The General Data Regulations 2018 (GDPR) came into force on May 25th 2018 and replaced the existing Data Protection Act 1988. GDPR Offers greater protection to individuals within the European Union (EU) and places greater obligations on organisations who process and or control personal or special/sensitive category data.
When providing Spencer Brown Photography Ltd certain information by which you can be identified, when using our services and website, you can be assured that it will only be used in accordance with this privacy statement. Spencer Brown Photography Ltd may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes.
What is personal 'Data'
Personal' Data' is understood to be any information that could be used to identify an individual and can comprise an email address, a name, a date of birth, a postal address, a national insurance number, a bank account number. A photograph is also considered 'Data'.
Who we are and what is our role?
Spencer Brown Photography Ltd is a professional photographic company specialising in school photography that has been operating since 2004. As such, our services to photograph individual pupils and groups of pupils are requested by predominantly schools, education establishments/institutes and the parents/guardians thereof as well as occasionally by individuals and commercial organisations (referred to in the remainder of this document as simply 'Schools').
Spencer Brown Photography Ltd by its very nature is contracted to photograph individuals typically <16yrs of age under permission of the School for whom it is contracted.
The School for whom we are contracted by are identified as the main Data Controller
Who Collects Information/Data
Spencer Brown Photography Ltd is identified as predominantly a Data Processor whereby the data is typically passed to Spencer Brown Photography Ltd by the applicable School and the parents thereof. As such, in our efforts to work towards GDPR 2018 compliance, it has been necessary for Spencer Brown Photography Ltd to initiate a signed DPA (Data Processing Agreement) with each School for whom we currently provide school photography services to.
As well as the photographs, we collect information when parents/guardians of the School voluntarily register with us or place an order for products or services. We also collect information when they voluntarily provide feedback to Spencer Brown Photography Ltd, complete any of our customer surveys and participate in any of our competitions.
By registering online and or placing an order with Spencer Brown Photography Ltd, the customer agrees to our terms and conditions and therein provides consent for Spencer Brown Photography Ltd and its identified subcontractors to manage provided personal information. Subcontractors are identified later on in this document under the heading 'Subcontractors' and whom also are obligated personally under GDPR 2018.
Why we do what we do/purpose.
The photographs are captured in order to provide a specific service to the school and to its pupil's parents and guardians, whereby the images are available to purchase from Spencer Brown Photography Ltd, as a personal momentum/ keepsake and to document their child/children's time at school. The images are also required for each school's admin database such as CAPITA SIMS or other in house pupil admin systems for pupil management and identification purposes.
For a School to utilise our services, they agree to our School Services Agreement, which sets out the obligations of the school and that of Spencer Brown Photography Ltd. The most important obligation of the school is to ensure that only children for whom they have permission under parental choice or safeguarding requirements are presented on the day for photographing. Should any parent or guardian not wish their child/children to be photographed, it is there responsibility to inform and document this choice with their school/organisation. Where a child is present for their school photo it is deemed by Spencer Brown Photography Ltd that permission has been granted. We think it is really important that children and young people are included in the decision making process and that their consent or non-consent is respected too.
Where images are required for any other purpose, i.e. by the school for marketing purposes such as on their website or advertising brochure or for alternative commercial gain, it is the schools responsibility to obtain a specific 'model release' for each pupil featured from the relevant parent/s and or guardian/s.
What information do we process?
To enable the creation of a unique secure password and an individual order form for each child. The following data must be provided by the school ahead of the photography day; as follows;
- Number of Pupils per class (Compulsory);
- Pupil’s Class/Year/Teacher (Compulsory).
The above data is considered generic and as such does not contain any personal data at this stage that is not otherwise available in the public domain.
Each school may voluntarily provide Spencer Brown Photography Ltd with additional pupil data to assist with the photography workflow/image recall and to integrate with the schools admin system. It is the responsibility of the school if providing this additional data to send it securely; either by password protecting or via a secure file transfer system;
- Pupil’s First Name (Voluntary);
- Pupil's Surname (Voluntary);
- Pupil’s Unique ID No. (Voluntary).
The above data contains first name and surname, although does not include birth dates, addresses. The Unique ID is also only relevant to the individual school, so again would not be considered sensitive data.
