If your staff are photographing their screens with a mobile phone to send data to external clients, you have a data governance problem, a systems integration problem, or both — and probably some uncomfortable questions to answer about your organisation's security posture. This isn't a quirky workaround. It's a symptom of something genuinely broken in how your organisation manages and shares information.
The good news is that this is an extremely common problem, and it is entirely fixable. The bad news is that fixing it properly requires more than buying a new tool — it requires someone to actually care about the underlying process.
Why Are Organisations Forcing Staff to Do This in the First Place?
This situation almost never starts with malice. It starts with a gap — a client needs data, the system that holds the data doesn't have an export function, or the export function produces a format the client can't read, or the data is locked behind a firewall with no approved external sharing mechanism. So someone, somewhere, improvised.
And then the improvisation became the process.
I've seen this pattern in organisations of every size. A workaround that one person invented on a Tuesday afternoon becomes, over six months, the official way of doing things — documented in an onboarding guide, referenced in a team meeting, and defended in a steering committee as "how we've always done it." The photograph of the screen is rarely the original sin. It's usually the fossilised evidence of a decision nobody remembers making.
What are the most common root causes?
- System lock-in: The data lives in a legacy system with no API (Application Programming Interface — a way for software to talk to other software) and no modern export capability.
- Security policy gaps: IT has locked down direct data exports or external email attachments, but hasn't provided an approved alternative mechanism.
- Licensing restrictions: Some enterprise software limits data export rights based on licence tier, leaving teams with no legitimate extraction route.
- Poor data architecture: Data is scattered across systems with no single source of truth, making structured sharing practically impossible.
- Procurement failure: A system was purchased without anyone checking whether it could share data with the clients who needed it.
Is Photographing a Screen Actually a Problem? (Yes. Here's Why.)
Beyond the obvious indignity of asking a professional to use their phone as a photocopier, this practice creates real and serious risks that most organisations have not formally assessed.
What are the data security and compliance risks?
Under the UK GDPR (General Data Protection Regulation), personal data must be processed lawfully, securely, and only for specified purposes. A photograph taken on a personal or work mobile device creates an uncontrolled copy of that data — one that may be stored in a personal photo library, backed up to a consumer cloud service, or transmitted via an unencrypted messaging app.
The Information Commissioner's Office (ICO) has been clear that organisations are responsible for the security of personal data throughout its lifecycle. "We didn't know it was going to end up in someone's iCloud" is not a defence that tends to go well in a regulatory investigation.
Beyond GDPR, consider:
- Financial data: If the data includes commercially sensitive figures, a screenshot sent via personal email may breach contractual confidentiality obligations.
- Healthcare data: In NHS or social care contexts, photographing patient data on a screen is a potential serious incident under CQC (Care Quality Commission) standards.
- Audit trails: A photograph creates no audit trail. There is no record of what was shared, with whom, when, or whether the recipient was authorised.
What does this cost the organisation in human terms?
There is also a quieter cost that rarely makes it into a risk register. Staff who are asked to photograph screens know, on some level, that this is not how things should work. It signals to them that the organisation's systems are not fit for purpose, and that leadership either doesn't know or doesn't care.
According to a 2023 Gallup study, only 23% of employees globally feel engaged at work. Broken processes are a significant contributor to that disengagement. Asking someone to use their phone as a workaround for a £50,000 enterprise system is a reliable way to accelerate the feeling that nobody is in charge.
What Are the Legitimate Alternatives to Photographing Screens?
The right solution depends on what's actually driving the problem. Here are the main categories of fix, from the quick-and-tactical to the properly structural.
Quick fixes (days to weeks)
- Approved screenshot tools with audit logging: If screen capture is genuinely unavoidable in the short term, replace ad hoc phone photography with a controlled screen capture tool that logs what was captured, by whom, and when. Tools like Snagit or built-in OS screenshot functions combined with a document management system can at least make the process auditable.
- Secure file sharing platforms: Microsoft SharePoint, ShareFile, or even a well-configured OneDrive shared folder can give external clients access to approved data without requiring any screen capture at all.
- Approved export formats: If the system can export to CSV, PDF, or Excel but staff don't know this, or IT has blocked it, that's a solvable problem in a meeting rather than a project.
Medium-term fixes (weeks to months)
- Client portal implementation: Many CRM (Customer Relationship Management) and case management systems support external client portals where clients can log in and view their own data directly — removing the need for any manual sharing at all.
- Scheduled automated reports: If the client needs a regular data extract, most modern systems can be configured to generate and send this automatically on a schedule. This is often a configuration task, not a development project.
- Middleware or integration tools: Platforms like Zapier, Power Automate, or MuleSoft can connect systems that don't natively talk to each other, enabling automated data flows without manual intervention.
Structural fixes (months to longer)
- API-first data strategy: Organisations that share data regularly with external parties need a formal approach to how data is exposed externally — typically via a managed API layer. This is a genuine architectural investment, but it pays for itself quickly in reduced manual effort and risk.
- Master Data Management (MDM): If the root problem is that data is fragmented across systems with no single source of truth, MDM is the discipline — and the technology investment — that addresses it at source.
- System replacement: Sometimes the honest answer is that the system holding the data is not fit for purpose. That's a harder conversation, but it's better to have it now than after a data breach.
