Data protection - Photoraphy policy

1) Purpose

This policy sets out how East Caithness Church of Scotland (Scottish Charity No. SC001291) will plan, capture, store, share and delete photographs and video (“images”) at church‑related events in a way that:

• Complies with the UK GDPR and Data Protection Act 2018;
• Aligns with Church of Scotland safeguarding and communications good practice; and
• Protects the dignity, safety and privacy of children, young people, adults at risk, members, visitors and staff.

Back to top

2) Scope

This policy applies to any image captured at or for East Caithness Church of Scotland including services, clubs, groups, concerts, community events, training, and marketing.

It covers:

• Images taken by church staff/volunteers and commissioned photographers;
• Images submitted to the church;
• Publication on church channels (website, livestream, printed materials, social media), third‑party platforms, press and archives.

It does not govern purely personal/family photos taken by attendees for private use.

Back to top

3) Roles & Responsibilities

• Data Controller: East Caithness Church of Scotland (“the Church”).
• Data Protection contact: Iain A Maclean, Session Clerk – session@eccos.org.uk.
• Safeguarding Coordinator: Emily Maclean – mail@emilymaclean.co.uk.
• Photographers (staff/volunteer/contractor): must follow this Policy and sign the Photographer Agreement (Appendix D) before shooting.

Back to top

4) Key Definitions (plain English)

• Personal data: any image where a person is identifiable.
• Special category data: personal data needing extra protection, including data revealing religious belief. Images captured in a church context may reveal someone’s religious belief (e.g., attending worship).
• Children and young people: anyone under 18.
• Adults at risk: adults who may be unable to safeguard themselves from harm or exploitation due to health, disability, or care needs.

Back to top

5) Lawful Basis & Conditions for Processing

We will decide and record the lawful basis before photography takes place and explain it in our privacy notice and event signage.

5.1 Internal church use (non‑public sharing)

Examples: closed WhatsApp rota groups restricted to volunteers; password‑protected internal reports; display on noticeboards inside church buildings not open to the general public.

Article 6 lawful basis: Legitimate Interests (Art. 6(1)(f)) for documenting activities and church life.

Article 9 condition (special category): Not‑for‑profit bodies (Art. 9(2)(d)) only where use is within the Church’s legitimate activities, with appropriate safeguards, relating solely to members/former members or regular contacts, and not disclosed externally.

Controls: clear privacy information; opt‑out respected; minimise identification.

5.2 External/public sharing

Examples: website, social media, press, livestream, printed publicity. Publication generally discloses images to third parties and may reveal religious belief.

Article 6 lawful basis: Consent (Art. 6(1)(a)).

Article 9 condition: Explicit consent (Art. 9(2)(a)). Standard: written, informed, specific consent before public use (see §7 & Appendices B–C). Avoid making participation conditional on consent unless strictly necessary.

5.3 Crowd and context images

Wide shots where individuals are not reasonably identifiable may fall outside data protection law. If identification is reasonably possible, treat as personal data and apply §5.1 or §5.2.

5.4 Live streaming and audio recording

Treat livestream like public disclosure of personal data. Provide advance notice, signage, and no‑film seating.

5.5 Children and adults at risk

• Public sharing: parental/guardian consent (child under 18) and, where appropriate, the child’s own assent.
• Do not publish names with images of children or adults at risk.
• Never take or use images that could be misinterpreted or compromise dignity. Extra caution for activities like swimming, beach trips, gymnastics.

Back to top

6) Data Protection Impact Assessment (DPIA)

A DPIA is required where processing is likely to be high‑risk (e.g., livestreaming, large‑scale distribution, systematic filming). The event lead will complete and retain a DPIA before the event.

Back to top

7) Consent Management (when consent is the basis)

• Use Church of Scotland SG19 Media Consent (or local equivalent) and retain securely.
• Consent must be informed, specific, freely given and recorded in writing, stating purposes, channels, retention, and right to withdraw.
• Refresh consent if purposes or channels change, or at reasonable intervals (e.g., every 3 years).
• Withdrawal: provide easy routes to withdraw; cease new uses immediately; where content is already public, take reasonable steps to remove (but cannot guarantee full deletion beyond our control). Record withdrawals and actions taken.

Back to top

8) Event Planning Controls

• Advance notice: advertise that photography/filming may occur (website, tickets, joining emails).
• Signage on the day: place clear, prominent signs at entrances and filming zones (sample in Appendix A).
• Briefing: ensure stewards and photographers know who must not be photographed.
• Opt‑out mechanisms: e.g., coloured lanyards/wristbands, designated no‑photo seating/areas, or discreet stickers.
• Platform/participants: obtain written consent from anyone appearing in leading roles (readers, choir, band, speakers).
• Mobile phones: discourage casual photography during children’s activities; leaders must not post images to personal accounts.

Back to top

9) Taking Images — Do & Don’t

Do

• Focus on groups/activity rather than individuals where consent is absent.
• Show diversity appropriately and respectfully.
• Check backgrounds for sensitive information (name badges, contact details, locations).
• Keep a shot list and mark any opt‑out individuals.

