book a demo

Managing privacy and consent within a digital asset management solution

March 13, 2024 Antra Silova

privacy and consent in DAM

These days we all have heard the phrase “amid rising privacy concerns”, however, this phrase is typically related to how our personal information is being kept, maintained and in some cases used on websites.

Privacy and consent extend beyond traditional notions of personal information. While we often associate consent with contact details or medical records, it's crucial to understand that any data where an individual can be identified falls under the purview of privacy regulations. This includes artworks, photos, and videos, making robust consent policies essential for Digital Asset Management (DAM) solutions to protect the privacy of individuals and comply with Australian regulations.

What can go wrong?

Consider a scenario where a random photo of someone on a beach appears on a local council website, or worse still in a product advertisement… without any consent being collected. With the upcoming changes to the Australian Privacy Act you can expect individuals seeking greater protection and right to sue in case of invasion of privacy. Now that we have the setting for a major out of court settlement which will not be cheap! 

So, what went wrong? When should we be concerned? How do we avoid inappropriately using content in our day-to-day job roles?

 Let's explore.

Privacy and consent book cover  (2000 x 1080 px)

What is consent?

In Australia, consent refers to the voluntary agreement of an individual to the collection, use, or disclosure of their personal information by an organisation for a specific purpose. Consent is a fundamental principle of privacy laws and is essential for ensuring that individuals have control over their personal data, as set out by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Key aspects of consent in Australia include:

  1. Voluntary Agreement: Consent must be freely given by the individual without coercion or pressure from the organisation.

  2. Specific Purpose: Consent should be obtained for a specific purpose, and individuals should be informed about how their personal information will be used or disclosed.

  3. Informed Consent: Individuals must be provided with clear and understandable information about the purposes of data collection, the types of personal information being collected, and how it will be used or disclosed.

  4. Explicit Consent for Sensitive Information: For sensitive information, such as health information or racial or ethnic origin, explicit consent is generally required.

  5. Withdrawal of Consent: Individuals have the right to withdraw their consent at any time. Organisations must provide mechanisms for individuals to easily withdraw consent and stop the use or disclosure of their personal information.

  6. Capacity to Consent: Organisations should ensure that individuals have the capacity to consent, particularly when dealing with vulnerable individuals such as children or people with disabilities.

What does it mean for photos and videos?

Note, "personal information" refers to all data related to an "identifiable individual", whose identity can be reasonably worked out, that includes photos and videos. The individual can request the asset deleted or removed.

This means the privacy laws apply and consent must be obtained and stored accordingly. 

But who is to obtain consent?

The duty lies on the owner of the asset. According to Australian copyright law, the owner is the original photographer, or a business or institution who have contractual agreement with the photographer. 

What is privacy?

Within the context of digital asset management… privacy is all about the images, videos, and recordings of people. The photo of you at an event, the footage of you and your family eating out, a recording of a conversation you had with a friend and the like.

While Australia lacks specific laws around publicity or personality rights, individuals' images are still protected as personal information under the Privacy Act 1988 (Cth). This means that businesses and agencies must tread carefully when publishing images, ensuring either non-commercial use or obtaining appropriate consent. Enter Digital Asset Management (DAM) solution, the unsung hero of privacy and consent management in the digital world. 

According to Arts Law website:

"There are no publicity or personality rights in Australia, and there is no right to privacy that
protects a person’s image. However, a person’s image can constitute ‘personal information’
under the Privacy Act 1988 (Cth) with the consequence that there are circumstances in which
businesses and agencies subject to that Act may breach the law by publishing a person’s image."

How to manage privacy and consent in a DAM

A modern DAM solution should offer features to properly manage privacy and consent in one central location. For real-life examples and strategies download our eBook: How to Manage Privacy & Consent in Your DAM Solution.

Consent forms

Most DAM solutions allow you to upload both image and documents such as pdf. So, you will need to digitalise the signed consent form and upload it with the image. Then how do you relate the two assets together?

In Canto, you will have the ability to relate assets together. This is a very direct association, does not require the creation of superfluous categories or references. Just select the two assets, click a button, and typically nominate which one is the main asset i.e. the photo that is being agreed to.

Consent expiration management

Approval statuses play a pivotal role in DAM solutions. From pending to approved and expired, these statuses govern the accessibility of content based on consent and duration. A robust DAM should offer customisable approval statuses and automated workflows for seamless content management. 

Most DAM solutions will have workflows implemented that ensures that content that has
been uploaded will either:
- Have an approval status applied as part of the upload process
- Go through further steps where a suitable DAM administrator applies the correct approval status to the content

Along with the application of approval status there should also be an Expiry Date set for the approval. Check back to the original definition of a consent form and you will note that there is an area of the form for duration of consent. Typically, the DAM solution should push over content from its assigned approval status to an expired status when this date is reached.

In Canto, notifications can be set up to inform DAM admin of upcoming expiration, which then allows to request extension of consent, or automatically remove asset from circulation.

Managing access

Sharing content securely is paramount, whether for one-off or multi-usage purposes. For one-off usage, simply store the content in the DAM and share it via a secure link. For multi-usage, ensure the content is accessible to your team via self-service portals while adhering to approval statuses and expiry dates. 

In Canto, you can set access permissions based on needs and structure of your organisation. Restricting access to an asset is the easiest way to avoid unnecessary privacy breach complaints, or worse - legal consequences. 

Notifiable_Data_Breaches_Report__January_to_June_2022___OAICHuman error caused data breach from July 2023 - Dec 2023. Source:

For a more comprehensive discussion and real-life examples download our eBook: Managing Privacy and Consent in a DAM Solution

Share This: