Forum menu
My picture on my staff profile at work is terrible. It's a few years old when I was about 4 stone heavier so it's not the most flattering photo. I have managed to have it removed from my staff profile on the website and from the staff directory, but I can't seem to delete it on my Outlook 365 account. So I have 2 questions:
1) Does anyone know how to remove it from Outlook365? I have tried deleting it on the account settings page but it is still there.
2) After the GDPR go live in May do my employers have the right to keep using it if I request that they don't?
Have you tried changing your profile picture from the office.com portal?
If you request its deleted, then they have to delete it unless they have another lawful basis for keeping it. In this case I doubt they will have reason to keep it.
If you have deleted it from O365, you may have to wait before it gets removed from the address book. Maybe 24 hours.
you could try overwriting the existing with a new one? yes a photo is classed as personal data but your employer would probably be narked if you started quoting GDPR to update your staff picture, they'll be dealing with a lot of other stuff 🙂
Just put on 4 stone. Then the picture will be an accurate likeness. Problem solved.
You're welcome.
I’m quite happy that my staff photo looks nothing like me (I’m now 10 years older, a couple of stone lighter and bearded)
did you change it here?
Rather than coming over as confrontational, have you actually spoke to HR and asked if your photo can be changed?
They can refuse your request if they have a legitimate reason for doing so. I'd have thought "you work here" would be a legitimate reason.
I fail to see why you can't just send IT / HR a new photo and say "can you update my photo please?" They must have the ability to upload it in the first place.
They can refuse your request if they have a legitimate reason for doing so. I’d have thought “you work here” would be a legitimate reason.
That should read lawful, not legitimate and I don't think that they will have a lawful reason for keeping a photograph, its not necessary for them to comply with the terms of your employment contract.
You do realise that you used to look like that to everyone.
Will you be asking them to delete that from their memory as well ?
I have the opposite with my PHC(taxi) ID renewal. The council won't accept the same mugshot as the expired ID despite me assuring them I've not changed.
That should read lawful, not legitimate and I don’t think that they will have a lawful reason for keeping a photograph, its not necessary for them to comply with the terms of your employment contract.
There are still plenty of legal basis for keeping a staff photo .. one of which is the one used for any ID badge etc.
So long as this is documented in their Article 30 Data Register they are not doing anything wrong...
It may well be this later gets tested .as the GDPR isn't very specific and companies can write their legal basis and it essentially stands but might later be challenged.
.. but as of now if they define a legal basis (and it half sane) they can keep it.
HOWEVER: In this case it seems that the problem is NOT the company but Office365...
This is a whole level of extra complexity.
Personally I'd be very unhappy my company sharing my personal data with Microsoft.
The company need a document in place by May 25th where Microsoft as the data processor agree to follow the the companies policies on personal data. Technically this has been required for 11 months... the GDPR has been enacted since May 25th 2017... it's just the fines are not being levied!
One of these should be use of photo's and to what end Microsoft NEED a photo to provide the service.
This would seem to be beyond tenuous....
Ask HR how to update your picture, simple answer really.
I would phone the IT support desk first, if you phone HR as soon as the words 'office365' are used they'll point you to IT, so if it really is HR then IT will tell you this and you can then tell HR that you've already been via IT
In this case it seems that the problem is NOT the company but Office365…
This is a whole level of extra complexity.
From a GDPR perspective perhaps. It's not necessarily more complex at a technical level.
We use O365 at work here. Staff photos are uploaded to the HR database, and a script runs overnight to push employee details up to O365. If I were to go and change my details in Outlook (assuming I even can), they'd be reverted back the following day to what the HR system says.
The gotcha with GDPR at the moment is as stevextc suggests - it's a fairly vague framework and English law relies heavily on precedence set by previous legal cases, of which there are none. The answer to "can I ask...?" is yes, of course you can. The answer to "... and do they have to comply?" is somewhat trickier to answer as no-one's tested it in court yet. It's down to individual interpretation of the EU legislation.
To my mind the 'spirit' of GDPR is to dissuade all and sundry from holding loads of personal data about you for no good reason, it refers a lot to the "processing" of data. Invoking GDPR with your own employer seems somewhat barking to me, especially when you could just ask them to update the photo with a new one.
That should read lawful, not legitimate and I don’t think that they will have a lawful reason for keeping a photograph, its not necessary for them to comply with the terms of your employment contract.
We're splitting hairs but IIRC "legitimate" is the term used by GDPR; if it's legitimate for them to hold that information then that's what makes it lawful.
I'd have thought that an employer holding photographs of its employees for identification purposes would certainly count as legitimate reason.
We’re splitting hairs but IIRC “legitimate” is the term used by GDPR; if it’s legitimate for them to hold that information then that’s what makes it lawful.
If you are going to split hairs its probably best to be right! GDPR uses both terms - there are 6 Lawful reasons for processing data - one of those is Legitimate Interest.
I’d have thought that an employer holding photographs of its employees for identification purposes would certainly count as legitimate reason.
It would, but (and this applies to the current DPA too) the Data Controller (employer) is required to keep data - up-to-date (GDPR Article 5(d) and DPA 1988 Schedule 1 Part 1, Principle 4.
The gotcha with GDPR at the moment is as stevextc suggests – it’s a fairly vague framework and English law relies heavily on precedence set by previous legal cases, of which there are none. The answer to “can I ask…?” is yes, of course you can. The answer to “… and do they have to comply?” is somewhat trickier to answer as no-one’s tested it in court yet. It’s down to individual interpretation of the EU legislation.
To my mind the ‘spirit’ of GDPR is to dissuade all and sundry from holding loads of personal data about you for no good reason, it refers a lot to the “processing” of data. Invoking GDPR with your own employer seems somewhat barking to me, especially when you could just ask them to update the photo with a new one.
Exactly...
We’re splitting hairs but IIRC “legitimate” is the term used by GDPR
It's ONE of the terms ... the whole thing is full of vague half definitions (e.g. data minimisation)
but going back ... if we had a clear codified law there would be a lot less to test but until test cases are run under UK case law it's a pigeon shoot.
To my mind the ‘spirit’ of GDPR is to dissuade all and sundry from holding loads of personal data about you for no good reason
If (as I do) you have to follow Elizabeth Denning's blog and the ICO Blog then this is certainly the UK is seeing to implement on those lines.
Companies are (from experience) in two camps ... there are those in outright denial "Oh it wasn't written for companies like ours" and those saying "Holy cow... this is going to be difficult"
Those in denial will be hammered and cease to exist as companies due to fines. Any company not having an article 30 data register will just have the book thrown at them to set an example.
Any company with a data register .. that can show they have tried, are continuing to try and have a plan to be more complaint will likely get a "try harder"... (normal disclaimers around seek your own in dependent councel apply)
The last thing you really want to do with your employer that is trying is make a big fuss and claim GDPR say's...
If your company isn't trying and has taken the "it doesn't affect us" attitude then you probably have little to lose as you won't have a job in a few months anyway when the company gets hit with a maximum fine.
It's not rocket science after all!
It's like turning up to court with a suit and such... vs turning up (or not) and telling a judge you don't recognise their authority. If you try telling the ICO "it doesn't apply to us"... you can expect them to throw the book at you.
What are your credentials in this field Stevextc? A lot of the things you are saying here are not matching with what my qualified GDPR practitioner are telling me.