individual s image. Guidance on this can be found at A form can be found at m.pdf 2) Ensuring appropriate processing of the individuals image and the accompanying consent including storage, security, use, re use, and deletion. 1 University of Brighton consent form can be found at

2 3) Ensuring that we can protect the data subject s rights in terms of access, rectification, objection and erasure. When is formal consent required? Individual consent is required if all the following criteria are met: - an individual is clearly identifiable and is the main visual element of the image as it will be published, either solely or as part of a group of clearly identifiable individuals. If the individual is a child (15 years or under) the consent of their parent, guardian or carer is required. - the image is to be used for anything other than personal or domestic use. Case study: A photograph is taken of the audience at an event taking place on University premises. The event is open to the general public. No pre-booking was required. The University intends to use the photograph for corporate communications, via the website and . The event is taking place in a private space, and the image is for corporate use. However, as subject of the original image is the crowd rather than any single individual no individual consent would be required. However, if the image is subsequently cropped to appear in publicity material so that one or a small number of individuals clearly become the focus then consents would be required. University of Brighton consent form can be found at NB personal or domestic use Photos taken for personal use perhaps to share on a staff member s personal facebook page or blog, would not need consent, though it is best practice to ensure the data subjects are aware of this and have the opportunity not to be photographed. If, after the event the staff member wants to use the image for University purposes a course brochure or university owned blogs or social media then consent must be sought if individuals are identifiable Gaining consent for images taken or commissioned by the University of Brighton (e.g. UoB staff or officially contracted freelance employees) Consent must be formally gained, and indicate as clearly as possible how, where and when the images will be used. Verbal consent is not sufficient. At events it is good practice to inform attendees prior to the event (on the event invite or booking information) that photographs or video are being taken at the event, describe what the photographs and video will be used for and to give the individual the option not to take part. This content should be available at the event via posters or signage. For example: This event will is being filmed and /or being photographed, the university may use any such images, films or recordings (including any copies) for documentary, promotional or other reasons without payment or credit to the attendee. If you do not wish to be filmed or photographed please let us know at xx immediately. We will seek specific 2 University of Brighton consent form can be found at

3 consent from you for any filming or photographs where individuals are specifically identifiable Any permissions granted by the individual (or parent/carer/guardian) to third party organisations will not cover images produced by and for the use of the University of Brighton. New and specific permissions will need to be gained. Case study: A party of primary school children are visiting the University. Their parents have previously signed permissions forms for their School. These permissions do not cover the creation and use of new images by the University of Brighton and new consents must therefore be gained. Consent forms should be supplied to the parents via the schools headteacher. (Remember to allow plenty of time for this, so that you get permission before you take the photographs) Ensuring consent for images supplied by third parties (e.g. images from photo libraries, other institutions) Responsibility for ensuring necessary consents were gained lies with the originator of the image. However, responsibility ultimately rests with the University of Brighton to ensure that permission was obtained. Therefore evidence of existing consent must be confirmed before any third party images are used. Verbal assurance is not sufficient. Does the Data Protection legislation relate to the initial capture of images? No. The legislation is concerned with the use and storage of images. It does not cover the initial capture of images. It is in the majority of cases not illegal to take an image of any individual (members of the armed forces, police are an exception). However, wherever possible, it is considered a mark of respect and good practice to gain an individual s approval prior to image capture. Failure to do so can not only create bad will, thereby reducing the likelihood that permission will be granted to use the images, and could be considered a breach of privacy laws and lead to civil prosecution. For similar reasons, signage should be placed at the entrance to and around the edge of the event arenas, notifying attendees that photography or filming is taking place. Individuals can then make an informed decision on whether they wish to enter the event space. When should permissions/consent be gained? Wherever possible permissions should be gained prior to image capture. This allows practical measures to be taken to accommodate those who do not wish their image to be used (e.g. colour-coded badging, seating position, scheduling of photography in breaks.) and helps ensure that resource is not wasted on capturing images for which permissions have/will not been granted. 3 University of Brighton consent form can be found at

