Compliance · 21 March 2026 · 7 min read

HR and Corporate Photo Metadata: A Compliance Guide for Businesses

Employee headshots, event photos, and internal images collected by HR teams contain personal data in hidden metadata. Here's how to build a compliant photo handling policy.

The headshot on your employee directory, the photos from your last team-building event, the product shots from your warehouse — all of these were taken on devices that embedded GPS coordinates, timestamps, and device identifiers in every file. Most businesses store and process this data without realising it qualifies as personal data under UK GDPR.

Why Corporate Photo Metadata Is a Compliance Issue

Under UK GDPR, any information that relates to an identifiable living person is personal data. Photo metadata meets this threshold in several ways:

GPS coordinates in employee photos — headshots taken by an employee on a personal phone with location tagging enabled contain GPS coordinates. If the photo was taken at home, those coordinates reveal the employee's home address. If taken at a previous workplace, they may reveal a location the employee has not disclosed.

GPS coordinates in HR documentation — photos submitted as part of ID verification, visa applications, or compliance workflows carry whatever GPS was embedded when the photo was taken.

Timestamps in event photos — photos from staff events record who was photographed, where, and when. This creates a record of employee attendance at locations and times that was not necessarily consented to as part of employment.

Device identifiers in photographs — camera serial numbers can link photos across different contexts, potentially revealing information about employees' use of their personal devices.

Common Corporate Scenarios Carrying Metadata Risk

Employee headshots for directories and intranets — the most common HR photo use case. Employees typically photograph themselves or are photographed by colleagues. The resulting files usually contain GPS data. These are then stored in HR systems, published on the intranet, and sometimes on external websites.

Right-to-work and ID verification — some employers collect photos of identity documents. These photos carry GPS from whatever device was used to photograph the document — potentially the employee's home.

Onboarding documentation — photos submitted digitally as part of onboarding paperwork follow the same pattern.

Corporate event photography — professional photographers typically deliver images with copyright and technical metadata intact. GPS data is often present. These images are stored in shared drives, emailed to teams, and published in internal communications.

Facilities and health and safety documentation — photos taken at workplace locations during inspections, incident reporting, or facility surveys may be shared externally with insurers, consultants, or regulators. GPS metadata confirming precise workplace locations travels with these files.

Building a Compliant Photo Handling Policy

A practical compliance policy for business photo metadata covers four areas:

Collection — wherever possible, employees should be instructed to disable location tagging in their camera app before submitting photos for HR purposes. This prevents sensitive location data from being collected in the first place.

Processing — before storing any submitted photos in an HR system, intranet, or shared drive, strip all metadata. This is data minimisation under GDPR Article 5(1)(c). ExifVoid can be used for individual files; ExifTool can automate batch processing.

Storage — retain only the processed (metadata-stripped) version. There is no legitimate business purpose for retaining GPS coordinates from an employee's home photo in a staff directory.

Sharing — if photos are shared with third parties (marketing agencies, web developers, publishers, external systems), ensure the shared versions have been stripped. Third-party data sharing with personal data requires appropriate contractual and privacy notice provisions.

What Your Privacy Notice Should Say

Your employee privacy notice (under UK GDPR Articles 13 and 14) should describe the categories of personal data you collect. If you collect photos, you should consider whether to explicitly describe the processing of photo metadata, particularly GPS data, as a category.

If employees are sending photos from personal devices, the privacy notice should accurately describe what data is collected and what happens to it.

Practical Steps for HR Teams

  1. Instruct employees to turn off location on their camera app before submitting headshots or any photos for HR purposes. Provide simple written instructions covering iPhone and Android.
  2. Establish a metadata-stripping step as part of the process for receiving and storing employee photos. This can be manual (ExifVoid) or automated (ExifTool in a workflow).
  3. Audit existing photo storage — review what photos are held in HR systems and shared drives with metadata intact. For files already stored, a batch strip using ExifTool cleans existing archives.
  4. Update your privacy notice and Article 30 records to reflect photo metadata as a category of personal data and describe the retention and processing practices in place.
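The processing and audit steps above can also be done without external tools. The following is an added example, not code from the original post or from ExifVoid or ExifTool: a small Python parser that walks a JPEG's marker segments, flags files whose Exif IFD0 carries a GPSInfo pointer (the audit), and strips the whole APP1 Exif segment while leaving other segments and the image data intact (the processing step). The function names are my own, and `build_sample_jpeg` builds a constructed fixture rather than reading a real photo.

```python
import struct

SOS, APP1, EXIF_HEADER = 0xFFDA, 0xFFE1, b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD
def iter_segments(data):
    """Yield (marker, start, end) for each JPEG marker segment up to and including SOS."""
    if data[:2] != b"\xff\xd8": raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        end = pos + 2 + length                # length counts itself but not the 2-byte marker
        yield marker, pos, end
        if marker == SOS:                     # entropy-coded image data follows; stop parsing
            return
        pos = end

def exif_has_gps(data):
    """True if the APP1 Exif block's IFD0 contains a GPSInfo pointer (tag 0x8825)."""
    for marker, start, end in iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            tiff = data[start + 10:end]
            order = ">" if tiff[:2] == b"MM" else "<"     # byte order from the TIFF header
            ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
            count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
            tags = [struct.unpack(order + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0] for i in range(count)]
            return GPS_IFD_TAG in tags                    # each IFD entry is 12 bytes, tag first
    return False

def strip_exif(data):
    """Return the JPEG with every APP1 Exif segment dropped; other segments and pixels untouched."""
    out, tail = bytearray(data[:2]), 2
    for marker, start, end in iter_segments(data):
        if not (marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER):
            out += data[start:end]
        tail = end                            # bytes after the last parsed segment are copied verbatim
    return bytes(out + data[tail:])

def build_sample_jpeg(with_gps):
    """Constructed fixture: a minimal JPEG container (not a decodable picture) carrying Exif."""
    entries = [(0x0110, 2, 4, b"Cam\x00")]                           # Model tag, ASCII, inline value
    entries += [(GPS_IFD_TAG, 4, 1, struct.pack(">I", 38))] * with_gps  # GPS sub-IFD pointer, offset 38
    ifd0 = struct.pack(">H", len(entries))
    for tag, typ, count, value in entries:
        ifd0 += struct.pack(">HHI", tag, typ, count) + value
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + struct.pack(">I", 0)   # header, IFD0, no IFD1
    tiff += struct.pack(">HI", 0, 0) if with_gps else b""            # empty GPS sub-IFD at offset 38
    app1 = struct.pack(">HH", APP1, len(tiff) + 8) + EXIF_HEADER + tiff
    app0 = struct.pack(">HH", 0xFFE0, 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + app1 + sos + b"\xde\xad\xff\xd9"
```

In production ExifTool (`exiftool -all=`) does the batch strip; a scanner like `exif_has_gps` is useful as an independent check that GPS really is gone from an archive after the job runs. Note that XMP (a different APP1 payload) and IPTC (APP13) can also carry location text, so a full audit should cover those too.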

Frequently Asked Questions

Do we need employee consent to collect headshots?

Headshots collected for legitimate employment purposes (staff directories, ID cards, access systems) typically rely on legitimate interests as the lawful basis rather than consent — provided the processing is proportionate and described in the privacy notice. The same lawful basis extends to processing the associated metadata, but data minimisation applies: only collect what is necessary.

Can employees object to their photos being stored with metadata?

Under GDPR, employees have the right to object to processing on legitimate interests grounds. A practical response to any such objection is to strip metadata from all photos as standard practice — removing the concern entirely.

Do we need to notify the ICO if we discover we have been storing GPS data in employee photos?

Discovering that metadata has been retained does not automatically constitute a reportable breach. A breach requires a risk assessment: has the data been accessed by unauthorised parties? Has it been shared externally? If metadata was retained internally and was not accessed inappropriately, internal remediation (stripping and updating policies) is typically sufficient without a mandatory notification.

Is stripping metadata from employee photos a reasonable step to expect businesses to take?

Yes. The ICO expects organisations to implement technical measures proportionate to the risk. Stripping metadata from employee photos is straightforward, low-cost, and directly addresses a real data minimisation obligation.
