Is an employer under an obligation to seek employees' permission before placing their photographs on its intranet?
A photograph of an employee displayed on the organisation's intranet would represent "personal data" under the General Data Protection Regulation (2016/679 EU) (GDPR), and its display would also have implications under the privacy provisions of the Human Rights Act 1998.
Under the GDPR, employers are obliged to process personal data "fairly and lawfully". This means that data about an individual must not be processed unless either the employee has consented to its use or one of a restricted list of conditions is met. "Data processing" includes the collection, use and disclosure of personal information, whether held manually or on computer. An employee's consent will be a valid legal basis for publishing their photo only if it is freely given. There must be no adverse consequences for an employee who does not consent. Employees can withdraw their consent at any time.
Furthermore, individuals have the right under the GDPR to be informed if personal data about them is being processed and the reasons why it is being processed. They also have the right to be told to whom the data may be disclosed, as well as the right to request access to the data.
Under Article 8 of the Human Rights Act 1998, individuals have the right to respect for their private and family life, home and correspondence. Using an employee's photograph on an intranet system will be an infringement of that person's private life, unless the employee's consent has first been obtained.
It follows from all this that the employer would be obliged in all cases to obtain an employee's permission before placing their photograph on its intranet.