Spencer Brown Photography Ltd is a professional School Photography company, as such, firstly and foremostly, we are appointed by each School to capture individual portrait and group images of their pupils and staff. Photographs are considered personal data, as such, it is necessary, as previously mentioned, for each parent/guardian to have a written agreement with their School should they not wish their child to be photographed. It will be the responsibility of the School to ensure only those children whom are allowed to be photographed are presented on the school photo day.
Once photographed the images become Spencer Brown Photography Ltd.'s intellectual property that is essential to the nature and the successful running of the business. For that reason, there are many legitimate reasons/interests for our storing and using of photographs of pupils/teachers/groups.
To re-cap, we may process the following data from the school:
- Child’s School Name & Address;
- Child’s Class/Tutor Name;
- Child’s Individual Photograph;
- Child’s Individual & Sibling Photograph;
- Child’s Class, Tutor, Sports, Nativity, Year Group and or Whole School Photograph or any other requirement at the direction of the school.
On the day of the school photo shoot, each child may be provided with A5 barcode in advance. Alternatively, all pupils will receive an A4 sized paper order form circa 2 weeks post shoot (often much sooner), that includes a proof of their school photo and unique online code.
This allows parents/guardians of the School to either return the completed paper order form to the School by the deadline stated with enclosed correct monies or order their child’s images securely via our on line shop using the unique code provided and secure checkout. Each ordering option will collect data differently - See Option 1 & 2 below for further details.
Sub-Processor - GotPhoto (specilaist cloud based management and sales for school photographers)
When received, the above data is uploaded to our school photography cloud based management system provided by our sub processor GotPhoto to create each child's unique password and account to integrate with their secure online shopping facility.
GotPhoto (Fotografen Online Service GmbH, Greifswalder Strabe 207, 10405, BERLIN) is an all in one specialist workflow and online sales system for school photographers with whom a DPA (Data Processing Agreement) exists in order to allow safe exchange of personal data. GotPhoto are identified as subcontracted data processor under the DPA chain held with the School. GotPhoto as will all subcontracted data processors in the chain, are obligated to comply personally with GDPR 2018 in their own right.
For more information about GotPhoto – please click on the following link https://www.gotphoto.co.uk
OPTION 1 - Return to School Orders - Data Capture
When returning an order to school, the order form voluntarily requests the purchasers name and best contact number, in the event that there is a query with their order only and for no other reason.
To re-cap, to ensure the successful processing of each order, the ‘Return to School’ orders may capture the additional following data directly from the customer:
- the purchasers Name (Voluntary);
- the purchasers Contact Number (Voluntary).
As the school may already provide basic pupil data, the order form may already contain the child’s name, surname and class name or just the class name. Where incomplete, the customer may voluntarily provide the child’s first name and surname.
- Child’s Name (Voluntary).
OPTION 1 - Return to School Orders - Payment Method
Customers are asked to include correct payment with their return to school order, either by Cash or Cheque. We do not offer the facility to pay by card for return to school orders and as such we do not capture any written personal card payment details for this method of ordering. A sealable envelope is provided with each proof for each child to provide a secure method for customers to return their order with their cash or cheque payment. It is Spencer Brown Photography Ltd.'s goal to phase out the option to pay by cheque so as to stop the handling of customers personal bank details and signatures, which are unavoidably present on each cheque. Return to school orders are collated by the School office and batched until the deadline after which, Spencer Brown Photography Ltd will arrange a collection. All orders are processed and banked either the same day or next day to avoid storage of cheques and cash on premises. Where such items are stored, these are kept in a lockable secure location. Spencer Brown Photography Ltd banks with Santander, which also offers the flexibility and convenience of banking with any Post Office branch to ensure quick and easy banking options.
It is also Spencer Brown Photography Ltd's goal to phase out Return to School Orders all together in favour of online ordering only to further minimise data handling. Online ordering has increased year on year and we have offered incentives by means of reduced prices to encourage the switch to online only ordering. However, this is balanced with our ongoing need to provide equal opportunities to customers whom may not own a personal computer or whom may not have access to an active bank card or whom simply do not wish to order online out of personal choice/security concerns.
OPTION 2 - Online Shop/Ordering Process - Data Capture
When viewing or ordering a child’s school photograph/s online, the customer is directed via either of our websites www.spencerbrownphotography.co.uk and www.spencerbrownphotography.com to our Sub Contractor website https://ordermypicture.co.uk/login - https://sbphoto.gotphoto.co.uk/login.
