Employee Photos and Privacy: What You Need To Know

Key takeaways:

  • Employee photos may be personal information for the purposes of the Privacy Act, particularly if they are taken at social events (and so unlikely to be part of an ‘employee record’).
  • Although not necessarily required, the Australian Privacy Commissioner recommends that consent to the use of all photographic images (including videos) be obtained.
  • That consent may be withdrawn, so you should be prepared to take down images where that happens.
  • If the photographic images are personal information, then notice of collection should be provided, as well as your usual privacy notice.



Privacy108 Guidance: Employee Photos and Privacy

Pictures and videos of staff and teams working on projects or talking about products or just sharing down time together are widely used by companies. The corporate web presence is far more inviting when potential customers see that they are dealing with real people.  In the age of digital data transmission, where images can be duplicated, altered and sent via the Internet to the public with minimal effort, extra caution and care must be taken when taking and using employee photos.

This Guidance Note provides recommendations on ensuring that the use of photos of employees by organisations is compliant with the Australian Privacy Act 1988 (Cth).

Images are Personal Information

Images of individuals in photographs or video (images) are personal information under the Privacy Act where the person’s identity is clear or can reasonably be worked out from that image.

As an organisation, you can collect images of identifiable individuals which are personal information if it is reasonably necessary for one of your organisation’s functions or activities.

Stricter rules apply to the collection of sensitive information (for example, consent is required for the collection of sensitive information). Images of individuals may contain sensitive information if, for example, the individual’s racial or ethnic origin or religious beliefs are apparent. Some suggest that the test to determine whether a photo is sensitive information depends on the purpose of taking the photo. If a photo is of a particular event to show who is attending, the fact that the photo may also disclose a health condition (such as an arm cast) or religion does not make the photo sensitive information. If, however, the photo is taken to identify people attending a particular church or as part of diagnosing a health condition, then it is likely to be sensitive information.

Employee Record Exemption

Depending on the intended use, the photo may come within the employee record exemption in the Privacy Act and so fall outside the operation of the Australian Privacy Principles (APPs) that are included in that legislation.

The employee record exemption applies to private sector employers who handle personal information that is directly related to an employee’s current or former employment relationship or the employee’s employee record.

An employee record means a record of personal information relating to the employment of the employee (section 6(1) Privacy Act). It includes health information about an employee and personal information relating to:

  • the engagement, training, disciplining, resignation or termination of employment of an employee
  • the terms and conditions of employment of an employee
  • the employee’s performance or conduct, hours of employment; salary or wages; personal and emergency contact details
  • the employee’s membership of a professional or trade association or trade union membership
  • the employee’s recreation, long service, sick, maternity, paternity or other leave
  • the employee’s taxation, banking or superannuation affairs.

Employers cannot necessarily assume that all the information they hold that relates to an individual employee would be an employee record. For example, emails that an employee has received from third parties outside the organisation may not necessarily be an employee record. Similarly, photos taken at a work social function may not relate to the employee’s employment and so are likely to be considered to fall outside the exemption. However, photos taken for issuing corporate identity cards or for inclusion in the internal contact directory may be regarded as personal information relating to the employee’s employment, and so be exempt.

Do you need consent to use employee photos?

Under the Privacy Act, consent is not required to collect images of identifiable individuals unless the image records sensitive information about the individual. However, the Office of the Australian Information Commissioner has published guidance on using photos (available here).  This Guidance provides that ‘individuals are sensitive to photographs and video of them being published, particularly on the web.’ Accordingly, it recommends that express consent be sought from individuals being photographed after telling them, in as much detail as possible, about what their picture will be used for and who will be able to see it.

The consent required (and the formality of acquiring the consent) will depend on the type of photo and the intended use.

Formal Consent for Using Employee Photos

A formal consent form is recommended where the photo or video is to be permanently included in public facing websites, social media or other widely distributed marketing collateral.  Suggested wording for a formal consent form is included in Attachment A.

Where the photo or video is to be used in a less public or permanent way, for example, in an internal newsletter, it may not be necessary to have individuals sign a consent form.  A less formal method of obtaining consent may be used, including gaining ‘implied’ consent.

Consent may be implied by letting individuals know that photographs will be taken at the event and that they may be used for a particular purpose, for example in the company newsletter or in promoting the event, and asking individuals who do not want their photograph to be taken to let the organisers or the photographer know. If they don’t let the event organiser or photographer know, and they let their photograph be taken, then consent to that taking and use of the image may be implied.

Employees could be advised about the intended collection and use of images:

  • In the information about the event when it is circulated prior to registration; and/or
  • As part of the event registration process; and/or
  • In the confirmation of attendance email sent following registration; and/or
  • By a physical notice posted at the registration or sign-in desk at the event.

