Website Cookie Policy

We use cookies to give you the best possible online experience. If you continue, we’ll assume you are happy for your web browser to receive all cookies from our website.
See our cookie policy for more information.

Practice Areas

More Information

Leeds: 0113 244 6100

Sheffield: 0114 267 5588


Send us an enquiry

Schools warned over use of pupil photos

12 March 2020

The Information Commissioners Officer (ICO) has recently issued reprimands to two schools.

The schools which sent a class photo, in one case, to the local paper and, in the other, home to parents included the images of pupils whose parents had previously refused consent for their children's images to be shared.

On its blog, the ICO has sought to stress the lesson to be learnt by schools:

  • Photos (including videos) taken for official school use, such as on its website, in a prospectus or to be sent out to newspaper, will be covered by data protection rules;
  • Ensure that the school has robust procedures for processing any personal data.  That includes:
    • knowing what personal data you hold, where and for what lawful purpose;
    • having appropriate data protection policies and procedures;
    • ensuring that staff are trained on and understand those policies and procedures.  Keep a training record and ensure staff are regularly reminded.  Many will be handling personal data daily, including special category data (e.g. health, ethnicity);
    • reporting any breach to the school's data protection officer, and as required to the ICO, as soon as possible.
  • This shouldn't be seen as any prohibition on taking photos, including by parents at a school event for personal use

Separately the ICO has recently announced two new key services which can help schools, and others, show accountability through the development of GDPR Codes of Conduct and Certification Schemes.  Directed toward sector wide and representative organisations, rather than any individual school or academy or multi-academy trust, the schemes can demonstrate compliance and provide reassurance to parents and others. At present there are no approved Codes or accredited certification bodies for issuing GDPR certificates. Further detail is available on the ICO website.

Our article last month, GDPR in schools – ensuring best practice, highlighted the ongoing ICO audit of schools and academies.  Audit reports, and their executive summaries, have flagged various issues which all schools can look to assist with improving their own compliance.

 Wrigleys' education team have data protection experts who have already worked alongside schools and academies to assist in reviewing and updating data protection compliance and to provide general and specific training.

If you would like to discuss any aspect of this article further, please contact Nick Dunn, Sue King or any other member of the Education team on 0113 244 6100.

You can also keep up to date by following Wrigleys Education on Twitter here

The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors

Chris Billington View Biography

Chris Billington


27 Nov 2023

Disabled Persons Trusts: A Guide for Parents, Carers, and Advisers

A guide to the advantages of Disabled Persons Trusts for Parents, Carers and Advisors including tax efficiency and protection of means-tested benefits

22 Nov 2023

An analysis of the case of Butler and the availability of Business property Relief in relation to a wedding events business

The recent case of Butler considers services provided by the wedding events business and whether or not these qualified for business property relief.