I’m glad to see the Hadrian’s Hvndred rules no longer say that our email addresses may be published, but the word hasn’t spread to other LDWA events. Even if consent to hold data is given, you still have to keep it secure and publishing doesn’t really do this.

Previous LDWA guidance also says that if people don’t like having their pictures taken at events, they should ask for them to be deleted. In most cases, if I were the photographer, I’d be happy to delete, but the right of erasure under the GDPR does not apply “if processing is necessary... to exercise the right of freedom of expression...” Which includes taking photographs. The photographer does, however, have to have a clearly identified legitimate interest. Which could be that they’re exercising their right to freedom of expression...

In response to an earlier query, the GDPR is here to stay and the same rights and protections are enshrined in a new Data Protection Act that in some cases goes further than the GDPR.

And also: it doesn’t matter if a photographer keeps someone’s picture for their own private use, as one contributor put it: the rules and obligations of the GDPR still apply.

David Green, SQLR looks like it might enable anonymous trolls as you don't have to give a user name.

When the new site is being developed, the developers may wish to consider this technology:
https://sqrl.grc.com/pages/what_is_sqrl/
It would appear to solve some of the data protection and hacking issues.

Does it make any difference from a GDPR point of view if the the Facebook postings are to a closed group ?

Steph, Thanks for the background information.

I been on a few social walks and none of them have every been lead by a female member, So that will be something to look forward too.

The gender of our membership has always been stored for individual members and it is something we should know.

The ability and desire to walk long distances is not gender specific, but for an organisation like ours it is useful to know the gender of our members, so that we can understand the collective membership. Knowing that we can all make better judgements about how to advertise and promote the organisation, and even who might lead us..

For example when the LDWA was founded, females made up about 12% of individual memberships. For the last 5 years females have been over 40% of new individual memberships. So in 2019 we have a much higher proporion of female joiners than in the 1970s. That information is useful in many ways, from asking why we don't yet reflect the near 50/50 gender split in to society, to the balance and content of articles we put in Stider, through to deciding where and how we might promote ourselves.

It raises other questions for reflection, for example is each gender appropriately represented on local group committees or on the NEC? Have we got a similar proportion of walk leaders by gender as we have general membership? etc etc (this is potentially a long list!). While the answers to such gender representation questions are not currently a general issue across recreational associations it is certainly a hot topic for large employers, and who is to say that it won't become an issue for us in future?

Knowing each member's gender is essential to allow us to make informed judgements in the present, and for the future.

Steph Carter: Gender- Male (Outgoing LDWA Membership Secretary)

Anyway, returning to my original two questions, what's the definition of a 'group photo' and why does the LDWA need to store the sex of an individual?

I think you are missing the point, you are arguing about what ifs on some of the many possible scenarios about whether the data would be useful

Whereas the law really says none of your arguments matter about usefulness.

To unlock a phone using a photo of the owner you would already have to know the identity of the owner of that phone and that the phone is owned by that person. Otherwise, even if you had an third-party photo and you knew the name of that person in that photo, unless you had their phone you couldn't use that photo to unlock their phone.
It would be no use to a thief to copy an internet photo of me unless he could tie that photo to me i.e. identify me as the subject. It would be no use to him to have a photo of me without knowing my name (and that I was in the photo). Then if he did have a photo of me and knew my name, he would have to have access to my phone in order to hack into it using that photo.
So to unlock a phone you need many pieces of data: A third-party photo, know the name of the person in that photo, know where to find that person, steal the phone from that person, know that the phone was set up for facial recognition. It would be must easier to just threaten that person, grab their phone and point its camera at them and the phone's unlocked. Why anybody would want to go to this much trouble though is beyond me...

While you might be only able to recognise a person, other people or more importantly other systems will be able to identify somebody because they already have a reference from somewhere else.
And identification is not just match name to photo but also match photo to photo or photo to real life.
e.g. for passport checks at a border they look at real life and compare to your passport photo and that identifies that the real person is the same as the one the passport photo, that then gives them a name and other data.
another example is that face unlocking of you phone does not need any other data, it just requires that it can match 2 photos to identify that you are the owner of the phone.
Captions with name might be important for people but not for a lot of other processes of identification.

Identification can be taken from any type of photo, group or ad hoc.

