Data protection requirements for school events and children

Reading Time: 3 minutes
GDPR for schools events.jpeg.crdownload


Trilateral Research

Date: 16 May 2019

Regulation (EU) 2016/679 (GDPR) has been welcomed with much excitement by privacy-concerned individuals – but it has also led to confusion in many contexts, including schools. The ambiguity around the lawfulness of the practice of taking photographs at school events has led the Irish Data Protection Commission (DPC) to publish guidance. This article summarises the requirements set out by the DPC and the takeaway messages and recommendations about capturing personal data in public spaces.

Firstly, the DPC draws a distinction between personal or household activity, and non-personal activity. It is common knowledge that the GDPR regulates the processing of personal data by individuals as well as organisations but, as one can imagine, the rules for individuals processing data in their private lives are different compared to those applicable to individuals and companies acting in their work context.

Regarding the conduct of individuals, a relatively-less-known GDPR provision is the personal or household exception, which provides that the GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (meaning, when there is no connection with a professional or commercial activity). Personal or household activities include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities (Recital 18 GDPR). Hence, individuals could take and keep photographs of their children or other individuals if this is for ‘domestic’ purposes. For example, if a parent or guardian takes a photograph of their child or another individual at a football match and keeps this photograph in a personal record, such as the family or personal album, the GDPR will not apply.

Nonetheless, the above exemption cannot be interpreted broadly. Although Recital 18 GDPR refers to social networking, the household exception was interpreted narrowly under Directive 95/46/EC. In the case C-101/01, the European Court of Justice held that uploading personal data on a personal website did not fall under said exception, even though the website pursued religious and charitable purposes and was not for profit. This was because posting the data made it accessible to an indefinite number of people. Similarly, in the most recent judgement C-345/17, the Court confirmed this narrow interpretation.

However, whenever a public or private organisation publishes on social media or traditional media photographs of children or other individuals, such as teachers and parents, full compliance with the GDPR is required. This means, among other things, that a lawful basis must be established, and the DPC seems to favour consent, even though they do not exclude the possibility to resort to other lawful bases, including legitimate interests.  In the case of children’s consent, consent should be obtained from parents or guardians, although in some cases a child could provide valid consent depending on age, context and impact of processing, the sensitivity of data, type of processing, etc. Even where the consent of parents/guardians is required, organisations should support the involvement of children in this decision-making.

Most notably, though, this guidance sheds light on whether and under which conditions children can be photographed during school events. Although the guidance focuses on the case of children at school events, it is worth bearing in mind that similar reasoning applies to any case where personal data are recorded in public spaces, including but not limited to, voice recording, photographs, and video. Moreover, similar considerations apply when a person participates in a private event attracting publicity or media exposure, such as workshops and conferences.

What is necessary to keep in mind when capturing personal data in public space is:

  • The purpose and context of data processing. If the processing takes place for personal or household purposes, then the GDPR does not apply. If the data processing is related to professional or commercial activities, then the household exception does not apply, even if the organisation is a charity or NGO.
  • The necessity to adopt adequate policies. Organisations should put in place policies and procedures to adequately record children’s data processing aspects, such as consent forms and privacy notices. Records of processing should be kept and updated to enable children to exercise their rights when they obtain the capacity to do so.
  • The vulnerability of children. Children are by definition a vulnerable category of data subjects. Specific attention should be paid to the protection of their rights and freedoms. Organisations should take this into account when conducting balancing exercises, such as Legitimate Interest Assessments and Data Protection Impact Assessments.
  • The need to keep children engaged. Even when the consent of parents/guardians is required and obtained, organisations should make an effort to involve children in this decision-making. The degree of involvement depends on the capacity of children to understand and decide. For example, organisations could draft and provide children with privacy notices tailored to the abilities and digital literacy of children.

For more information please refer to our services pages or contact our Data Governance team.

Related posts