Ask the Privacy Expert
Readers are encouraged to submit their questions to
We will tap the expertise
of IAPP members to answer your questions.
A reader last month submitted the following question to Ask the Privacy Expert:
Q Do any global privacy laws cover the use of employee photographs for use such as security badges, organizational charts, organizational announcements, internal media or internal Web sites? Are employee photographs universally considered "sensitive personal data" or simply "personal data," given that one may be able to deduce national origin, race, gender, and even potentially disability from a photograph?
A In general, global (non-U.S.) privacy and data protection laws are often "omnibus" laws that apply broadly whenever a company collects, uses, stores, or discloses any information about an identified or identifiable individual, including employees (personal data). As a result, employee photographs will often be regulated as "personal data" under many such laws, and will attract data protection obligations to (i) Provide affected employees with a proper notice about the intended purposes of use and the like, (ii) Maintain reasonable security measures to protect the data, (iii) Update registrations with data protection authorities to reflect the use of the data, (iv) Ensure adequate protection for international transfers of the data, and (v) Address other requirements. A more difficult question is whether employee photographs would be "sensitive" personal data entitled to heightened protections (i.e., express consent requirements), particularly if the photographs reveal national origin, race, disabilities, etc.
We raised this question with several of our privacy practitioners in jurisdictions around the world, and have summarized their responses below. As is evident, the answers vary depending on the specifics of the local laws, as well as the intended purposes of use of the photographs and other factors. Naturally, with any good data protection or privacy question, the responses reveal that the other applicable legal requirements - beyond privacy and data protection - will bear on the question as the company works its way toward finding an appropriate regulatory solution to its planned activities with employee photographs.
The Argentine Data Protection Law defines personal data as any information related to natural persons or legal entities. It could be argued therefore that personal data includes "photographs," and when such photographs disclose information about race or ethnic origin, or health or disability information, such data arguably may constitute "private data," which would be subject to heightened restrictions under the law. The company therefore may need to obtain consent from affected employees, and indeed may wish to consider taking steps to avoid capturing or using employee photographs that reveal such private data. The Argentine Civil Code provides protection against arbitrary interference with the private life of others or publishing images that harm others' customs or feelings. An employee could therefore seek redress under these statutory protections or the data protection law to the extent the employee considers that he or she is adversely affected by a photograph that is published to a wide audience through a company's Web site, intranet, newsletter or in a press release or announcement.
In Belgium, an employee photograph would constitute personal data. To the extent the photograph reveals race or ethnic origin, health or disabilities, or the like, such a photograph would likely be considered "indirectly sensitive" personal data. In other words, employee photographs may not rise to the level of "sensitive" personal data as long as the purpose of processing is not related to the potentially sensitive character of the data. For instance, if the purpose for processing the photographs is ethnic screening, those photographs would be considered sensitive personal data, and will require express consent or may be entirely prohibited. In contrast, the processing of such photographs will not be considered as processing of sensitive data if they are processed for necessary work-related identification purposes.
Under the French Data Privacy Law, "personal data" is defined to include any information relating to an identified or identifiable natural person (data subject). Such definition is broad enough to cover individual photographs and images that allow directly or indirectly the identification of a natural person. As early as 1994, the French Data Protection Authority (the CNIL) indicated that images captured by a video camera in a monitoring system should be regarded as personal data. In 2005, the CNIL again confirmed that: (i) Individual images are protected by the fundamental rights to privacy and article 9 of the French Civil Code and (ii) They constitute also personal data as they allow the identification of a natural person. The CNIL also noted that photographs may not necessarily constitute "sensitive" personal data. However, as mentioned by others, if the photographs are used by the company for the purpose of identifying an individual's race or ethnic origin, or the like, it would be possible to argue that such photographs do indeed constitute "sensitive" personal data that attract express consent requirements if not entire prohibitions on processing.
In Germany, employee photographs generally constitute "personal data" that falls within the scope of the German Data Protection Act. Such photographs also generally will constitute "sensitive" personal data where the race or health (i.e., disabilities) of a person can be discerned, and therefore such processing may attract an express consent requirement. In addition, to the extent the photographs will be published internally to a wide audience (i.e., through organizational charts, company announcements, or internal Web sites) such publication is likely to also fall under the German Act on Artistic Works. This act generally requires the consent of the person prior to publishing his or her photograph.
The Italian data protection authority recently issued guidelines on the processing of employee personal data, and expressly mentioned photographs as one form of "personal data" that a company would process about its employees. In general, a company only will be able to use and disclose such photographs internally without consent where the company can justify such processing as necessary for the performance of obligations resulting from the employment contract. If the photographs are to be published externally to customers or third parties, consent generally will be required. When photographs disclose race, ethnic origin, or health or disabilities, they qualify as "sensitive" personal data, and will attract an express consent requirement in any case.
In Spain, employee photographs are considered personal data because they are related to identified employees. The Spanish Data Protection Agency has yet to address the issue of whether photographs are sensitive personal data. In general, an argument can be made that photographs should not be considered "sensitive" personal data (even if they reveal race, ethnic origin, and the like) so long as the photographs are not used for the purpose of identifying or processing such "sensitive" personal data, but rather for customer human resources and organizational security purposes. If the employee photographs are used beyond what is necessary for the employment relationship, or if the posting of the employee photographs can be regarded as an international transfer of data, then the employees' consent may be required.
In the United Kingdom, the courts have determined that photographs and images of people are capable of being personal data (Durant v Financial Services). In particular, where the name and image of a person are linked - or are capable of being linked - then the person can be identified and the image should be regarded as personal data under the UK Data Protection Act (1988). The Information Commissioner's Office (ICO) has taken a pragmatic approach on the issue of whether photographs are "sensitive" personal data by saying that while an image might indeed constitute sensitive personal data, the depiction of someone's skin color is not a clear indication of ethnicity and should not, by itself, be regarded as sensitive personal data. However, if an employer has other data about an employee, which coupled with the photo of the employee could confirm the sensitive information depicted by the image then, in theory, both sets of data should be treated as sensitive personal data. In practice, though, (and until the courts provide a clear ruling on this point), employers who do not treat photos as sensitive personal data can take some comfort from the ICO's practical view.
This response represents the personal opinion of our experts (and not that of their employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.