Our online shop provided by sub-processor GotPhoto (detailed earlier) requires an email address only to register for an online account. The online account allows secure viewing of the school photo images whereby you can tag favourite images and or order through an online checkout for delivery back to the school before the deadline date or via postage at cost to an address of choice.
To recap, registering with the secure online viewing system and shop provided by GotPhoto and completing an online order will capture, yet not necessarily store, the following data about you/ the customer:
- Email address;
- Address (where the postage option is selected) As the school may already have provided basic pupil data, the online account may already contain the child’s name, surname and class name or just the class name;
- Child’s Name;
- Child’s Class;
- Child’s School We do not capture or collect individual’s birth dates or sensitive data.
OPTION 2 - Online Shop/Ordering Process - Payment Method
GotPhoto utilises financial acquirers/payment providers to complete transactions through its secure checkout. As a service provider to us, GotPhoto is obliged to ensure that their partnering service providers are also compliant with GDPR. Our online shop utilises the payment provider Stripe.
- Card Payment Details
Please see section below titled 'Other Acquirers' for further payment acquiring systems
Other Financial Payment Providers
Spencer Brown Photography Ltd may occasionally take online payments separate to GotPhoto for other photography sales. We do not take card details over the telephone, only by a secure online provider. For this we may use Worldpay, Worldpay Zinc and Paypal. Links to their Terms and Privacy Policies are included below;
How else is the data/information used
Primarily, we collect information about the customer in order to successfully process and deliver their order correctly. Other reasons are as follows;
- Internal administration, accounting and auditing;
- Monitoring and analysis;
- We may use the information to improve our products and services;
- We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided;
- From time to time, we may also use customers information to contact you for market research purposes; • We may contact customers by email, phone, fax or mail. We may use the information to customise the website according to their interests.
- We do not share information for marketing purposes with any other third party.
Spencer Brown Photography Ltd is committed to ensuring that customers information is secure. In order to prevent unauthorised access or disclosure, suitable physical, electronic and managerial procedures exist in place to safeguard and secure the information we collect. Such procedures include but are not restricted to the following;
- 1. Organisation of information security
· Entry controlled to premises. Keys held in custody of authorised personnel only;
· CCTV (3 x cameras surrounding premises);
· No front of house sales, no customer visitor policy to premises, no sales on premises;
· In-house dog - Best alarm for alerting occupants to the arrival/presence of unauthorised visitors;
· Maintained Privacy Statement/Policy – see link https://sbphoto.gotphoto.co.uk/privacy.
2. Access Control – data storage devices/equipment
· Lockable external premises doors and windows;
· Password protected desktop and laptop computers with automated screenlock following a period of inactivity;
· Password protected online access to third party data storage providers and handlers (see Appendix 2 of DPA);
· Limited users (2 no.) Least privilege rule applied – See Appendix 3 of DPA;
· Antivirus/malware software configured to applicable devices processing or managing personal data.
3. Security of communications
· Transfer of data between Photographer and Schools via secure provider mail big file https://www.mailbigfile.com/terms/;
· Password protected broadband access;
· Online data uploads via encryption;
· Access to secure online shop and image viewing by unique password only via the following links, https://sbphoto.gotphoto.co.uk/login and/or https://ordermypicture.co.uk/login is provided to each school for each pupil for their parent/guardians attention. Once supplied, the passwords security becomes the responsibility of the respective parent/guardian.
4. Secure Online Card Transactions by Professional Financial Acquirers GDPR Compliant in their own right
5. Restricted Group Photo Ordering - Only permissable to order a hard copies, no digital copies are available to avoid ease of distribution on social media. See our 'Terms and Conditions' for further detail.
Paper storage is minimised thanks to our cloud based specialist school photography online shop and processing system provided by our sub contractor, GotPhoto (Detailed above). Returned school order forms that contain the school name, class and where volunteered, the child's firstname and surname and are collected from the school and processed by Spencer Brown Photography Ltd, in that they are married up to the correct order product and then returned back to the parent/guardian with their order. As such, completed paper order forms are not stored permanently.
