Data Protection
Main implications for PTAs
What deadlines should I be aware of?
Your main deadline is 25 May 2018, when provisions from the General Data Protection Regulation (GDPR), translated into UK law, become effective. You must be fully compliant with new regulations by this date. It's been a moving feast as some of the key pieces of UK legislation such as the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulation (PECR) were still being finalised in late 2017, and more guidance and interpretation is regularly issued from the UK Information Commissioner's Office. So even after May 2018 a period of clarification is likely where courts interpret new concepts and determine how this new legislation will actually be applied in practice.
What are the "must dos" for data controllers?
  • Currently to comply with the UK Data Protection Act 1998, some of the principles relevant for PTAs are to make sure the information you hold is:
  • i) processed for limited purposes
  • ii) adequate, relevant and not excessive
  • iii) accurate and up to date
  • iv) not kept for longer than is necessary
  • v) held securely - which includes keeping it safe so that unauthorised individuals can't access it, and not disclosing it to anyone, including other parents.

  • To comply with the GDPR by 25 May 2018 you will have to demonstrate more, for example that you have data protection policies and procedures in place; keep evidence of parents' consent to use their details; and ensure you have appropriate procedures for new elements such as the right to be forgotten; subject access rights; data portability; data breach notification within 72 hours and many other elements.

  • Classlist's system is designed to help you comply with all of the above.

    Does the PTA need a Data Protection Officer?
    We don't believe this is necessary. ICO guidance states that you need a DPO if you:
    - carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or:
    - carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
    A PTA doesn’t perform either of these activities at either small or large scale so you are not required to have a DPO.

    This is way too much info. I want everything on one A4 page
    That really would be spoiling the party. OK. Here you go. A one page summary with everything you need.
    What happens if there isn't a separate PTA, or the PTA organisation has been merged into the school?
    Some schools are re-integrating their PTAs into the school organisation. In this case the school will be the data controller and PTA officials are treated in the same way as school staff.

    What's the difference between a Data Controller and a Data Processor?
    The difference between these two roles is critical but not always obvious. According to the Information Commissioner's Office, a "data controller" means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A "data processor", in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

    In the Classlist context the PTA or school is generally the data controller and Classlist is the data processor. However, in specific circumstances these roles can change. This is set out in the legal documents in the Compliance Document Centre.

    What's the difference between a Classlist Member and Non Member?
    A Classlist Member has completed the registration procedure, and the personal details they chose to share are visible to other users. They are a full member of the site and can access all its functionality.

    A Classlist Non Member will have been invited by email to join the site but has not registered. No information on them will be available to other users with the exception of site administrators. A Non Member who has been regularly and recently receiving emails or similar communications from the PTA or school relating to the parent community will continue to be included in these communications through the Classlist email system. They have the option of unsubscribing at any point.
    What your school can do to help
    What information can the school lawfully supply to the PTA?
  • Where you set up a Classlist site your PTA is acting as a "Data Controller". The school is already a "Data Controller" because it manages lots of information about pupils and parents. In general, no personal data can be transferred between data controllers without a good legal justification, which sometimes requires specific consent from each parent.

    Classlist has obtained a legal Opinion from VWV, one of the top five legal firms working with UK schools, on this area. This confirms that as long as your PTA is following the practices and procedures set out by Classlist, the school can lawfully help you to verify and update information which you have collected through the Classlist system. This can include parent names, child names, child class details, and parent email details.

    The school may, for example, help you check applicants against a master list of parents, or provide you with class lists at the end of each year or term so you can update your records and ensure each pupil is allocated to the correct class. Please bear in mind that you aren't permitted to use this data for any other purpose than to validate new applicants and make updates to your database. A draft letter to the school from PTAs launching Classlist is here and a draft letter for PTAs which currently operate Classlist is here.

    Where the school is providing you with any personal data about parents or their families, these must be transmitted using a secure, encrypted and private mechanism and you must have arrangements in place to manage this information on a completely confidential basis.

  • What does my school need to do? What can I send to explain everything?
    The Classlist website has lots of material describing how the app works and the benefits to schools and parents.

    Regarding data protection specifics, the school is already a Data Controller and will be working with you as another Data Controller. They have all the data needed to enable you to validate new applicants, and should be keen to help as this ensures a well functioning trusted parent community. They can also assist with allocation of members to new classes at the beginning of each academic year, which can otherwise become very time consuming. A draft letter to the school from PTAs launching Classlist is here and a draft letter for PTAs which currently operate Classlist is here.

