Privacy and Photography in Singapore

5 September 2016

Dharma Sadasivan

​Singapore's privacy regulators, the Personal Data Protection Commission ("PDPC") released advisory guidelines on photography ("Photography Guidelines"), which I think are helpful to photographers, hobbyists, events organizers, bloggers, and generally across the board. I have endeavored to condense the most salient and useful points in this post.

First principles
An image of an identifiable individual captured in a photograph is personal data about the individual. Therefore a photo is personal data.

Under the Personal Data Protection Act 2012 ("PDPA"), an organization (including an individual) collecting, using or disclosing personal data must obtain consent on or before collecting or using the personal data for particular purposes. Therefore, consent must be obtained before taking a photo of an identifiable individual.

Exceptions
In addition to the general exceptions for collection, use and disclosure set out in the Second, Third and Fourth Schedules of the PDPA (covering things like collecting, using or disclosing personal data for emergencies, national security, managing or terminating employment relationships, etc), you don't need consent if you are taking photos in a personal or domestic capacity, such as if you're taking family photos or photos of friends at a birthday. It largely depends on the circumstances, but the key question you should be asking yourself is whether you're doing it for work or strictly in a personal capacity.

Taking photos in the course of business
If you're taking photos in the course of business, the consent requirement applies. The question then is: who does the consent requirement apply to? This depends.

If you're an employee and you're taking photos in the course of your employment or for your employer, then your employer is the organization collecting the personal data. Your organization is therefore responsible for ensuring it obtains consent. It may do this in a variety of ways, including asking you, as the photographer, to help obtain the consent. So the job of obtaining consent may still come back to you, but you won't be personally liable for a failure to do so - your company will be the responsible party.

If you're a professional photographer (e.g. a freelance independent contractor) you will ordinarily be responsible for complying with the full set of PDPA data protection obligations, including the consent obligation. However, if you are hired by an organization to take photos of identifiable individuals for them, and you take the photos strictly on behalf and for the purposes of the hiring organization, then you may be a data intermediary. Data intermediaries are not required to obtain consent - conceptually they behave as an extension of the organization. Therefore, the organization is the party responsible for obtaining consent.

However, as a data intermediary, you will still have an independent obligation to protect the personal data and to retain it only as long as necessary for the purposes for which you were hired, or if necessary for business or legal purposes (and it may be possible for a professional photographer to argue that it's necessary to keep some photos for portfolio purposes and that portfolios form part of a professional photographer's necessary business practices - but that's just my opinion).

If you want to be considered a data intermediary, you should be engaged pursuant to a written contract that makes clear that the scope of your services is strictly limited to taking the photos on behalf and for the purposes of the company.

Examples

• If you're at a corporate event and you run into a friend, have a personal chat and take selfies which you then upload to your social media pages, you don't need consent from your friend. You're taking photos in your personal capacity.
• If you're at the same corporate event but you're the in-house photographer taking photos for the event organizer, the organization needs to obtain consent (but may ask you to do so on its behalf).

Photos in public places
The PDPA provides an exception for collection, use and disclosure of personal data that is publicly available. So when an individual appears at an event or location open to the public, taking the individual's photograph is collection of personal data that is publicly available.

But what does "open to the public" mean? There isn't a strict definition of this, so it falls to what's reasonable. The primary question you need to consider is whether members of the public can easily access the location with few or no restrictions. This applies even to spaces that you would traditionally consider "public".

For example, if you take a photo of a person in a big open park, that's public and you don't need consent. But if you're in that same park and there's a cordoned-off space in which a private event is being held and people are admitted only if they are on a guest-list, then that would probably be considered a private space. Since it's a private space, the "publicly available" exception would not apply and you'd need to obtain consent before taking a photo of someone in that private space.

How to obtain consent?
No specific form is prescribed in the PDPA. Generally, written or recorded consent is preferred, but you can also rely on deemed consent. An individual is deemed to have granted consent when they volunteer their personal data for a purpose that would be reasonable in the circumstances. So if a person poses for you to take a photo of them, they're deemed to have granted you consent to take their photo.

What about people in the background?
If they can be identified, consent is required (unless an exception applies). If they can't be identified, consent is not required, because it's not personal data. If someone intentionally photobombs the photo, you may be able to argue that they provided deemed consent.

What if I'm taking an artistic photo of someone?
There is an exception under the PDPA that allows for the collection of personal data solely for artistic or literary purposes. Whether something is "artistic" or "literary" is generally highly subjective, so you should obtain consent just to be sure.

Publishing photos online
If you're a blogger or online magazine, you may publish photos of individuals from time to time. Under the PDPA, an individual has the right to withdraw their consent to your collection, use or disclosure of their personal data at any time, for any or no reason. How does this affect publishing photos?

• Where a photo has yet to be published publicly, the individual can withdraw their consent, meaning you should cease all continued use and future use or disclosure of the photo.
• Where a photo has already been published publicly, the individual's withdrawal of consent does not affect the published photo. As good practice, you may cease further use or disclosure of the photo, but this is not a requirement because the photo is already publicly available and was made so at a time when the individual had consented to it becoming publicly available.

No right to cease retention
The PDPA doesn't provide a right for individuals to compel an organization to cease retaining their personal data, so if an individual asks you to delete all your copies of his or her photos, you don't need to comply with this request. However you still need to ensure that you comply with the retention obligation - i.e. you should only retain personal data if it serves the purposes for which it was collected, or if retention is necessary for business or legal purposes. The onus will be on you to prove that your retention is justifiable.


Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com