Controlling customers personal information
You may choose to restrict the collection or use of your personal information in the following ways:
- You are asked voluntarily to complete the ‘Return to School’ order form with a contact name and number and or Child’s Name. This is useful for processing the order more effectively in the case of an order query that requires resolving, but is not compulsory.
- If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by writing to or emailing us at firstname.lastname@example.org or by selecting the opt out option on the email.
- We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so. We may use your personal information to send you promotional information about third parties that we think you may find interesting if you tell us that you wish this to happen.
- If you believe that any information we are holding on you is incorrect or incomplete, please write to or email us as soon as possible at email@example.com. We will promptly correct any information found to be incorrect.
- You have the right to request a copy of the information that we hold about you.
- If you would like a copy of some or all of your information, please email us at firstname.lastname@example.org.
Please allow up to 30 days to comply with your request. We may make a small charge for this service.
You have the right to request that your online account be erased at any time by emailing your request to email@example.com.
Data Breach Policy
If you feel your data has been mishandled and or wish to report a data breach, please contact us immediately firstname.lastname@example.org or telephone 01359 240351. The director of Spencer Brown Photography Ltd will be immediately notified in the first instance and an investigation will be carried out to ascertain the circumstances. A response with findings will be provided within 5 working days. Spencer Brown Photography Ltd does not collect or hold birth dates or sensitive client data, and as such a serious data breach is unlikely.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information that you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.
How to Contact Us
By email email@example.com or telephone 01359 240351.
The policy sets out the different areas where user privacy is concerned and outlines the obligations and requirements of the users, the website and website owners. Furthermore the way this website processes, stores and protects user data and information will also be detailed within this policy.
Cookies are small files saved to the user's computers hard drive that track, save and store information about the user's interactions and usage of the website. This allows the website, through its server to provide the users with a tailored experience within this website.
Users are advised that if they wish to deny the use and saving of cookies from this website on to their computers hard drive they should take necessary steps within their web browsers security settings to block all cookies from this website and its external serving vendors.
Other cookies may be stored to your computers hard drive by external vendors when this website uses referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer. No personal information is stored, saved or collected.
You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However in a few cases some of our website features may not function as a result.
For further information visit www.aboutcookies.org or www.allaboutcookies.org
Contact & Communication
Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 1998. Every effort has been made to ensure a safe and secure form to email submission process but advise users using such form to email processes that they do so at their own risk.
This website and its owners use any information submitted to provide you with further information about the products / services they offer or to assist you in answering any questions or queries you may have submitted. This includes using your details to subscribe you to any email newsletter program the website operates but only if this was made clear to you and your express permission was granted when submitting any form to email process. Or whereby you the consumer have previously purchased from or enquired about purchasing from the company a product or service that the email newsletter relates to. This is by no means an entire list of your user rights in regard to receiving email marketing material. Your details are not passed on to any third parties.
This website operates an email newsletter program, used to inform subscribers about products and services supplied by this website. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.
Email marketing campaigns published by this website or its owners may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include; the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity [this is by no far a comprehensive list].
This information is used to refine future email campaigns and supply the user with more relevant content based around their activity.
In compliance with UK Spam Laws and the Privacy and Electronic Communications Regulations 2003 subscribers are given the opportunity to un-subscribe at any time through an automated system. This process is detailed at the footer of each email campaign. If an automated un-subscription system is unavailable clear instructions on how to un-subscribe will by detailed instead.
Adverts and Sponsored Links
This website may contain sponsored links and adverts. These will typically be served through our advertising partners, to whom may have detailed privacy policies relating directly to the adverts they serve.
Social Media Platforms
Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are custom to the terms and conditions as well as the privacy policies held with each social media platform respectively.
Users are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to their own privacy and personal details. This website nor its owners will ever ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.
This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.
Shortened Links in Social Media
This website and its owners through their social media platform accounts may share web links to relevant web pages. By default some social media platforms shorten lengthy urls [web addresses] (this is an example: http://bit.ly/zyVUBo).
Users are advised to take caution and good judgement before clicking any shortened urls published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine urls are published many social media platforms are prone to spam and hacking and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.
Resources & Further Information
v.3 May 2018 - ©2018 Copyright of Spencer Brown Photography Ltd
Spencer Brown Photography Ltd, Bridge Farm Haughley New Street, Stowmarket, Suffolk, IP14 3JN