How Do You Choose the Right Solution?
| Solution Type | Best For | Typical Cost | Implementation Time | Risk Reduction | Limitations |
|---|---|---|---|---|---|
| Audit-logged screen capture | Bridging gap while a proper fix is built | Low (£0–£500/year) | Days | Moderate (creates audit trail) | Doesn't solve the underlying problem |
| Secure file sharing | Sending static documents or extracts | Low–Medium (often included in M365) | Days–Weeks | High (encrypted, auditable) | Still requires manual data extraction step |
| Client portal | Repeat data sharing with same clients | Medium (£500–£5,000+ setup) | Weeks–Months | Very high | Client adoption required; UX must be good |
| Automated scheduled reports | Regular, predictable data extracts | Low (configuration, not usually new cost) | Days–Weeks | High | Only works for standardised, recurring needs |
| Integration middleware | Connecting disparate systems | Medium–High (£2,000–£20,000+) | Months | Very high | Requires technical resource; ongoing maintenance |
| API layer / MDM | Organisations sharing data at scale | High (£20,000–£200,000+) | Months–Years | Highest | Significant investment; requires data strategy |
| System replacement | Legacy systems with no integration capability | Very High | Years | Highest (if done well) | Organisational disruption; high failure rate if rushed |
How Do You Make the Case Internally for Fixing This?
This is, frankly, often the hardest part. The photograph-of-the-screen workaround has usually been running long enough that it feels normal, and proposing a fix requires someone to admit that the current situation is a problem — which implicitly means someone failed to prevent it.
In my experience working with public sector and third sector organisations, the most effective way to make this case is not to lead with the technical solution. It's to lead with the risk.
How do you frame this as a risk issue?
- Quantify the exposure: What data is being shared? Does it include personal data under UK GDPR? What would a breach cost — financially, reputationally, regulatorily?
- Document the current process: Write down exactly what happens today. "A member of staff photographs their screen with a personal mobile phone and sends the image via WhatsApp to the client contact." Read that sentence aloud in a board meeting. It tends to focus minds.
- Identify the ICO risk: Under UK GDPR, fines for serious breaches can reach £17.5 million or 4% of global annual turnover, whichever is higher. For most organisations, the cost of a proper solution is considerably less than either of those numbers.
- Propose a proportionate fix: Don't walk in asking for a £200,000 data platform. Walk in asking for approval to implement a secure file sharing solution that costs nothing because it's already included in your Microsoft 365 licence.
What if leadership doesn't see it as a priority?
Then you document that you raised it, record the response, and keep the paper trail. This is not cynicism — it's professional self-protection. If a breach occurs because a known process risk was not addressed after being formally escalated, the question of who knew what and when becomes very relevant very quickly.
I've sat in enough post-incident reviews to know that "we raised it in March" is considerably more useful than "we assumed someone else was dealing with it."
What About Staff Who Are Already Doing This — What Do You Tell Them?
Be direct and be fair. Staff who are photographing screens are almost certainly doing so because they were told to, or because no alternative was provided. They are not the problem. The process is the problem.
- Don't blame the individual. The workaround exists because the organisation failed to provide a proper mechanism. Disciplining someone for following a process leadership implicitly sanctioned is both unfair and likely to damage trust.
- Communicate clearly when you change the process. Tell staff why the old approach was a risk, what the new approach is, and how to use it. Don't assume people will figure it out.
- Acknowledge the gap. "We know this has been a painful workaround and we should have fixed it sooner" goes a long way. People appreciate honesty from leadership. They're often not getting much of it.
Frequently Asked Questions
Is photographing a screen at work illegal in the UK?
It is not automatically illegal, but it can breach UK GDPR if the photograph contains personal data and is not handled securely. It may also breach employment contracts, confidentiality agreements, or sector-specific regulations. The act itself is less important than what data is captured and how it is subsequently handled.
What should I do if I've been asked to photograph my screen and I'm uncomfortable?
Raise it formally. Document the request and your concern in writing — an email to your line manager is sufficient. If your organisation has a data protection officer (DPO), you can raise it with them. You are not obliged to participate in a process you believe creates a compliance risk.
Can we just use WhatsApp to share client data instead of photographing screens?
No. Consumer messaging apps including WhatsApp are not appropriate for sharing client data in most professional contexts. Data shared via WhatsApp is stored on Meta's servers and may be processed outside the UK. This is incompatible with most organisations' data protection obligations and almost certainly with your client contracts.
What is the cheapest way to fix this problem?
If your organisation already uses Microsoft 365, you almost certainly have access to SharePoint and OneDrive, which can be configured to share files securely with external parties at no additional cost. This is often the fastest and cheapest legitimate solution for organisations that haven't yet explored what their existing licences include.
How do I know if this is a GDPR breach?
If personal data — defined under UK GDPR as any information that can identify a living individual — is being shared in a way that is not secure, not auditable, and not covered by a lawful basis for processing, you are likely in breach. You should consult your Data Protection Officer or an external data protection adviser. The ICO website (ico.org.uk) also provides practical guidance for organisations assessing their compliance position.
Does this apply to the public sector and charities too?
Yes, and arguably more so. Public sector bodies and registered charities are subject to UK GDPR, and many handle sensitive categories of personal data — health information, financial vulnerability data, safeguarding records — where the consequences of a breach are particularly serious. The fact that an organisation is not-for-profit provides no regulatory protection.
What if our client is the one asking us to send data this way?
Your data protection obligations are not determined by what your clients ask for. If a client asks you to send personal data via an insecure channel, you are still responsible for how that data is handled on your side. You can — and should — explain that you are unable to share data in that way and propose a secure alternative. Most clients, when the risk is explained clearly, will accept a better method.
Nicholas Hodder is a digital transformation and technology leader with over 20 years of experience working across public sector, charity, and commercial organisations. He speaks and writes on the gap between digital strategy and the lived reality of making technology work for people — including the moments where that gap is best illustrated by someone photographing a screen with their phone in a shared office.
