The most popular frequently asked questions
Below is a list of questions that get asked in relation to school communities, Classlist and data protection.
How does data protection affect PTAs?
Do PTAs in the UK and EU have different obligations post Brexit?
Not to any significant extent. All EU countries passed legislation to implement the EU's General Data Protection Regulation (GDPR) in 2018. UK law is very similar to data protection law in other EU countries and is likely to remain closely in lockstep, to ensure data can be transferred seamlessly between the UK and EU countries. Other related pieces of legislation, such as the UK's Privacy and Electronic Communications Regulation (PECR), may diverge over time in some areas. Overall, court decisions on how to interpret GDPR made within the EU are still likely to have a significant bearing on how data protection laws are interpreted in the UK.
What are the "must dos" for data controllers?
This varies per country, but to comply with the GDPR requirement in force across Europe and the UK you must demonstrate that, for example:
- you have data protection policies and procedures in place;
- you keep evidence of parents' consent to use their details;
- you have appropriate procedures for new elements such as the right to be forgotten; subject access rights; data portability; data breach notification within 72 hours and many other elements.
Many other countries have data protection legislation with similar provisions. In general the EU GDPR requirements are some of the toughest in the world, although many other countries are tightening their requirements and moving in a similar direction.
Classlist's system is designed to help you comply with all of the above requirements.
Does the PTA need a Data Protection Officer?
We don't believe this is necessary. ICO guidance states that you need a DPO if you:
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or:
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
A PTA doesn’t perform either of these activities at either small or large scale so you are not required to have a DPO.
This is way too much info. I want everything on one A4 page
That really would be spoiling the party. OK. Here you go. A one page summary with everything you need.
What happens if there isn't a separate PTA, or the PTA organisation has been merged into the school?
Some schools are re-integrating their PTAs into the school organisation. In this case the school will be the data controller and PTA officials are treated in the same way as school staff.
What's the difference between a Data Controller and a Data Processor?
The difference between these two roles is critical but not always obvious. According to the Information Commissioner's Office, a "data controller" means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A "data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
In the Classlist context the PTA or school is generally the data controller and Classlist is the data processor. However, in specific circumstances these roles can change. This is set out in the legal documents in the Compliance Document Centre.
What's the difference between a Classlist Member and Non Member?
A Classlist Member has completed the registration procedure, and the personal details they chose to share are visible to other users. They are a full member of the site and can access all its functionality.
A Classlist Non Member will have been invited by email to join the site but has not registered. No information on them will be available to other users with the exception of site administrators. A Non Member who has been regularly and recently receiving emails or similar communications from the PTA or school relating to the parent community will continue to be included in these communications through the Classlist email system. They have the option of unsubscribing at any point.
What your school can do to help
What information can the school lawfully supply to the PTA?
Classlist and GDPR
Classlist’s app enables school parents to share personal data with each other within a secure, structured, GDPR compliant framework. Classlist sites are run either by the School or the Parent Teacher Associations or Friends (the “PTA”), who act as Data Controllers with Classlist acting as their Data Processor. Data is obtained on a consent basis as parents create their own Classlist account and decide exactly what to share with whom.
How schools can lawfully share parent contact details with their PTA
Where PTAs run Classlist sites they may lack a comprehensive set of parent email addresses, and cannot systematically identify and invite new parents joining the school. This makes it more difficult for PTAs to build a fully inclusive parent community.
To help resolve this, Classlist has recently heard back from the Information Commissioner’s Office (ICO) and taken legal advice to establish how the school can lawfully share parent personal data with PTAs using Classlist, where both organisations share a common purpose of building a strong, supportive parent community.
ICO has indicated this data sharing should be covered through a short addition to the school’s Privacy Notice. A Data Sharing Agreement between the school and PTA can also be concluded through an exchange of emails - although this is optional and not a legal requirement, it is nevertheless considered good practice. It helps establish a paper trail and assists the school with its accountability obligations.
From a legal perspective the School, as one Data Controller, will already have authority to share data with other Data Controllers. These should already be listed in the school’s existing Privacy Notice.
Purpose and lawful basis for sharing data
In order to add the PTA to their Privacy Notice list, the School must state the purpose and the lawful basis for sharing data. Parents should also be notified that the Privacy Notice is being amended. This could be included as part of ongoing school communications highlighting the Classlist app.
The PTA will use Classlist for the purposes of informing parents/guardians about PTA activities, events and news and establishing and maintaining relationships and communication between parents/guardians and the PTA.
The lawful basis for sharing will either be to support the “legitimate interests” of both organisations, or to assist with the “public task” of the school, depending on the type of school involved.
A further lawful basis of “consent” is available (for example some schools specifically ask parents if they wish to share personal data with the PTA). However this is not necessary as it is within the reasonable expectations of parents that the School will share data with the PTA, who share a common purpose, reflected in the School’s Privacy Notice.
Management of data shared by the school
Schools will be keen to ensure that the PTA will comply fully with GDPR requirements when using parent data and Classlist has been designed to enable this. Administrators enter parent emails supplied by the school directly into Classlist’s secure system, making it easier both to invite parents and to include them in ongoing PTA communications. This data is only visible to PTA administrators. Each parent still needs to opt in and consent to share any personal data with other parents, and can unsubscribe at any point.
Recommended wording for the Privacy Notice, Data Sharing Agreement and note to parents is set out in the Appendix below should you wish to use it.
What does my school need to do? What can I send to explain everything?
The Classlist website has lots of material describing how the app works and the benefits to schools and parents.
