Staff Photographs, Websites and ID Cards: What You Can and Cannot Do Under UK GDPR and the Data Use and Access Act 2025

  • Stan Hebborn
  • Nov 17, 2025
  • 3 min read

(Updated to incorporate the DUAA 2025)


Many organisations like to use staff photographs on their websites and ID cards. It makes a business feel more human and helps with on-site security. Nothing wrong with that, but as soon as you publish a person’s face or use it in an identification system, you trigger the UK GDPR, the Data Protection Act 2018 and now the Data Use and Access Act 2025. These laws expect you to handle personal data properly, explain what you are doing, and justify it.


The Legal Position

A photograph of an identifiable person is personal data under the UK GDPR. Standard headshots for websites and ID cards remain ordinary personal data, and all the usual rules apply. If you go further and use the images for automated matching or recognition (for example, facial recognition at a door), you are processing biometric data, which is special category data under UK GDPR Article 9 and brings much stricter conditions with it.

The essentials are:


Lawfulness, Fairness and Transparency

Explain clearly why you collect the photographs, how they will be used, who will see them, how long you will keep them, and how staff can exercise their rights.


Purpose Limitation

Define the purpose. A website profile, an ID card and marketing use are three separate purposes. Do not use the image for anything you haven’t told people about.


Data Minimisation

Only keep what you need. If you only require a small ID-card headshot, do not store large originals indefinitely.


Lawful Basis

This is where most employers go astray.

For website photographs, consent is the only realistic option. Employees must be free to say no without losing opportunities or being treated differently, and they must be able to withdraw consent later, at which point the image comes down.


For ID cards, you may rely on legitimate interests if the photograph is genuinely required for security or access. You must complete a Legitimate Interests Assessment and offer a practical alternative for those who prefer not to use a photograph.

If the photograph is not essential for security, treat it as consent-based.


DUAA 2025 Accountability

Under the DUAA, you must keep a record of the processing. That includes why you need the photographs, the lawful basis, the risks and how long you will keep them. The organisation’s Accountable Person is responsible for making sure this information is written down, reviewed, and followed.

If the photograph is ever used in a system capable of automated matching or recognition, you are processing biometric data. That means an Article 9 condition and a Data Protection Impact Assessment before the system goes live, not afterwards.


Using Staff Photographs on Your Website

If you want staff images on your website, do it properly.

  1. Get clear consent.

  2. Explain the risks. Once an image is online, anyone can copy it, and a face published next to a name and job title can be scraped and reused to impersonate that person in phishing or social-engineering attempts.

  3. Offer alternatives such as avatars or job-title-only profiles.

  4. Log the processing under your DUAA records.


Using Staff Photographs on ID Cards

ID cards are different, but the same principles apply.

  1. Only require photographs where genuinely needed for identification or security.

  2. If you rely on legitimate interests, complete an LIA and keep it on file.

  3. Provide reasonable alternatives for staff who prefer not to use a photograph.

  4. Set sensible retention rules and stick to them.

  5. Never disadvantage staff who do not consent.


Final Thoughts

Using staff photographs is perfectly acceptable when handled correctly. Poor practice invites complaints, and the ICO deals with more of these cases than you might expect. With the DUAA now adding extra duties around logging and accountability, you need to show your workings.

If it is not essential, rely on consent.

If it is essential, prove it.

And whatever you do, document it properly.


If you want clarity on using staff photos or you need help making your approach DUAA-ready, email keith@hebborn.co.uk or call 0333 772 1510.


Hebborn Consultancy Ltd. is a private company limited by shares, registered in England and Wales number 11479220. ICO registration number ZA768371

Hebborn Consultancy Ltd. Chapman Way Hethel Norfolk  NR14 8FB.

The Company's' registered office is Tedder House Tedder Close Watton Norfolk IP25 6HU

©2026 Hebborn Consultancy Ltd. 