On Pictures as Personal Data
Pictures may or may not contain sensitive personal information.
Although it seems logical to think that every picture is sensitive personal information, considering that sensitive personal information is defined under the Data Privacy Act:
Section 3(l)
Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person...
When taking a look at a picture of a person, you get to see their race, ethnic origin, age, color, and health. Does this mean that a picture is always sensitive personal information?
Not necessarily. Recital 51 of the GDPR states:
The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Although the DPA does not have a concept of "biometric data" (it is different than "genetic data"), I believe we can surmise from the Recital, applying to the DPA, that photographs only become sensitive personal information if the purpose for the processing is to determine sensitive personal information from the individual. If the purpose of the controller is to only identify an individual, but not specific characteristics like their race, age, or health, I think a photograph can only be considered as only ordinary personal information.