Am I overreacting?

TheSpiddalKid

It may not be relevant to your query but if you are working as a teacher in an environment that is regulated by Ofsted then as part of the inspection regime your employer should already have photographic ID for you and a photo of you *(this latter part maybe best practice rather than a specific requirement) on file. 

Katy43

Thank you all for your thoughtful replies.

I teach alongside other staff but we're not under Ofsted. It's a well-established company.

When I first started working for them, there was a very caring ethos but as the company has grown, this is not so much the case.

I'll need to speak to them and see what happens. I'm not confident about the outcome though.

Dakta

Try not to worry, give them a chance your concern is a valid one. 

There is (and it's already starting) but there is going to be a very big shift in culture and attitudes with regards to peoples information and how its handled, whilst its a slow thing, probably a generational thing,  it is starting to really get traction and acknowledgment how important privacy is and how important it is we look after it. 

Also, whilst you might wish to consider a compromise, and if you feel any middle ground is fair you may want to accept it, ultimately if you don't give consent then it shouldn't be shared and that's the end of the discussion. 

DullGreyGuy

twopenny said:

For a start, can they make the photos uncopiable? It used to be the norm for sites to do this but it's got very slack in recent times.

I realise that should someone have the absoloute determination to copy then they would but 99% would look elsewhere for mischief.

It's totally impossible to make it uncopiable, the crudest/least technological approach to bypass any attempt to is to load the email with the picture on your laptop or tablet, take a photo of the screen with your smart phone, you now have a copy. For those with a tiny amount of technical skill, screenshotting will get a better copy just as easily. 

For people running websites and not wanting competitors to steal their images etc and those competitors will want high quality images not just phone camera shots then you can put minor barriers in the way but it doesn't take much skill to circumvent them. Where picture quality isnt an issue, see above. 

Undervalued

DullGreyGuy said:

twopenny said:

For a start, can they make the photos uncopiable? It used to be the norm for sites to do this but it's got very slack in recent times.

I realise that should someone have the absoloute determination to copy then they would but 99% would look elsewhere for mischief.

It's totally impossible to make it uncopiable, the crudest/least technological approach to bypass any attempt to is to load the email with the picture on your laptop or tablet, take a photo of the screen with your smart phone, you now have a copy. For those with a tiny amount of technical skill, screenshotting will get a better copy just as easily. 

For people running websites and not wanting competitors to steal their images etc and those competitors will want high quality images not just phone camera shots then you can put minor barriers in the way but it doesn't take much skill to circumvent them. Where picture quality isnt an issue, see above. 

Indeed, it is like standing on the beach and telling the tide not to come in!

As others have said the employer has a legal responsibility to process any personal data they hold in accordance with the GDPR. They may well have a legitimate need for a photograph, you can only find out if they can / will relax that for your special circumstances by asking them.

Keep in mind that anybody can quite lawfully take a photograph of you in a public place, they do not need your consent. There are very few legal restrictions on what they can do with the image.

Dakta

Sorry to be a stickler but if they have taken your photo (such as for a security lanyard) they can't alter the purpose without your permission.

Just bear that in mind, because if they do have something on file already (such as for regulations etc) they can't just compile it and use it. 

technical controls will always go so far, I used to work in DLP (data loss prevention) and the ultimate heist was literally just taking a photo of a screen. All the technology in the world aint detecting or containing that. 

DullGreyGuy

Dakta said:

Sorry to be a stickler but if they have taken your photo (such as for a security lanyard) they can't alter the purpose without your permission.
 

They can if the Privacy Notice allows for it, especially if it was the one in force at the time the photo was taken. Not sure why the Pru has their Employee Privacy Notice on their public website but lets make use of it  https://www.prudentialplc.com/~/media/Files/P/Prudential-V13/content-pdf/prudential-plc-employee-privacy-notice-aug2022.pdf 

You will see a photo of you is explicitly defined as a type of personal data they will hold under the heading of identification. They then go on to say one of those uses of identification data is to communicate to you, other employees and third parties in which they include the example of customers. 

As such, they would be on fairly strong grounds to say appropriate notice has been given that photos can be given to customers 

Most employers should have something similar else they cannot share the OPs name with customers etc either. 

Dakta

Well that's the thing - in that document that are informing you of the way its been used (or at least the way it can be used), so it wouldn't be unilaterally changing the  nature of the processing in context of what has been consented after the consents been given.

Also i note that's a privacy policy (correct me if I'm wrong, I assume this is a policy for the purpose of transparency and process not a contract) i.e not consent form - so whilst other personal details are considered identification (such as your personal landline) it wouldn't give prudential carte blanche to give customers that as part of 'communications'. 

Highly interesting subject though, this is what businesses have to contend with  

Undervalued

Dakta said:

Well that's the thing - in that document that are informing you of the way its been used (or at least the way it can be used), so it wouldn't be unilaterally changing the  nature of the processing in context of what has been consented after the consents been given.

Also i note that's a privacy policy (correct me if I'm wrong, I assume this is a policy for the purpose of transparency and process not a contract) i.e not consent form - so whilst other personal details are considered identification (such as your personal landline) it wouldn't give prudential carte blanche to give customers that as part of 'communications'. 

Highly interesting subject though, this is what businesses have to contend with  

Then of course there are the real world considerations of what useful redress / penalty there is if they accidentally (or deliberately) misuse it anyway?

Only the OP knows how important this actually is in her case. I would have thought a greater concern is what other images of her, outside of any control, are "out there" anyway.

Dakta

A team I worked with once did this as an experiment, we brought a member of the board in to let them know what we could find on them in 'publicly available means', it ended with us describing the contents of his bookshelf before we brought it to a close with the point made

You're not without point, and whilst there's some good people in the ICO they aren't known for being particularly good in the enforcement sense, however I think we can give the OP some peace of mind that they can go back and tell the employer (any previous consent excepting) that they don't want their data to be used in this way, and they are not wrong in any way to do so, so we can at least answer the OP's question about he rights or wrongs and overthinking etc, and if things develop further we can go from there. 

Obviously in a perfect world this would be the end of it, it isn't a perfect world though - so If there is any pushback, which i think at this stage would be quite dramatic - they can always come back for further advice