What are the rules about employee photos on websites and GDPR?
Here we look at an issue that is increasingly being raised: how employee photos on websites are handled under GDPR.
You would like to create a “meet the team” section on your website which has photos of all key staff and a description of their job role.
But where do you stand on this legally when it comes to employee photos on websites and GDPR?
Under the GDPR, an image of a person, such as a still photograph, is categorised as personal data if an individual can be identified:
- Directly from the image
- Using the image in conjunction with other available information, e.g. the employee’s name and/or position is also displayed.
In either situation, the processing of the image will be governed by GDPR.
However, there’s a further issue here that needs to be taken seriously.
In addition to personal data, the GDPR carves out “special categories” of personal data.
Special category personal data is that which is more sensitive and therefore requires more protection.
Special category personal data includes information about an individual’s: health; race; ethnic origin; religion; sex life; sexual orientation; political beliefs; trade union membership; genetics; or biometrics (where used for ID purposes).
Images can reveal a person’s ethnicity, racial origin or their religious belief, e.g. because they are wearing a headscarf, turban, or crucifix.
They can also disclose information about an individual’s health, e.g. where the physical effects of a disability are evident in the image.
Whilst the point has not yet been tested by the courts, any images of employees who are either named or identifiable, such as in a “meet the team” webpage, are likely to amount to special category personal data.
In order to process this type of data, you must have an employee’s consent before you use their image.
Under the GDPR, the consent must be obtained in writing in advance and be “freely given, specific, informed and unambiguous”.
The Information Commissioner’s Office has stated that consent for GDPR purposes is not proper consent if it’s rolled up into the employment contract or staff handbook.
Therefore, if you wish to use an employee’s image in a meet the team section on your company website, you must obtain appropriate and separate consent from each employee before it can be used.
If an employee refuses, you must accept their decision.
They can also withdraw their consent to use their image at any time.