Don’t

• Publish names with children’s images, or personal details that increase risk.
• Take images in areas where people reasonably expect privacy (toilets, pastoral rooms).
• Take or share images that could be exploitative, sexualised, or otherwise inappropriate.

Back to top

10) Storage, Security, Retention and Deletion

• Storage: store originals in password protected device until transfer to church cloud storage can be done. Avoid personal devices where possible; if used, transfer promptly and delete from device. Use strong access controls and encryption at rest for cloud storage.
• Access: limited to Session approved leaders and consultants for declared purposes.
• Retention: keep raw image sets no longer than 12 months unless selected for approved archives or ongoing use covered by a valid lawful basis/consent.
• Deletion: promptly delete images of anyone who exercised an opt‑out or withdrew consent. Ensure secure deletion from backups and social media groups where feasible.

Back to top

11) Attendees Using Their Own Devices

We cannot generally regulate purely personal/family photos.

However, for safeguarding and courtesy:

• Ask attendees not to photograph other people’s children or adults at risk without the consent of a parent/guardian/carer (and the individual where appropriate).
• Ask that images from church activities are not posted publicly without the subject’s consent.
• Leaders/volunteers must never post images taken in their role to personal accounts.

Back to top

12) Sharing With Third Parties

• Press/Media: provide images only where consent covers press use. Do not share personal contact details without separate consent.
• Processors/Platforms: where using external photographers or cloud services, put written contracts/data processing agreements in place and check international transfer safeguards (many social media platforms store data outside the UK).

Back to top

13) Individual Rights

People can exercise their data protection rights: access, rectification, erasure, restriction, objection and complaint.

How to contact us: session@eccos.org.uk.

Complaints:

• Raise concerns with us first;
• Individuals can also contact the Information Commissioner’s Office (ICO).

Back to top

14) Incident & Breach Reporting

Any accidental or unauthorised disclosure, loss or misuse of images must be reported immediately to the Data Protection contact. We will assess risk and, where required, notify the ICO and affected individuals without undue delay.

Back to top

15) Review

The Kirk Session/Trustees will review this policy at least annually and after any incident or material change in practice.

Accepted as policy by East Caithness Church of Scotland Kirk Session on ……

Iain A Maclean — Session Clerk

Rev Linda J Broadley — Interim Moderator

Back to top

Appendix A — Sample Signage (edit and print)

Photography & Filming Today
Images may be captured during [Event name] by [Church] for [purposes, e.g., website, social media, printed newsletter]. If you prefer not to be photographed, please speak to a steward, use our no‑photo seating and/or request an opt‑out sticker/wristband.
We avoid naming individuals and take extra care with images of children and adults at risk.
Questions/concerns: [contact name/point].

Back to top

Appendix B — Adult Consent (Public Use)

Event: [name/date]
Controller: [Church], [address], [privacy email]

Purpose & channels: I consent to the capture and public use of my image/audio by [Church] for [list purposes] via [list channels, e.g., website, livestream, social media, printed materials, press].

Expiry/retention: Consent lasts until [date/period] or withdrawal. Images may be retained in archives if consent remains valid.

Right to withdraw: I can withdraw at any time by contacting [email]; new uses will stop, and reasonable steps will be taken to remove existing public images.

International transfers: Images may be processed outside the UK when using third‑party platforms.

Signature / name / date / contact

Note: Do not make participation conditional on consent unless necessary.

Back to top

Appendix C — Parental/Carer Consent (Public Use of a Child’s Image)

Child’s name & age: __________
Parent/Carer: __________
Event: __________
Controller: [Church]

I am the parent/carer of the above child and consent to the capture and public use of their image/audio by [Church] for [purposes] on [channels].

I understand:

• Names will not be published with images;
• I can withdraw consent at any time;
• Images shared on third‑party platforms may be stored outside the UK.

Signature / name / date / contact
Child’s assent (where appropriate): __________________

Back to top

Appendix D — Third‑Party/Volunteer Photographer Agreement (Summary)

Before shooting, photographers must agree in writing to:

1. Follow this Policy and any steward directions;
2. Capture only what is necessary; respect opt‑outs and no‑photo zones;
3. Transfer originals to [Church system] within [x days] and delete local copies;
4. Not use images for any personal portfolios or other purposes without written permission;
5. Keep images secure and confidential; and
6. Assist with takedown/erasure requests promptly.

Back to top

Quick Setup Checklist (for event leads)

• Choose lawful basis & (if needed) Article 9 condition; update privacy notice.
• Complete DPIA (for livestream/large‑scale filming).
• Prepare consent forms (Adults & Children), shot list and opt‑out list.
• Book/brief photographer(s); sign agreement.
• Prepare signage; plan no‑photo seating and opt‑out identifiers.
• Brief stewards/leaders; disable casual photography in children’s groups.

After the event:

• Select images;
• Document consents;
• Delete non‑selected images within 12 months;
• Upload to approved systems;
• Publish only in line with this Policy.

Back to top