I can see this turning into another hideous CRoW debate and I think we can all agree that we don't need another of those so please, it isn't a CRoW debate!

Many clubs have websites and publish photos from which people can be recognised so they are likely to be deemed personal data under data protection act. In May this year clubs, including caving clubs, are going to have to comply with the new General Data Protection Regulations, I'm hoping the BCA are on this and will be producing pro-forma policies etc. but failing that hopefully the BMC will. However I have recently seen a data protection policy from a different kind of organisation which seemed very concerned about photos of people and how these should be handled.

in general my understanding of UK law is that if you are in a public place then you have no expectation of privacy and you can be photographed without consent and those photos can be published (otherwise the paparazzi and tabloid press would go out of business).
So  a few questions:
[list type=decimal]
[*]Is a cave a public place?
[*]Even if it is, as a caving club do we still need consent to hold and publish photos under the GDPR?
[*]If consent is needed is blanket consent, say as part of a membership form, enough?
[/list]

Personally I would want to steer clear of any of this but it seems worth getting some understanding, ideally from someone in-the-know with regards to the GDPR.

Thanks

Actually one other question. Data Protection regs generally only allow for personal data to be kept for "as long as necessary". How will clubs with archives of data be affected? Will they have to contact everyone identifiable from the archive data and make them aware of the club data protection policy?

This may help, from http://privacylawblog.fieldfisher.com/2016/what-you-think-you-know-about-the-gdpr-and-why-you-may-be-wrong/

What you think you know about the GDPR? and why you may be wrong.

5. Biometric data is sensitive data under the GDPR: WRONG(ISH)!  You can be forgiven for thinking this.  Biometric data can be sensitive data under the GDPR - but only if used for the purpose of ?uniquely identifying? someone (Art. 9(1)).  A bunch of photographs uploaded onto a cloud service would not be considered sensitive data, for example, unless used for identification purposes - think, for instance, of airport security barriers that recognize you from your passport photograph.

Click to expand...

This article DATA PROTECTION ISSUES FOR PHOTOGRAPHERS gives the current situation under the Data Protection Act. From a clubs point of view I don't think it will change much under GDPR.

From the document Cookie linked to:

Where consent is not needed
The following circumstances may not require the written consent of the individual being photographed:
If it is reasonable to assume that the person is aware that their photograph may be published and that neither the photograph itself nor the context in which it is used could cause any potential harm or distress to that person.

I would have thought this covers people on a trip where someone has a camera.  Possibly if we're talking about publishing the pictures (in print or online) where individuals are named, then it would be prudent to obtain consent.

In practice, I guess this only becomes an issue if an individual complains - the ICO is unlikely to randomly demand to see the records of a club.
So if you take a picture of me and ask for written consent to publish it, and I say "FFS, just do it", you're in the clear (in practice, not in law) - no-one else will know or care whether I've given my consent, and I won't complain

OK, so it seems that in general photos are not considered personal or identifying data for the purposes of the data protection act/GDPR.

Thanks all.