Taking and Using Images of Children

7 January 2020

There are a number of events throughout the Academic Year when parents will no doubt be vying for the best seats to watch their child perform, wanting to record or photograph the performance or sporting event, but unsure as to the School's policy or where the law now stands on taking and using images of children.

All schools should make it clear that they are committed to protecting and promoting the privacy and welfare of pupils. It is good practice for Schools to have a clear policy explaining the general rules regarding the taking and using of images of children so that parents, pupils and employees have the information they need to understand the position.

Parents taking images

Photographs that are taken by parents for personal use are exempt from the Data Protection Act 2018 (the DPA). Schools can allow parents to take photographs or video their child at school events such as sports days or school plays. However, it is advisable to outline a few ground rules. For example: parents may be permitted to take photos providing it does not interfere with the smooth running of the event; the images must not be inappropriate or cause embarrassment; and the image must be for personal use only.

In the world of social media, it is important to stress that if an image identifies any other pupil then it must not be published on any social media site.

It is advisable for the School to reserve the right to withdraw permission of the use of a camera/phone at future School events if the conditions stated by the School are not adhered to.

The School's processing of images

The use of pupil images is regarded as personal data and schools are therefore required to comply with the GDPR, the DPA and any relevant guidance from the Information Commissioner's Office (ICO).

A School may wish to take images of pupils for educational, promotional or marketing purposes and is permitted to process images for these purposes if it has a lawful basis to do so under the DPA. The School's policy should set out where images are likely to be used (internally and externally) and the associated risks that employees taking and processing the images need to be aware of. It would be best practice, for example: to require any images to be taken on a school device; to state that images must not be shared with family and friends of the employee taking the image; and require images to be stored on secure, password protected devices.

The School may rely on consent (either from the parents or directly from the pupil), if freely given, but it may also have other lawful grounds for processing personal data where it may be necessary to meet the School's legitimate interests such as promoting the School. If you choose to rely on consent, do make sure that your forms are GDPR compliant and expressly confirm the purpose(s) for which the image is to be taken and used. You will also need to ensure that you seek consent directly from the child, an additional consideration if the child is aged 12 and above.


If the School uses or plans to use CCTV on the School's premises, a data protection impact assessment (a DPIA) should be carried out to consider the necessity and proportionality of the processing, the risk to individuals and measures that can be put in place to address these risks.  We would advise schools to adopt a separate CCTV Policy in this regard and to also include a reference in the School's Privacy Notice to the fact that individuals on the premises may be recorded.

Additional considerations:

  • The use of automated biometric recognition systems
  • Images of employees
  • Pupils taking images
  • Security
  • Retention

How we can help

The Governing Body of the School is ultimately responsible for ensuring compliance with the GDPR. We are able to review your School's policy documentation, draft a tailored policy for your School or provide tailored Consent Forms for parents and pupils for when specific consent is needed, to ensure that you are GDPR compliant.

It is a requirement of the GDPR that personal data should only be retained for as long as necessary.  We have also developed a Schools Data Retention Schedule, specifically designed for Schools to help you determine the relevant retention periods and justifications to ensure compliance with the GDPR.

For more information or to discuss a particular issue or requirement, please contact Vicky Wilson, Debbie Ashenhurst or your usual Wilsons contact.

Back to news