Just as reference some facial recognition software "can recognize faces as small as 50x50 pixels in image resolutions up to 1920x1080"

I keep seeing the phrase 'group photos'. What does this mean? To me, a group photo is a posed photo of a group of participants, but most photos are much more ad hoc, meaning they're taken without warning or taken spontaneously. What about these types or photos?
Much is made of people being 'identifiable' from photos. I would suggest that people are merely recognisable from photos, which is not the same thing as identifiable. I might recognise a face in a photo but I can only identify that person if I already know their face or a caption to the photo informs me as such. So a published photo without a caption only contains images of recognisable people, not identifiable people. The addition of a name caption then makes those images identifiable.
If photos are published without captions then the people in them aren't identifiable unless somebody already know their face.

Second point, with the recent discussion about the androgenisation of the 'walking man' and not wanting to exclude people, why does the LDWA need to store the sex of an individual on its computer system(s)?

Thank you for the detailed response and thank you for the work you have done on this.

Part of the reason for the post was to raise awareness of this issue and I'm glad to see ICO are happy with the approach being taken by LDWA and that there will be further communication on this issue to members via email/letter and the walks register template.

As the Data Manager I welcome this interchange. As David Morgan has noted, we have thought long and hard about our data protection and privacy policy, user guide and briefing notes for officers. I have tried to keep the rules simple, clear and the minimum necessary to comply with the GDPR. As with any new system, there will be teething issues which my successor, Stuart Bain, will pick up on after March 10, when I step down..

Photographs pose a particular issue and I hope the note below clarifies the issue. Please note that I have outlined this approach to the Information Commissioner’s Office and they say that our system seems to be appropriate and fit for purpose (they cannot be more positive than that).

1 Background

We do clearly define a photo as personal data in the Data Protection and Privacy Policy, in the User Guide for Data Protection and Privacy User Guide, and in the Briefing Note for LDWA Officers on Data Protection and Privacy.

We live in a world where hardly any participant at an LDWA event does not have a camera (in a smartphone) ready to hand. Most people are keen to have their photo taken and to participate in group shots.

We cannot completely control the taking of photos by individuals on our Social Walks and Challenge Events.

2. Policy and guidelines

I believe that the policy as it stands reflects a common sense approach that is practical whilst defending the rights of individuals to have their privacy protected. The measures are therefore proportionate to the problem. It is also a major step forward in protecting the privacy of members.

There is a promise that we will take a photo down from the website whenever an individual in it asks for this to be done.

Walk leaders should ask people unwilling to be included in a group photo to withdraw well away from the camera and to be given a chance to do so.

People who do not want to have their photo taken should ask for any shots of them to be deleted if they see such a photo being taken.

The concept of “opting in” to having your photo taken is almost impossible to police. While “opting in” is certainly a general principle for data protection, we could not expect (and nor does the ICO) all participants, eager to use their camera, both to hear about and to recognise all people who have not “opted in”

3. Guidance and action

I agree that the walk leader should be aware of the privacy issues relating to photos. I aim to produce a guide for walk leaders in the next month.

All members of the Association will receive an email or letter from me in the course of the next month to include a section on photographs.

I think it would be helpful for the walks register to contain a statement on the use of photos. I will update these templates within the next week.

If you have any further questions please email me at datamanager@ldwa.org.uk and I will do my best to respond. Thanks for your patience.

As with any laws there are grey areas, especial in the UK which relies on interpretation of case law more than other countries.

Does "art" fall under public interest legal basis? and what is "art"?
A lot of journalism probably would be public interest.

It might be good to read direct from the horses mouth https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
But they say "Why don’t you tell me exactly what to do? Every organisation is different and there is no one-size fits-all answer. Data protection law doesn’t set many absolute rules."

As for the B word, all of this is enacted in UK law http://www.legislation.gov.uk/ukpga/2018/12/contents to comply with the EU directive
Any change on the status with the EU won't affect this law currently but it could offer an opportunity for it to be changed in the future, but I see that as unlikely the UK law would be changed any time soon.

Andrew I've had a look at the link, https://freelancerclub.net/resources/blog/post/impact-of-gdpr-on-street-photography There is some interesting reading there and thankyou for posting. I don't know if I've read it right but here is a quote from it " However, it is expected that the UK law implementing the GDPR (such UK law has not yet been passed by Parliament) will contain certain exemptions/derogations to the consent rule under the GDPR. It is likely there will be an exemption to the consent rule for personal data collected for the purposes of "journalism, literature, and art". However, as the UK data protection law has not yet been approved and adopted by Parliament, we can't yet confirm what those exemptions will be." end quote I don't like to use the B word but I wonder if brexit will have any effect on it?

Ian.

