BR Law Corporation
br@brlawcorp.com +65 6899 9888
  • Our Team
  • Practice Areas
  • News and Insights
  • Join Us
  • Contact Us
br@brlawcorp.com +65 6899 9888

Privacy and Photography in Singapore

 
5 September 2016
Dharma Sadasivan
Picture
​Singapore's privacy regulators, the Personal Data Protection Commission ("PDPC") released advisory guidelines on photography ("Photography Guidelines"), which I think are helpful to photographers, hobbyists, events organizers, bloggers, and generally across the board. I have endeavored to condense the most salient and useful points in this post.
First principles
An image of an identifiable individual captured in a photograph is personal data about the individual. Therefore a photo is personal data.

Under the Personal Data Protection Act 2012 ("PDPA"), an organization (including an individual) collecting, using or disclosing personal data must obtain consent on or before collecting or using the personal data for particular purposes. Therefore, consent must be obtained before taking a photo of an identifiable individual.

Exceptions
In addition to the general exceptions for collection, use and disclosure set out in the Second, Third and Fourth Schedules of the PDPA (covering things like collecting, using or disclosing personal data for emergencies, national security, managing or terminating employment relationships, etc), you don't need consent if you are taking photos in a personal or domestic capacity, such as if you're taking family photos or photos of friends at a birthday. It largely depends on the circumstances, but the key question you should be asking yourself is whether you're doing it for work or strictly in a personal capacity.

Taking photos in the course of business
If you're taking photos in the course of business, the consent requirement applies. The question then is: who does the consent requirement apply to? This depends.

If you're an employee and you're taking photos in the course of your employment or for your employer, then your employer is the organization collecting the personal data. Your organization is therefore responsible for ensuring it obtains consent. It may do this in a variety of ways, including asking you, as the photographer, to help obtain the consent. So the job of obtaining consent may still come back to you, but you won't be personally liable for a failure to do so - your company will be the responsible party.

If you're a professional photographer (e.g. a freelance independent contractor) you will ordinarily be responsible for complying with the full set of PDPA data protection obligations, including the consent obligation. However, if you are hired by an organization to take photos of identifiable individuals for them, and you take the photos strictly on behalf and for the purposes of the hiring organization, then you may be a data intermediary. Data intermediaries are not required to obtain consent - conceptually they behave as an extension of the organization. Therefore, the organization is the party responsible for obtaining consent.

However, as a data intermediary, you will still have an independent obligation to protect the personal data and to retain it only as long as necessary for the purposes for which you were hired, or if necessary for business or legal purposes (and it may be possible for a professional photographer to argue that it's necessary to keep some photos for portfolio purposes and that portfolios form part of a professional photographer's necessary business practices - but that's just my opinion).

If you want to be considered a data intermediary, you should be engaged pursuant to a written contract that makes clear that the scope of your services is strictly limited to taking the photos on behalf and for the purposes of the company.

Examples
  • If you're at a corporate event and you run into a friend, have a personal chat and take selfies which you then upload to your social media pages, you don't need consent from your friend. You're taking photos in your personal capacity.
  • If you're at the same corporate event but you're the in-house photographer taking photos for the event organizer, the organization needs to obtain consent (but may ask you to do so on its behalf).

Photos in public places
The PDPA provides an exception for collection, use and disclosure of personal data that is publicly available. So when an individual appears at an event or location open to the public, taking the individual's photograph is collection of personal data that is publicly available.

But what does "open to the public" mean? There isn't a strict definition of this, so it falls to what's reasonable. The primary question you need to consider is whether members of the public can easily access the location with few or no restrictions. This applies even to spaces that you would traditionally consider "public".

For example, if you take a photo of a person in a big open park, that's public and you don't need consent. But if you're in that same park and there's a cordoned-off space in which a private event is being held and people are admitted only if they are on a guest-list, then that would probably be considered a private space. Since it's a private space, the "publicly available" exception would not apply and you'd need to obtain consent before taking a photo of someone in that private space.

How to obtain consent?
No specific form is prescribed in the PDPA. Generally, written or recorded consent is preferred, but you can also rely on deemed consent. An individual is deemed to have granted consent when they volunteer their personal data for a purpose that would be reasonable in the circumstances. So if a person poses for you to take a photo of them, they're deemed to have granted you consent to take their photo.

What about people in the background?
If they can be identified, consent is required (unless an exception applies). If they can't be identified, consent is not required, because it's not personal data. If someone intentionally photobombs the photo, you may be able to argue that they provided deemed consent.

What if I'm taking an artistic photo of someone?
There is an exception under the PDPA that allows for the collection of personal data solely for artistic or literary purposes. Whether something is "artistic" or "literary" is generally highly subjective, so you should obtain consent just to be sure.

Publishing photos online
If you're a blogger or online magazine, you may publish photos of individuals from time to time. Under the PDPA, an individual has the right to withdraw their consent to your collection, use or disclosure of their personal data at any time, for any or no reason. How does this affect publishing photos?
  • Where a photo has yet to be published publicly, the individual can withdraw their consent, meaning you should cease all continued use and future use or disclosure of the photo.
  • Where a photo has already been published publicly, the individual's withdrawal of consent does not affect the published photo. As good practice, you may cease further use or disclosure of the photo, but this is not a requirement because the photo is already publicly available and was made so at a time when the individual had consented to it becoming publicly available.

No right to cease retention
The PDPA doesn't provide a right for individuals to compel an organization to cease retaining their personal data, so if an individual asks you to delete all your copies of his or her photos, you don't need to comply with this request. However you still need to ensure that you comply with the retention obligation - i.e. you should only retain personal data if it serves the purposes for which it was collected, or if retention is necessary for business or legal purposes. The onus will be on you to prove that your retention is justifiable.


Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com

Post date. Edit this to change the date post was posted. Does not show up on published site. 5/9/2016


Your comment will be posted after it is approved.


Leave a Reply.

    We're Here To Help

    Our team welcome any comments or questions and will gladly assist you with your enquiry. You can call us on +65 6899 9888 or fill out our simple contact form. 

    Subscribe to our Newsletter

    Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
    Subscribe to Newsletter

    RSS Feed

    Archives

    December 2018
    August 2018
    July 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    September 2017
    August 2017
    January 2017
    September 2016
    March 2015
    January 2015
    July 2014
    June 2014
    May 2014
    April 2014

    Categories

    All
    Commercial Transactions
    Conveyancing
    Corporate Law
    Criminal Law
    Dispute Resolution
    Family And Matrimonial Law
    Intellectual Property
    International Law
    Personal Data Protection
    Probate And Administration
    Technology
    Wills And Trusts

    Disclaimer

    ​The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.

    You should contact your lawyer for legal advice if you need legal assistance.

Download Our Firm Brochure

Download

Our ecosystem

We now also offer a spectrum of legal-related services for estate planning and secure document storage. Visit our dedicated BR Family Assets and BRIEFCASE websites.
 
BR Family Assets
​BR - IG Consulting
BRIEFCASE

Practice Areas

Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
Subscribe to Newsletter

Contact Us

+65 6899 9888 Telephone
+65 6338 5377 Fax
 
br@brlawcorp.com
 
4 Battery Road #29-00
Bank of China
Singapore 049908
Terms of Use​  •  Privacy Statement
​© Copyright 2018 BR Law Corporation. Registered in Singapore (UEN: 200312051N).