Regarding data protection specifics, the school is already a Data Controller and will be working with you as another Data Controller. They have all the data needed to enable you to validate new applicants, and should be keen to help as this ensures a well-functioning, trusted parent community. They can also assist with allocation of members to new classes at the beginning of each academic year, which can otherwise become very time consuming. A draft letter to the school from PTAs launching Classlist is here and a draft letter for PTAs which currently operate Classlist is here.
Why should my school agree to help? What's in it for them?
The school is likely to see some advantages in Classlist and may have some concerns. The advantages are typically around cost - a reduction in school office admin time; and around parent engagement - which is a new OFSTED metric - recent studies show that stronger parent communities can really improve student outcomes. They may also see benefits around safeguarding where parents can help each other with supervision and information both for junior and teenage years.
A few school heads are concerned that Classlist will be used for complaining and tittle tattle. This would be contrary to our user guidelines and has proved extremely rare. What is far more common is parents using Facebook or WhatsApp to complain, where content can be difficult to moderate or remove. Heads often tell us they prefer Classlist for exactly this reason.
Finally, where parents, school or PTA bring in local sponsors to support Classlist, 50% of the revenue goes back to the school which is always very welcome.
What happens if my school doesn't agree to help, or can't do anything quite yet?
If the school is too busy or doesn't have capacity to help right now, this is far from a show stopper. It certainly helps if the school head sends an announcement to parents encouraging them to join. However, many PTAs using Classlist around the country have relied on their own resources to develop invite lists, get the word out, and get Classlist sites up and running. You don't have to wait for the school to be ready.
Is it better to have the school as Data Controller?
The choice of data controller needs to reflect the reality of who is administering the site. This organisation will have more privileges and can use it for more things. If you have an active PTA with lots of Class Reps, events and announcements then we generally recommend the PTA takes the lead. If the PTA doesn't communicate extensively with parents or has limited resources and the school is either very active in promoting the parent community, or wants to enable parents to contact each other, it is fine for the school to lead. You do need to make it clear to parents who manages the site. If this changes later, you can always ask parents to reconfirm they are happy with new arrangements.
Some schools prefer to be data controllers. This does make it easier for them to issue invitations and to build a very inclusive community. Where the school runs the site the PTA does not have an official role, although PTA members can send invitations and messages just as other members can. PTA officials can assist with some site administration tasks if the school has limited resources, but they must be careful not to use personal data or other information they obtain in this capacity for other PTA purposes. Classlist's Terms and Conditions explain this in more detail.
Liabilities and risk
How can new legislation change PTA liabilities? Do we need to review our insurance?
Your legal liabilities will vary depending on which country you operate in. For example, any organisation working in the UK with personal data needs to comply with the 2018 UK Data Protection Act. This may well apply even if you simply circulate a spreadsheet of names. Many other countries are moving towards a data protection framework similar to the European GDPR, on which UK law is based. Working with Classlist means you have taken a big step to manage and reduce any potential liabilities, because our processes have gone through a legal audit and have multiple data protection safeguards automatically built in.
- Through using Classlist as your Data Processor you can immediately comply with the requirement, typical in many countries, to use a properly structured and secure approach to data management. Classlist also becomes responsible for some of the technical and cybersecurity aspects of where personal data goes, who is authorised to access it, and how it is protected from attack.
- Regarding insurance, should there be a data breach where Classlist's systems are at fault, we are fully insured for public liability, professional indemnity and also have specific cover for cyber insurance. PTAs generally hold insurance policies designed to cover public and personal liability for the Association and its officers. You are advised to check your coverage to ensure all relevant contingencies are covered.
- In choosing to work with Classlist, you have selected the market leader in the area of school parent to parent communications. Classlist brings experience from working with thousands of schools around the world. We have worked with some of the UK's best known lawyers specialising in data protection for schools to ensure that our procedures comply with current UK legal requirements. We also work with many data protection officers and specialist firms around the world to ensure our procedures are in line with local legislation. Fortunately the GDPR based approach followed in the UK and EU is seen by many as the "gold standard" for data protection. You will therefore be seen to have acted in a prudent and conservative manner in selecting your supplier. Naturally Classlist cannot be held responsible for data breaches where the PTA is at fault. However, through using Classlist's purpose-built system, which is designed entirely around security, privacy and meeting PTA requirements, we believe that the likelihood of personal data going astray is significantly reduced.
What liability does my school take?
Classlist's agreement to act as Data Processor for the PTA or school means that we take prime liability for any breakdown in our systems or processes. As you would expect, the school does still have liability for negligence on their part, and should have insurance in place to cover this.
How real is the risk of a fine?
To date we aren't aware of any school or body associated with a school being prosecuted or fined for anything related to data protection. But nobody knows how the courts will enforce new regulations, and there is likely to be a period of adjustment as things bed down.
New legislation introduces a new set of penalties – the greater of 4% of turnover or €20 million. Under existing legislation ICO has handed out five and six figure fines not just to big corporates, but to well respected charities, who had systematically deployed fund-raising practices which weren't legal, or who failed to act appropriately after a data breach. Perhaps equally important is the reputational damage to the school and organisations associated with it if practices are found wanting in material respects.
In assessing what corrective action to take ICO will typically look at the overall data safeguarding processes followed by an organisation as well as the detail of any particular incident. This is where working with Classlist can really help. You have taken a big step forward in electing to work with a company which has gone the extra mile in not only seeking legal advice but obtaining a legal Opinion setting out how our practices are compliant.