I too have an interest in photography (mostly of Landscapes)

The problem is that you seem to be a bit out of date, the article https://www.amateurphotographer.co.uk/technique/expert_advice/street-photography-and-the-law-96304 is dated October 2016 whereas GDPR came in to effect 25th May 2018
http://www.urban75.org/photos/photographers-rights-street-shooting.html is dated December 2009

https://freelancerclub.net/resources/blog/post/impact-of-gdpr-on-street-photography is more up to date guide as it was written just before the law came in to force.
A quote from it
"Those who are collecting other people’s personal information (including photographs) can only do it if they have a “legal basis” for doing so. The legal basis that most photographers would normally rely upon is the consent of the person being photographed."

The best argument I've seen especially for "street photographers" with respect of GDPR is that when you take the photograph you are allowed to do so because of the law you stated and it is for your own personal use under GDPR.
If you wish to do something with that photo other than you own personal private use then you need consent to process it in a way other than private use.

So if you publish that photo anywhere you cannot use the "personal use" exception any more and you need to gain consent before you publish, the easiest way to do that is gain consent before you take the photograph but with un-staged street photography that is difficult.
This un-staged nature with GDPR can be worked around with a carefully worded consent approach after the photo has been taken but before publishing (this is easiest straight after the photo has been taken)
e.g. I've take this photo for my personal use but would like to process it a non personal manner but I require your consent before I do that.

Luckily most of this does not apply to Landscapes as they tend not to have personal data in them i.e. identifiable people

"I'm not going to answer a series of what if's for you, you should do your own research on the answers."

Andrew, one of my hobbies in retirement is street photography and this subject does crop up from time to time, I've lost count of the e-mails asking "who gave me permission" to take photos of this or that. I very rarely rely unless I'v been trespassing at the time. If the property owner objects then I do remove them. One of my most used photos is of a disused property that you cannot see from any public area and yes you do need to trespass to get to it, A presenter from the BBC tried but failed and used my photos instead. If the landowner asks then I will remove the photos.

The law dose state (see link below) that you can take photos in public. But this must be done with commonsense. I never take photos of children as a rule. I never take photos of schools, parks or play areas when children are using then. I do take photos of police offices (section 43 /44 & 58) allows me to do that unless under special restrictions. You may find this link useful. A couple of lines around half way down reads "Photographers are free to use their photographs of people taken in public places as they wish - including for commercial gain." Here is the link..... http://www.urban75.org/photos/photographers-rights-street-shooting.html More useful reading can be found here.

https://www.devon-cornwall.police.uk/advice/your-community/taking-photographs-in-a-public-space/ and here, https://www.amateurphotographer.co.uk/technique/expert_advice/street-photography-and-the-law-96304

I'm not going to answer a series of what if's for you, you should do your own research on the answers.

I'm sure all organisations have done, the LDWA has and I believe there is nothing in there data protection policy that allows them to process personally identifiable pictures other than "informed freely given consent" of people on social walks.

For challenge events I think they are most likely fine for entrants as I seem to remember there is a condition in the event terms and conditions "a contract" about photography (This is probably how your sports event is covered, they have paid money to enter the private land of the sports event and the contract you have formed to do this contains the right conditions to allow any photography)

How about all the closeups of the crowd at sporting events. Or people walking by during any outside news items or events. In the day of CCTV we get our faces recorded all the time. Even when on a bus there are camera's recording my face. It also records the stops I get on and off the bus. Knowbody asks if it's OK to record on all of the above.

There are a number of legal basis for processing personal data.

I'm sure that scenario you described have been thought about and my guest it would fall number one of 2 legal basis (summarised below)
1) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
2) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

The LDWA is not a News organisation and has outlined a different legal basis for processing personal info and it does not include photographs that identify people.
Thus it should need to rely on the main legal basis which is freely given consent

Posted: Sun 3rd Feb 2019, 23:01
Joined: 2017
Local Group: Thames Valley
Your face is considered biometric data (hence why they have photo of your face on your passport/driving license or you can even unlock your phone with it) and thus covered by GDPR when excluded by the personal use/national security/law enforcement exemptions.

So take shots of backs on heads or people far in the distance so they cannot be identified ;-)


----------------------------------------------------------------------------------------------------------------------------------------------------------

I wonder how the news media gets away with taking photos / filming people outside of courts ect? Err Mr ******** we know your up in court for robbery but can I use my photo of your face for the front page of the daily *******

Thanks for creating this post. It's great to always review and reassure that LDWA is GDPR compliant.

Christopher Hedley has worked hard on GDPR for the last 18 months in his role as Risk Officer. He has liaised with the Information Commissioners Office throughout, so the guidance provided has come as a result of interaction with the ICO.

