The most popular frequently asked questions
Below is a list of questions that get asked in relation to school communities, Classlist and data protection.
How does data protection affect PTAs?
Do PTAs in the UK and EU have different obligations post Brexit?
Not to any significant extent. All EU countries passed legislation to implement the EU's General Data Protection Regulation (GDPR) in 2018. UK law is very similar to data protection law in other EU countries and is likely to remain closely in lockstep, to ensure data can be transferred seamlessly between the UK and EU countries. Other related pieces of legislation, such as the UK's Privacy and Electronic Communications Regulation (PECR), may diverge over time in some areas. Overall, court decisions on how to interpret GDPR made within the EU are still likely to have a significant bearing on how data protection laws are interpreted in the UK.
What are the "must dos" for data controllers?
This varies per country, but to comply with the GDPR requirement in force across Europe and the UK you must demonstrate, for example, that you:
- have data protection policies and procedures in place;
- keep evidence of parents' consent to use their details;
- have appropriate procedures for new elements such as the right to be forgotten; subject access rights; data portability; data breach notification within 72 hours and many other elements.
Many other countries have data protection legislation with similar provisions. In general the EU GDPR requirements are some of the toughest in the world, although many other countries are tightening their requirements and moving in a similar direction.
Classlist's system is designed to help you comply with all of the above requirements.
Does the PTA need a Data Protection Officer?
We don't believe this is necessary. ICO guidance states that you need a DPO if you:
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
A PTA doesn’t perform either of these activities at either small or large scale so you are not required to have a DPO.
This is way too much info. I want everything on one A4 page
That really would be spoiling the party. OK. Here you go. A one page summary with everything you need.
What happens if there isn't a separate PTA, or the PTA organisation has been merged into the school?
Some schools are re-integrating their PTAs into the school organisation. In this case the school will be the data controller and PTA officials are treated in the same way as school staff.
What's the difference between a Data Controller and a Data Processor?
The difference between these two roles is critical but not always obvious. According to the Information Commissioner's Office, a "data controller" means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A "data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
In the Classlist context the PTA or school is generally the data controller and Classlist is the data processor. However, in specific circumstances these roles can change. This is set out in the legal documents in the Compliance Document Centre.
What's the difference between a Classlist Member and Non Member?
A Classlist Member has completed the registration procedure, and the personal details they chose to share are visible to other users. They are a full member of the site and can access all its functionality.
A Classlist Non Member will have been invited by email to join the site but has not registered. No information on them will be available to other users with the exception of site administrators. A Non Member who has been regularly and recently receiving emails or similar communications from the PTA or school relating to the parent community will continue to be included in these communications through the Classlist email system. They have the option of unsubscribing at any point.
What your school can do to help
What information can the school lawfully supply to the PTA?
Where you set up a Classlist site your PTA is acting as a "Data Controller". The school is already a "Data Controller" because it manages lots of information about pupils and parents. In general, no personal data can be transferred between data controllers without a good legal justification, which sometimes requires specific consent from each parent.
Classlist has obtained a legal Opinion from VWV, one of the top five legal firms working with UK schools, on this area. This confirms that as long as your PTA is following the practices and procedures set out by Classlist, the school can lawfully help you to verify and update information which you have collected through the Classlist system. This can include parent names, child names, child class details, and parent email details.
The school may, for example, help you check applicants against a master list of parents, or provide you with class lists at the end of each year or term so you can update your records and ensure each pupil is allocated to the correct class. Please bear in mind that you aren't permitted to use this data for any other purpose than to validate new applicants and make updates to your database. A draft letter to the school from PTAs launching Classlist is here and a draft letter for PTAs which currently operate Classlist is here.
Where the school is providing you with any personal data about parents or their families, these must be transmitted using a secure, encrypted and private mechanism and you must have arrangements in place to manage this information on a completely confidential basis.
What does my school need to do? What can I send to explain everything?
The Classlist website has lots of material describing how the app works and the benefits to schools and parents.
Regarding data protection specifics, the school is already a Data Controller and will be working with you as another Data Controller. They have all the data needed to enable you to validate new applicants, and should be keen to help as this ensures a well functioning trusted parent community. They can also assist with allocation of members to new classes at the beginning of each academic year, which can otherwise become very time consuming. A draft letter to the school from PTAs launching Classlist is here and a draft letter for PTAs which currently operate Classlist is here.
Why should my school agree to help? What's in it for them?
The school is likely to see some advantages in Classlist and may have some concerns. The advantages are typically around cost - a reduction in school office admin time; and around parent engagement - which is a new OFSTED metric - recent studies show that stronger parent communities can really improve student outcomes. They may also see benefits around safeguarding where parents can help each other with supervision and information both for junior and teenage years.
