Picture This: Staff Privacy

With the year coming to end, many companies will be hosting year-end events to celebrate and close off the year. During these festivities, memories are often being captured in photographs. These may end up being circulated internally for employees to enjoy, posted on company LinkedIn pages or maybe even used in the company's marketing materials. However, just because these images are captured at a work event or for fun, does not mean that data privacy law does not apply.

Under the Protection of Personal Information Act, 2013 (POPIA), photos which contain information that can identify a person, are considered personal information. Photos can also inadvertently reveal special personal information of a person, such as race, ethnic origin, health and religious beliefs. When processing special personal information, responsible parties need to take extra precautions to ensure that the processing of such special personal information complies with POPIA.

When processing personal information, employers must ensure that the 8 processing conditions of POPIA are complied with. The processing of employees' personal information must be lawful; adequate, relevant and not excessive; for specified, legitimate and explicit purposes; and necessary to achieve the purposes for processing.

In the context of an employment relationship, a responsible party typically relies on certain legal grounds to justify the processing of employee information. These grounds include:

• processing that is necessary to concluding or performing a contract to which the employee (data subject) is a party; or
• processing that is required to comply with a legal obligation imposed on the responsible party.

The information processed under these grounds is essential for maintaining the employment relationship. However, photos, particularly those taken at work-related events, are not required for this purpose and an employer would not be able to rely on these grounds for processing such photos. As a result, employers would look to rely on consent and the responsible party's legitimate interests to conduct this processing activity.

If relying on consent, the employer must ensure that before taking photos consent has been obtained. Consent must be a voluntary, specific, and informed expression by the data subject. This means that pre-ticked boxes would not be acceptable, the consent must refer to the capturing and distribution of photos, and clear notices are provided. In addition, the challenge with relying on consent is that a data subject can withdraw their consent at any time, alternatively, not provide their consent at all. As such, the employer will need to implement practical measures to ensure that only individuals who have provided their consent are photographed (this can be achieved with providing non-consenting employees with colour stickers or wrist bands) and that consents are documented and managed effectively (ensuring that a record of consents, no-consent and withdrawn consents are kept).

If relying on legitimate interest, the employer will need to undertake a legitimate interest assessment ("LIA") before it processes the personal information, i.e. in advance of the event. The LIA should be documented and the findings from it will need to be reviewed and updated regularly.

Capturing memories through photos can be a wonderful way to share experiences. However, employers must ensure that taking and sharing employee photos is done lawfully and in line with data protection requirements. Failure to comply can lead to privacy breaches and reputational risks. To mitigate against these risks, responsible parties should develop and implement a policy for handling data subjects' images. The policy should cover the legal basis for processing, conducting a LIA (if required), the creation, storage, use, and deletion of photos, the notice to be provided to individuals including consent wording.

It is recommended that organisations review their data privacy policies and ensure best practices are followed when processing personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.