In relation so social media, the LDWA manages two accounts; Twitter and Instagram. The Facebook page is not owned by the LDWA. The comments made in relation to photographs going beyond the EU area is being reviewed by Christopher and I am aware that he's phoning the ICO in relation to GDPR issues today (04.02.19).

I've asked Christopher to review this forum post and I'm sure he'll update in due course. In the meantime, please be assured that the LDWA has taken its GDPR responsibilities seriously and that as far as we are aware, are compliant and have the necessary caveats added to satisfy the ICO.

In relation to insurance, Sandy Gee has been asked to speak to the insurance broker (again!). Furthermore the LDWA is in the process of renewing the insurance and we are asking as to whether the list of attendees is necessary with the new insurers that are being considered. To date, all are requiring the attendance list and we will continue to work hard to try and remove a process that some groups (but not all) are finding onerous.

Regards

David Morgan

Your face is considered biometric data (hence why they have photo of your face on your passport/driving license or you can even unlock your phone with it) and thus covered by GDPR when excluded by the personal use/national security/law enforcement exemptions.

So take shots of backs on heads or people far in the distance so they cannot be identified ;-)

"GDPR is not like copyright, you are never the owner of the personal information your photographs contain."

What personal information on the photos are you talking about?

While that is still true that you can still take a photograph in a public place without permission, GDPR now places restriction on what you can do with that data.
My understanding is that for for personal/household activities you can still do want you want with it BUT as soon as you transfer that data to an organisation that is subject to GDPR like the LDWA there is restriction on what they can do with that data.
You as a non professional photographer might not need consent but the LDWA does

GDPR is not like copyright, you are never the owner of the personal information your photographs contain.

I've been known to take one or two photos while out walking and my understanding of the law is, if the photographs are taken in or from public areas then the person who takes the photograph dose not need permission about it's use from anybody who may be in the photograph.

I good idea about an "opt in" once a year to members but that does not cover non members who can attend walks.

I suspect Andrew has opened a can of worms. We give our members on social walks the opportunity to 'opt out' of being photographed, but I suspect, as Andrew says we should be able to prove they have 'opted in. To the best of my knowledge identifiable photos are considered personal data for the purposes of GDPR. Could walkers give their consent to 'opt in' once a year rather than on every group walk to be recorded on the register?
I look forward to some guidance from an expert in such matters.

I'm not a lawyer or expert on this subject but...

A number of group social walks I've been on recently and there have been photo's taken and posted to the LDWA website and or to Facebook/other social media.
I believe that a lot of these photo's are not GDPR compliant because there is no lawful basis for storing and processing the personal info of an identifiable image of somebody on a walk.

On one social walk there was a general announcement at the start about photo's and the ability to "opt out" of being photographed but GDPR requires "opt in" for consent.
Other walks nothing has been said about publishing photo's and photos have been published.

I know that LWDA does have GDPR pages and privacy policies (https://www.ldwa.org.uk/library/environmental/gdpr.php)
But this seems to contradict itself in places.
It states that the lawful basis data from social walks in that policy is to "administer that Activity" and this does not cover photographs but it then goes on to say that people should be given the chance for people to "opt out" of photo but really again this should be "opt in"
Also policy states that "Data will not be transferred outside the European Economic Area." but using Facebook and other social media will mean that the data will be transferred out of the EU.
It also states that "We will not sell or transfer personal information to any third party without the User’s permission" but again you be transferring personal info in photos to third parties without permission when posting to social media.


May be now that a "Walks Register" is taken that an "opt in" box be added for photographs as some types of photographs and uses of these photographs requires the ability to demonstrate their consent.?
Having this "opt in" for photos is especial critical if children are featured in photos

This is especial true as the LDWA Publicity officer was asking for photo for marketing while not mentioning consent of individuals in the photos (I was a bit shocked by this admission in his request)

On another GDPR note the walk registration form clearly states how and for how long the information would be held for insurance purpose for any member/non member recorded but it fails to give the same detail for how a non members info would be stored and used for approaching for possible membership. It's also difficult for a non member to have understand what is in the privacy policy reference as it is not something they will already have agreed to, therefore I suggest that walk leaders also have a copy of the privacy policy with them for non members.

I also note that other organisation have a better privacy policy in regard to photographs containing personal info.

To summarise, I think that:-
The LWDA should have better policy regarding photo's
The walk register should be enhanced to cover privacy and personal info "opt in" for photos
The walk leader should be better equipped regarding the personnel info they are collection for non members by having a copy of the privacy policy.
The walk leader can inform the group about taking photographs for publication to LWDA website and or Facebook/Social media by checking everybody has opted in for this.
Members should be made better aware of the GDPR requirements on photos on walks.

Thoughts?