Website Cookie Policy

We use cookies to give you the best possible online experience. If you continue, we’ll assume you are happy for your web browser to receive all cookies from our website.
See our cookie policy for more information.

Practice Areas

More Information

Leeds: 0113 244 6100

Sheffield: 0114 267 5588


Send us an enquiry

Schools warned over use of pupil photos

12 March 2020

The Information Commissioners Officer (ICO) has recently issued reprimands to two schools.

The schools which sent a class photo, in one case, to the local paper and, in the other, home to parents included the images of pupils whose parents had previously refused consent for their children's images to be shared.

On its blog, the ICO has sought to stress the lesson to be learnt by schools:

  • Photos (including videos) taken for official school use, such as on its website, in a prospectus or to be sent out to newspaper, will be covered by data protection rules;
  • Ensure that the school has robust procedures for processing any personal data.  That includes:
    • knowing what personal data you hold, where and for what lawful purpose;
    • having appropriate data protection policies and procedures;
    • ensuring that staff are trained on and understand those policies and procedures.  Keep a training record and ensure staff are regularly reminded.  Many will be handling personal data daily, including special category data (e.g. health, ethnicity);
    • reporting any breach to the school's data protection officer, and as required to the ICO, as soon as possible.
  • This shouldn't be seen as any prohibition on taking photos, including by parents at a school event for personal use

Separately the ICO has recently announced two new key services which can help schools, and others, show accountability through the development of GDPR Codes of Conduct and Certification Schemes.  Directed toward sector wide and representative organisations, rather than any individual school or academy or multi-academy trust, the schemes can demonstrate compliance and provide reassurance to parents and others. At present there are no approved Codes or accredited certification bodies for issuing GDPR certificates. Further detail is available on the ICO website.

Our article last month, GDPR in schools – ensuring best practice, highlighted the ongoing ICO audit of schools and academies.  Audit reports, and their executive summaries, have flagged various issues which all schools can look to assist with improving their own compliance.

 Wrigleys' education team have data protection experts who have already worked alongside schools and academies to assist in reviewing and updating data protection compliance and to provide general and specific training.

If you would like to discuss any aspect of this article further, please contact Nick Dunn, Sue King or any other member of the Education team on 0113 244 6100.

You can also keep up to date by following Wrigleys Education on Twitter here

The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors

Chris Billington View Biography

Chris Billington


17 Apr 2024

Independent schools’ development: policies for navigating the modern fundraising landscape

Independent schools face fundraising challenges in a tough climate. Learn best practices for compliant and effective fundraising policies.

09 Apr 2024

Charities Act 2022: new provisions introduced

What do the latest provisions mean for your charity?

09 Apr 2024

Cohousing Series: Navigating the Planning System

This article is the latest in our cohousing series following our team member as she develops her own cohousing scheme.