That’s a good point - I’m tempted to say that I can’t imagine ICO doing anything about it, but that’s cheating. Strictly for the purposes of a non-EU transfer which publication on the internet would represent, I can’t see that any of the other justifications would be likely to apply. -- Tim Turner www.2040training.co.uk From: Data Protection <[log in to unmask]> <[log in to unmask]> Reply: Data Protection <[log in to unmask]> <[log in to unmask]> Date: 28 September 2018 at 17:04:27 To: [log in to unmask] <[log in to unmask]> <[log in to unmask]> Subject: [data-protection] FW: [data-protection] FW: Filming Photography of Students during Sporting Event As many photographs are destined to end up on a website would consent not be necessary to the enable transferring of personal data outside the EU in the absence of an adequacy decision or other appropriate safeguards? This is the basis on which I have been assuming that consent will normally be required for photographs. Regards Fiona Wheater Governance and Information Compliance Manager University of Stirling *From:* This list is for those interested in Data Protection issues [mailto: [log in to unmask]] *On Behalf Of *Tim Turner *Sent:* 27 September 2018 12:44 *To:* [log in to unmask] *Subject:* Re: [data-protection] FW: Filming Photography of Students during Sporting Event I think it’s a mistake to assume that consent is required. An organisation can adopt that as a policy, but it isn’t required. Care needs to be taken when using personal data about young people, but equally, there is nothing in the GDPR that says that photographing public events or publishing identifiable data requires consent to be obtained. This kind of misinformation is why Data Protection has historically had such a bad name. If an organisation decides never to identify people in images without their consent, they should explain that this is their policy, and not claim that is a requirement of the GDPR. As Robert Scott sets out in his reply, a legitimate interests assessment can be an appropriate alternative to consent in many circumstances. Tim Turner www.2040training.co.uk From: Steve Forecast <[log in to unmask]> <[log in to unmask]> Reply: Steve Forecast <[log in to unmask]> <[log in to unmask]> Date: 27 September 2018 at 12:38:06 To: [log in to unmask] <[log in to unmask]> <[log in to unmask]> Subject: Re: [data-protection] FW: Filming Photography of Students during Sporting Event Should it also be stated somewhere that no one will be identified in a photo unless their agreement has bene obtained, i.e. no names? *From:* This list is for those interested in Data Protection issues < [log in to unmask]> *On Behalf Of *Scott, Robert J *Sent:* 27 September 2018 09:22 *To:* [log in to unmask] *Subject:* Re: [data-protection] FW: Filming Photography of Students during Sporting Event Morning I would not try and limit yourself. Consider a layered approach and instead of consent, utilise legitimate interest with different measures to show a balanced approach which will be evidenced in the LIA. Based on your initial options: 1. Put up notices at the location which state photographs will/are being taken, explaining why and provide possible alternatives for individuals to avoid having their photo taken. Also state that if a photo is taken which they did not intend to be a part of then to speak to the photographer and it will be deleted. 2. Notify the competing institutions so that it can be disseminated to their players and objections raised before the event and mitigating actions put in place 3. Ensure the photographer adheres to requests for deletion and is clearly visible in cases where parents may laso be present taking photos The only times I would use consent would be where/if the photo could be seen as potentially having an effect on the data subject or where they could be deemed more ‘vulnerable’ or if the setting is such that assumptions could lead to other personal data being identified. An example of this could be if photos were taken in a medical setting and could hint at potential health data etc. then consent must always be obtained though clearly this is not the intention here The ICO guidance has always been suitably lacking regarding photos though whilst referring to the DPA 98 there is no mention of strict consent only mention of a common sense approach ‘can I take a photo?’ coupled with clear transparency. https://ico.org.uk/media/for-organisations/documents/1136/taking_photos.pdf Kind regards Robert J Scott Data Protection Officer Central Secretariat Imperial College London South Kensington Campus Level 4 Faculty Building London, SW7 2AZ Tel: +44(0) 20 7594 3502 Email: [log in to unmask] www.imperial.ac.uk/data-aware *From:* This list is for those interested in Data Protection issues [ mailto:[log in to unmask] <[log in to unmask]>] *On Behalf Of *Jon Baines *Sent:* 27 September 2018 09:16 *To:* [log in to unmask] *Subject:* Re: [data-protection] FW: Filming Photography of Students during Sporting Event Why do you need consent? I’m not saying you definitely don’t, but a legitimate interests assessment might result in an alternative approach. Jon Baines, Chair, NADPO On 27 Sep 2018, at 08:07, Clayton, Debbie <[log in to unmask]> wrote: Good Morning, Is anyone able to advise on this please as I can find no clear guidelines. As a Land-based and Sports College, our students compete in many league matches and tournaments which are photographed/filmed for social media and marketing purposes. Many of these photographs will include one or more of our own students but with an opponent in close proximity, on a basketball court for example. We have obtained the appropriate consents from our own students but are we now unable to publish any such photographs, do we require explicit consent from each individual against whom we are competing or is there something that I haven’t considered. Presumably, the Colleges against who we are competing will be using photographs containing similar images of our students. Kind regards, Debbie ------------------------------ ------------------------------ The University achieved an overall 5 stars in the QS World University Rankings 2018 The University of Stirling is a charity registered in Scotland, number SC 011159. ------------------------------ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format): - Leaving this list: send *leave data-protection* to [log in to unmask] <[log in to unmask]&BODY=LEAVE data-protection> - Suspending emails from all JISCMail lists: send *SET * NOMAIL* to [log in to unmask] <[log in to unmask]&BODY=SET * NOMAIL> - To receive emails from this list in text format: send *SET data-protection NOHTML* to [log in to unmask] <[log in to unmask]&BODY=SET data-protection NOHTML> - To receive emails from this list in HTML format: send *SET data-protection HTML* to [log in to unmask] <[log in to unmask]&BODY=SET data-protection HTML> All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the *body* of an otherwise blank email to [log in to unmask] Any queries about sending or receiving messages please send to the list owner [log in to unmask] <[log in to unmask]> (Please send all commands to [log in to unmask] <[log in to unmask]> not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline) ------------------------------ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html Any queries about sending or receiving messages please send to the list owner [log in to unmask] Full help Desk - please email [log in to unmask] describing your needs To receive these emails in HTML format send the command: SET data-protection HTML to [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^