4 Does consent expire? No, however it is good practice to inform data subjects how long you will keep their data for, in practice this means that for example, if you delete the data after 2 years, you may also delete the consent. A data subject can withdraw their consent at any time please see information later in this document. Consent relating to existing images If you do not hold or cannot provide evidence of consent for an existing image, which based on the above criteria would require them, no new use of that image should be approved. Any existing uses of the image should be removed from the public domain as soon as reasonably possible if it is not possible to ask for subjects to reconsent. Withdrawal of consent An individual can withdraw consent at any time. There is then a 21 day period during which all practical and reasonable steps must be taken to withdraw the image from the public domain, and delete any copies. If you receive a request to withdraw consent please inform the Data Protection Officer dataprotection@brighton.ac.uk - immediately, so that appropriate action can be considered, implemented and monitored. You will need to keep a record of the withdrawn consent for a period 12 months It is good practice to inform the data subject (on the consent form) what will happen to any public images if they withdraw their consent ie that it will be withdrawn from online sources, will not appear in any new promotion/publicity, but it may still appear on printed materials. When is consent not required? Under the Data Protection Act 2018 individual consent is not strictly required when an individual: - appears in an image but is not clearly identifiable (i.e. has their back to the camera) or - is not the main element of that image (e.g. a single face in a crowd of many faces) or - is attending a public event in a public space. In the case of public events, although not a legal requirement, it is considered good practice to seek individual or parental permissions if consent would otherwise normally be required e.g. an individual is clearly identifiable and is the main or key visual element of an image, either solely or as part of a group of clearly identifiable individuals. Failure to gain permissions in these cases, could be considered a breach of privacy laws and lead to civil prosecution. Use of images beyond their original use An image is personal data and must not be used for any other purpose than that for which it was originally collected E.g. it is not appropriate to use images collected for use in promotional material in an online information system. 4 University of Brighton consent form can be found at

5 Photo captions Images of any individual under 18 years old should not be accompanied by their name, either in an image caption or in main copy, unless it is appropriate (e.g. an image of a competition winner) and specific consent has been gained from their parent/guardian/carer to name them. Storage of images and consent forms Under the terms of the Data Protection Act (2018) photographs featuring people and any consent forms which accompany them are considered to be personal information and, as such, should be stored securely. Electronic images should be stored in a protected folder on a network drive with restricted access. The consent form should identify the image numbers to which it refers. It is best practice not to include a persons name in the image title. Electronic images should never be stored on any unencrypted portable equipment such as a memory card, laptop, memory stick or mobile phone. Images should be deleted from the capture device as soon as possible. Physical images (prints, negatives) and related consent forms should be stored in a locked draw. If an image file is received by , move the content into a secure area and delete the from your system, and local physical hard drive as soon as possible. Guidance on responsible and safe computing can be found at A data subject can request access to, or copies of any personal data held about them, this includes photographs or videos it is therefore important that you organize your files in a way that facilitates easy and efficient access, avoid unnecessary duplication, or sharing of files. Sharing of images Particular care must be shown when sharing images, firstly you must ensure that the sharing is secure this could be via sharing a link to the files, which are stored in a secure area, or if they have to be sent by the file must be encrypted (the University recommends Z Zip for this, see the link above for information on this). Secondly the person you are sharing with should be appropriately authorized, and have a clear understanding of the original purpose of the image, and further use is consistent with that original purpose. Data subject's rights (informed, access, rectification, erasure, restriction of processing, objection to procession, right to data portability) and the right to complain Individuals have very clear and specific rights as regards the use of their data. It is important that the University respects these rights and has the capability to fulfill them, we also have a duty to inform data subjects what these rights are and how they can exercise them. This information must be included in your consent forms further information can be found at 5 University of Brighton consent form can be found at

6 Access to images A data subject can request access to, or copies of, any personal data held about them, the University has 30 days to comply with such a requests this includes photographs or videos it is therefore important that you organise images in a way that allows for efficient access on request. A form for data subjects to complete is available at June University of Brighton consent form can be found at