The photographer could also be asked to wear some sort of badge that asks people to let the photographer know if they do not want their photo taken.

The following is an example of notice being given as part of the registration for an event (CiscoLive 2017 in Melbourne):

The following is an example of the wording that could be included on registration forms or posted at an event:

Use of Interviews or Images from this Event

During this event, we may conduct interviews, take photographs and/or videotape. Please let us know if you do not want to have your photograph or image taken. Any interview, photographs or videos taken at this event will only be used for [DESCRIBE INTENDED USE e.g. promotion or advertising on the company’s website and in other marketing collateral, such as brochures.]

 Unless you let us know otherwise, you will be taken to consent to our use of your photos or images for the purpose specified.  Your photos or images may be shared with other members of the Organisation, some of which may be located outside Australia. They will not be disclosed to third parties other than for the purposes as outlined above without your consent.

More details about how Organisation Name handles your personal information are included in our privacy policy: Organisation URL.

A Note About Photos of Children

Extra care should be taken when using photos or images of children.  Consent may be required from their parents or guardians and more consideration should be given to the intended use to make sure it is appropriate.

The consent form could also be used to provide Notice of Collection, which is also required (see below).

Notice of Collection

Organisations that want to use photos must also provide some sort of notice of collection in accordance with Australian Privacy Principle 5, either before or as soon as practicable after the photo is taken. APP 5 requires that organisations take reasonable steps to make sure the individual is aware of, among other things:

  • what you are taking their image for
  • who may see it
  • any other organisations or people with whom you usually share personal information
  • how they can get access to it later, and
  • whether you are likely to send the images overseas (e.g. to a foreign host’s website).

For example, you need to tell the individual if you are taking photographs for a website which is not hosted in Australia. However, you may not need to explain when and how the photographs will be taken if it will be obvious from the circumstances and you won’t need to provide your contact details if the individual has them already.

More information about notifying individuals of the collection of their personal information can be found in our Guidance: Privacy Collection Notices and in Chapter 5 of the OAIC APP Guidelines.

Withdrawal of Consent/Removal of Photos

Individuals have the right to withdraw their consent.  If that occurs then the images should be removed from publication.  Organisations should ensure they have some process in place to remove all images of a particular individual if so requested.

Are Photos Sensitive Data?

A common question is whether photos should be treated as sensitive or special category data.  Often a photo may reveal a medical condition, such as a broken limb, or other incapacitation.  A photo may also contain religious garb, such as a nun’s habit or a clerical collar, that might indicate a religious belief.

In the EU, the GDPR provides some helpful advice.  Recital 51 GDPR  suggests that the processing of photographs will not automatically be considered as processing of special categories of data (as had been the case in some Member States prior to GDPR); photographs or footage will be covered only to the extent they allow the unique identification or authentication of an individual as a biometric (such as when used as part of an electronic passport).

It may also be appropriate to consider photos as containing sensitive data where they are being used for the purposes of collecting that data (e.g. information about a health condition, religious beliefs or ethnicity).


This guidance only covers the use of photos and privacy law. There may be copyright issues, depending on where the photo was taken and the intended use. Additional advice should be sought on this. Some guidance is available here.

Example: Consent to use of image(s)

Organisation Name


Employee Name: ______________________________


[Other identifying information e.g. job title, department, address]

Event (if applicable):

[Include the name or description of event where photo has been or will be taken]

This consent covers the use of photographic images of the Employee taken at the Event described above.

Intended use:

It is intended that the photographic images of the Employee will or might be used in the following:

□ Publication on one of Organisation’s public facing websites or Organisation social media sites.

□ Inclusion in Organisation marketing collateral (e.g. brochures).

□ Inclusion in other Organisation public facing material (e.g. training video).

□ Publication on an Organisation internal website or Intranet.

□ Inclusion in Organisation internal newsletter.

□ Other use:  ……………………………………………………………………………………………………………………………………………………………………


Notice of Collection of Personal Information:

Photographic images may be personal information for the purposes of relevant privacy laws. This information will be used for the purpose indicated above. It may be shared with other members of the Organisation group, some of which may be located outside Australia. It will not be disclosed to third parties other than for the purposes as outlined above without your consent. More details about how Organisation handles your personal information are included in its privacy policy (include url).


The undersigned consents to the (unremunerated) use of the photographic images of his/her person for the purposes described above. Use of the photographic images for purposes other than those described above or for marketing via the transfer of the images to third parties is prohibited.  You may withdraw this consent at any time.

Signature: ________________________________________________

Date: ___________________





Privacy108 publications and communications constitute commentary and are for general information only. They should not be relied upon as legal advice. Formal legal advice should be sought for specific issues concerning this material. Listed authors are not admitted to practice in all Australian States and Territories.


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.