I see: oh! - snap away this Christmas - ho ho ho!

News

08 December, 2010

The previously quiet world of data protection has been making the news. The Information Commissioner's Office, the government body responsible for data privacy rights, has this week clarified that the law does not prevent family and friends from taking pictures of their loved ones inside school grounds.

Guidance published by the ICO on the issue of taking photographs in educational establishments states that the Data Protection Act does apply to photographs or videos taken by the school themselves for official use (e.g. for ID passes or school prospectuses) which is only permissible if the child's parents have given permission or are aware that the photo is to be taken. When it comes to the family and friends taking pictures however this is not a breach of the Data Protection Act and claims that suggest otherwise are wrong.

Christopher Graham, Head of the ICO comments, "Having a child perform at a school play or a festive concert is a very proud moment for parents and is understandably a memory that many want to capture on camera. It is disappointing to hear that the myth that such photos are forbidden by the Data Protection Act still prevails in some schools… photographs simply taken for a family album are exempt from data protection laws… and parents should feel free to snap away this Christmas and stand ready to challenge any schools or councils that say 'Bah, Humbug' to a bit of festive fun."

This advice comes after a year which has seen the ICO send out a clear message to the public that it takes its protective role of individual's data privacy rights seriously and is willing to issue fines where appropriate, as shown by the body's recent decision to fine Hertfordshire County Council a staggering £100,000 and employment services organisation A4e £60,000 for serious breaches of the Data Protection Act.

In June 2010, Hertfordshire County Council on two separate occasions misdirected a fax to the wrong recipient. The first fax containing highly sensitive information in relation to a child sex abuse case was accidentally sent to a member of the public, where as the second fax, sent just two weeks later, contained information relating to child care proceedings. The commission found that the second breach clearly showed that the council had failed to take sufficient steps to reduce the likelihood of another breach occurring after its first breach. It was said that both breaches were capable of causing substantial damage and distress and accordingly a fine of £100,000 was deemed appropriate.

At a similar time, private limited company A4e reported to the ICO the theft of a company laptop containing unencrypted personal information relating to over 24,000 people who had used legal advice centres in Hull and Leicester. Once again the commission emphasised that the access to thousands of people's personal data was very capable of causing substantial distress and could quite easily have been avoided by simply encrypting the information. A fine of £60,000 was deemed necessary.

The ICO in issuing the penalties stated, "These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."

Daniel Milnes of Forbes Solicitors comments, "This is the first example of the ICO using its newly enhanced powers to enforce Data Protection legislation. Organisations should be wary that the previously friendly ICO has now grown sharp teeth and is obviously willing to use them where breaches are deliberate, involve the ignoring of a risk or can potentially cause real distress. If any lessons can be taken from the example cases it is that first and foremost organisations should review the risks they are facing and should ensure that all sensitive information on both laptops and mobile phones is encrypted. Staff should also be made aware of the special care which needs to be taken when handling personal details of individuals. On a less serious note, I for one will be heading to my daughter's festive concert with my camera at the ready."

Back

Make an enquiry