Do we need parental consent for photos on our school website?

In almost all cases, yes. If your school website shows a photograph in which a pupil can be identified, that image is personal data, and you should have a clear lawful basis for publishing it. For public-facing use on a website, that basis is usually the consent of a parent or carer (or the pupil themselves, where they are old enough to decide).

But there is an important second point that is easy to miss. Consent makes publishing lawful. It does not make publishing safe. Those are two different questions, and a growing body of UK guidance now encourages schools to treat them separately.

Yes. Under UK GDPR, a photograph counts as personal data whenever a living individual can be identified from it, whether on its own or together with other information such as a name, a class, or a caption. A clear photo of a child’s face is one of the most obvious examples of identifiable personal data there is.

That means the usual data protection principles apply: you need a lawful basis to process it, you should only use it for the purpose you collected it for, and you should not keep it for longer than you need it. The Information Commissioner’s Office (ICO) and its Children’s Code place particular emphasis on protecting children’s data.

For photographs used in a public, promotional or open-ended way, such as on your website, prospectus, or social media, consent is the appropriate lawful basis. To be valid under UK GDPR, consent must be:

• Freely givenParents must be able to say no without disadvantage to their child.
• SpecificBe clear about where images will appear. Consent for the school hall display is not consent for the public website.
• InformedExplain what you will do, where images will be seen, and how long they will stay there.
• Easy to withdrawParents must be able to change their mind, and you must act on it promptly.

Keep a record of who has consented and to what. When a child leaves, or when consent is withdrawn, you need to be able to find and remove the relevant images.

Here is the part that often surprises schools. Even with perfect consent records, an identifiable photo of a child on a public website carries a safeguarding risk that consent cannot remove. Any image on an open web page can be copied, downloaded, or altered by anyone, anywhere, regardless of whether a parent agreed to its original use.

Guidance from the UK Online Harms Early Warning Working Group, developed with the NSPCC, the Internet Watch Foundation and the National Crime Agency’s CEOP command, encourages schools to ask whether identifiable images of children are needed at all, and to consider protective measures to reduce the risk of misuse. The consent question and the safeguarding question need answering separately.

• ✓Use a clear, specific photo consent form and refresh it regularly rather than relying on a one-off form from years ago.
• ✓Keep an up-to-date record of consents and withdrawals, and make it easy for staff to check before publishing.
• ✓Avoid pairing a child's full name with their photograph in public materials.
• ✓Review what is already live on your website. Old images can outlast the consent that covered them.
• ✓Have a simple, fast process for removing an image when consent is withdrawn or a child leaves.
• ✓Where you can achieve your aim without identifiable faces, consider doing so.

For many schools the simplest way to resolve both questions at once is to anonymise children’s faces in website photographs. It sidesteps the safeguarding risk, reduces the administrative burden of matching consent records to individual images, and keeps the warmth and life of real school photos without exposing identifiable pupils online.

This is exactly what we built Anonymé to do: batch-process your existing website images, replace faces while keeping the photo natural, and return them ready to publish, fully GDPR compliant.