A few school heads are concerned that Classlist will be used for complaining and tittle tattle. This would be contrary to our user guidelines and has proved extremely rare. What is far more common is parents using Facebook or WhatsApp to complain, where content can be difficult to moderate or remove. Heads often tell us they prefer Classlist for exactly this reason.
Finally, where parents, school or PTA bring in local sponsors to support Classlist, 50% of the revenue goes back to the school which is always very welcome.
What happens if my school doesn't agree to help, or can't do anything quite yet?
If the school is too busy or doesn't have capacity to help right now, this is far from a show stopper. It certainly helps if the school head sends an announcement to parents encouraging them to join. However many PTAs using Classlist around the country have relied on their own resources to develop invite lists; get the word out, and get Classlist sites up and running. You don't have to wait for the school to be ready.
Is it better to have the school as Data Controller?
The choice of data controller needs to reflect the reality of who is administering the site. This organisation will have more privileges and can use it for more things. If you have an active PTA with lots of Class Reps, events and announcements then we generally recommend the PTA takes the lead. If the PTA doesn't communicate extensively with parents or has limited resources and the school is either very active in promoting the parent community, or wants to enable parents to contact each other, it is fine for the school to lead. You do need to make it clear to parents who manages the site. If this changes later, you can always ask parents to reconfirm they are happy with new arrangements.
Some schools prefer to be data controllers. This does make it easier for them to issue invitations and to build a very inclusive community. Where the school runs the site the PTA does not have an official role, although PTA members can send invitations and messages just as other members can. PTA officials can assist with some site administration tasks if the school has limited resources, but they must be careful not to use personal data or other information they obtain in this capacity for other PTA purposes. Classlist's Terms and Conditions explain this in more detail.
Liabilities and risk
How can new legislation change PTA liabilities? Do we need to review our insurance?
Your legal liabilities will vary depending on which country you operate in. For example any organisation working in the UK with personal data needs to comply with the 2018 UK Data Protection Act. This may well apply even if you simply circulate a spreadsheet of names. Many other countries are moving towards a data protection framework similar to the European GDPR, on which UK law is based. Working with Classlist means you have taken a big step to manage and reduce any potential liabilities, because our processes have gone through a legal audit and have multiple data protection safeguards automatically built in.
- Through using Classlist as your Data Processor you can immediately comply with the requirement, typical in many countries, to use a properly structured and secure approach to data management. Classlist also becomes responsible for some of the technical and cybersecurity aspects of where personal data goes; who is authorised to access it, and how it is protected from attack.
- Regarding insurance, should there be a data breach where Classlist's systems are at fault, we are fully insured for public liability, professional indemnity and also have specific cover for cyber insurance. PTAs generally hold insurance policies designed to cover public and personal liability for the Association and its officers. You are advised to check your coverage to ensure all relevant contingencies are covered.
- In choosing to work with Classlist, you have selected the market leader in the area of school parent to parent communications. Classlist brings experience from working with thousands of schools around the world. We have worked with some of the UK's best known lawyers specialising in data protection for schools to ensure that our procedures comply with current UK legal requirements. We also work with many data protection officers and specialist firms around the world to ensure our procedures are in line with local legislation. Fortunately the GDPR based approach followed in the UK and EU is seen by many as the "gold standard" for data protection. You will therefore be seen to have acted in a prudent and conservative manner in selecting your supplier. Naturally Classlist cannot be held responsible for data breaches where the PTA is at fault. However through using Classlist's purpose-built system, which is designed entirely around security, privacy and meeting PTA requirements, we believe that the likelihood of personal data going astray is significantly reduced.
What liability does my school take?
Classlist's agreement to act as Data Processor for the PTA or school means that we take prime liability for any breakdown in our systems or processes. As you would expect, the school does still have liability for negligence on their part, and should have insurance in place to cover this.
How real is the risk of a fine?
To date we aren't aware of any school or body associated with a school being prosecuted or fined for anything related to data protection. But nobody knows how the courts will enforce new regulations, and there is likely to be a period of adjustment as things bed down.
New legislation introduces a new set of penalties – the greater of 4% of turnover or €20 million. Under existing legislation ICO has handed out five and six figure fines not just to big corporates, but to well respected charities, who had systematically deployed fund-raising practices which weren't legal, or who failed to act appropriately after a data breach. Perhaps equally important is the reputational damage to the school and organisations associated with it if practices are found wanting in material respects.
In assessing what corrective action to take ICO will typically look at the overall data safeguarding processes followed by an organisation as well as the detail of any particular incident. This is where working with Classlist can really help. You have taken a big step forward in electing to work with a company which has gone the extra mile in not only seeking legal advice but obtaining a legal Opinion setting out how our practices are compliant.