Photos and images of individuals taken for University Business may be classified as personal data and are therefore regulated by the Data Protection Act 1998. If the image can be used to identify someone and tell you something about them it is likely that the Information Commissioner will consider it to be personal data. The following examples will help to identify the things that you need to consider:
Photos of specific individuals/groups
Where a photo is clearly of an individual or group of individuals who are the focus of the image this is treated as personal data and consent is required to use the image. Although the Data Protection Act does not specify that consent should be in written format it is strongly recommended that you obtain written consent so that you can keep a copy of the agreement for future reference. It is important to ensure that individuals are informed that you represent the University and that they understand what the images will be used for, where they will be displayed and who will have access to them. If the photos are to be placed on a website, this too must also be communicated to the individuals. See the University of East Anglia's Model Release Form.
Photos where individuals inadvertently appear in the background
It will not, normally, be necessary to obtain the specific permission of all students who appear incidentally in the background of publicity shots where they are clearly not the focus of the image, eg Congregation and general campus photographs.
Photos of large crowds/events
Where images of crowds are being taken with no person(s) being the focal point of the image it may not be possible to obtain the consent of every individual rather it is good practice to ensure that there are clear signs around the venue indicating that publicity photos are being taken. For example, if you are taking a photo of a seminar group, this should be announced in advance so that individuals may leave the room briefly if they do not wish to appear in the photographs.
For further guidance, please contact the University's Data Protection Officer, Dave Palmer.
See too a newly revised guide to privacy notices produced by the Information Commissioner's Office.