Best Practice Update

    You are here:  
  1. Home
  2. Best Practice Update
  3. Sharing photos on World Book Day: Privacy considerations
Students and teachers sharing photos of World Book Day costumes, celebrating reading in school.
Best Practice Updates

Sharing photos on World Book Day: Privacy considerations

📸✅ It's World Book Day on the 5th March when most schools will be celebrating reading and capturing photos of staff and students in their costumes.   Given this is one of many significant photographic events in the calendar, we thought it was a good opportunity to remind everyone of photo and video best practice so there are no data protection slip ups.

Many schools have some great systems in place, however, procedures are only as good as their implementation, so ensure everyone involved knows what they should be doing!  


📸Capture the Magic, Maintain the Safety: A World Book Day Guide

Even the best policies are only effective if they are followed in the moment. Here's an essential checklist for keeping student data safe while celebrating.


📋Step 1: Check Consent 

    Before any photos are taken, ensure you have the right consent:

  • Targeted Consent: verify that consent is up to date and covers the specific platform you intend to publish to. For example you cannot ask for consent to publish to the school website and then also publish to Facebook without specific consent. You may need a special form for World Book Day to cover this. Remember the GDPR Principle: data should be for a specific purpose.
  • No-Photo List: Ensure relevant staff know exactly which children cannot be photographed - publishing a photo of a child without consent cannot be undone and may pose a significant risk to the individual
  • Resources to help you:

           🔗 Photos and video Best Practice

            🔗 Social Media & Marketing Best Practice

           🔗 Best Practice for Managing Photos and Video Article

           🔗 Photo and Video Policy - and release 

📸Step 2: Devices & Storage

  • School hardware only: only allow photos to be taken on school devices. Remember the GDPR Principle: Confidentiality & accountability.
  • Lock it down: ensure every device is either PIN or biometric protected. Remember the GDPR Principle: Confidentiality
  • Physical Storage: ensure devices are locked away when not in use.  Who has access to your office/room when you are not there? Remember the GDPR Principle: Confidentiality.
  • Records Management: ensure there is a safe area on the network or cloud to save the photos with a clear procedure for removal from both the device and online.  Remember the GDPR Principle: Data limitation.
  • Resources to help you:
      
        🔗  DfE Laptop, Desktop & Tablet 

            🔗 Why Physical and Data Security Must Go Hand in Hand

🌐Step 3: Smart Sharing

Once the photos have been taken, the 'sharing' phase is where most risks occur.

  • Background Check: scan the background of any photos for sensitive information on wall display or non-photograph children. Remember the GDPR Principle: Confidentiality.
  • Disposal: printed photos should be treated as confidential waste - if they are no longer needed then shred them. Remember the GDPR Principle: Confidentiality.  Confidential data does not stop being confidential data just because you no longer need it. Do not leave photos on printers.
  • Platform Specifics: double check consent. Just because consent was agreed for your website doesn't mean they've agreed to a public Facebook post. Remember GDPR Principle: Confidentiality and Accountability.
  • Resources to help you:


         🔗  Managing Confidential Waste

         🔗  Social Media Best Practice

         🔗 Safeguarding Smiles & Social Media!

🕑Step 4: Records Management & Retention

 Don't let photos sit on devices or the cloud indefinitely:

  • Clean up Schedule: have a procedure to regularly remove photos from devices and network drives assigned to a specific person - ensure someone oversees this rather than relying on individuals through implication. Remember GDPR Principle: Purpose Limitation.
  • Online Audits: regularly review what is on your website and social media platforms and remove inline with your retention policy. Remember GDPR Principle: Purpose Limitation.
  • Resources to help you:

            🔗   Records Management Best Practice

            🔗   Acceptable Use Best Practice


🚨Step 5: Mitigation Plan

If a photo is accidentally shared or a device goes missing, it's important to have a plan:

  • Reporting: ensure everyone knows how to report a data breach with their DPO.  DPE customers should email This email address is being protected from spambots. You need JavaScript enabled to view it. or log a data breach on the Knowledge Bank. Remember the GDPR Principle: Accountability.
  • Communicate: check with the DSL as to whether the data breach includes a safeguarding concern to help ascertain any risks to the individual.
  • Resources to help you:
      
        🔗 Data Breaches Best Practice


             🔗 Contact the DPO: 📧This email address is being protected from spambots. You need JavaScript enabled to view it. 

Ready for a compliance check?

Consider completing our Photos and Videos Checklists.  Checklists provide a clear, organised and structured way to track compliance:

©2025 Data Protection Education Ltd.

Search