    Why should my school agree to help? What's in it for them?
    The school is likely to see some advantages in Classlist and may have some concerns. The advantages are typically around cost - a reduction in school office admin time; and around parent engagement - which is a new OFSTED metric - recent studies show that stronger parent communities can really improve student outcomes. They may also see benefits around safeguarding where parents can help each other with supervision and information both for junior and teenage years.
    A few school heads are concerned that Classlist will be used for complaining and tittle tattle. This would be contrary to our user guidelines and has proved extremely rare. What is far more common is parents using Facebook or WhatsApp to complain, where content can be difficult to moderate or remove. Heads often tell us they prefer Classlist for exactly this reason.
    Finally, where parents, school or PTA bring in local sponsors to support Classlist, 50% of the revenue goes back to the school which is always very welcome.

    What happens if my school doesn't agree to help, or can't do anything quite yet?
    If the school is too busy or doesn't have capacity to help right now, this is far from a show stopper. It certainly helps if the school head sends an announcement to parents encouraging them to join. However, many PTAs using Classlist around the country have relied on their own resources to develop invite lists, get the word out, and get Classlist sites up and running. You don't have to wait for the school to be ready.

    Is it better to have the school as Data Controller?
    The choice of data controller needs to reflect the reality of who is administering the site. This organisation will have more privileges and can use it for more things. If you have an active PTA with lots of Class Reps, events and announcements then we generally recommend the PTA takes the lead. If the PTA doesn't communicate extensively with parents or has limited resources and the school is either very active in promoting the parent community, or wants to enable parents to contact each other, it is fine for the school to lead. You do need to make it clear to parents who manages the site. If this changes later, you can always ask parents to reconfirm they are happy with new arrangements.

    Some schools prefer to be data controllers. This does make it easier for them to issue invitations and to build a very inclusive community. Where the school runs the site the PTA does not have an official role, although PTA members can send invitations and messages just as other members can. PTA officials can assist with some site administration tasks if the school has limited resources, but they must be careful not to use personal data or other information they obtain in this capacity for other PTA purposes. Classlist's Terms and Conditions explain this in more detail.

    Liabilities and risk
    How does new legislation change PTA liabilities? Do we need to review our insurance?
    Any organisation dealing with personal data will have additional responsibilities and liabilities from May 2018. This even applies if you simply circulate a spreadsheet of names. Working with Classlist means you have taken a big step to manage and reduce any potential liabilities, because our processes have gone through a legal audit and have a lot of data protection safeguards built in.

    - Through establishing a relationship with Classlist as your Data Processor you immediately become compliant in terms of using a legally validated, properly structured approach to data management. Classlist also becomes responsible for the technical and cybersecurity aspects of where personal data goes, who is authorised to access it, and how it is protected from attack.

    - Regarding insurance, should there be a data breach where Classlist's systems are at fault, we are fully insured for public liability, professional indemnity and also have specific cover for cyber insurance. PTAs generally hold insurance policies designed to cover public and personal liability for the Association and its officers. You are advised to check your coverage to ensure all relevant contingencies are covered.

    - In choosing to work with Classlist, you have selected the market leader in this area. Classlist brings experience from working with over 1,800 schools across the UK. We have also invested heavily to obtain the best possible legal advice to ensure our procedures comply with current and anticipated legal requirements. You will therefore be seen to have acted in a prudent and conservative manner in selecting your supplier. Naturally Classlist cannot be held responsible for data breaches where the PTA is at fault. However through using Classlist's purpose-built system, which is designed entirely around security, privacy and meeting PTA requirements, we believe that the likelihood of personal data going astray is significantly reduced.

    What liability does my school take?
    Classlist's agreement to act as Data Processor for the PTA or school means that we take prime liability for any breakdown in our systems or processes. As you would expect, the school does still have liability for negligence on their part, and should have insurance in place to cover this.

    How real is the risk of a fine?
    To date we aren't aware of any school or body associated with a school being prosecuted or fined for anything related to data protection. But nobody knows how the courts will enforce new regulations, and there is likely to be a period of adjustment as things bed down.

    New legislation introduces a new set of penalties – the greater of 4% of turnover or €20 million. Under existing legislation ICO has handed out five and six figure fines not just to big corporates, but to well respected charities, who had systematically deployed fund-raising practices which weren't legal, or who failed to act appropriately after a data breach. Perhaps equally important is the reputational damage to the school and organisations associated with it if practices are found wanting in material respects.

    In assessing what corrective action to take ICO will typically look at the overall data safeguarding processes followed by an organisation as well as the detail of any particular incident. This is where working with Classlist can really help. You have taken a big step forward in electing to work with a company which has gone the extra mile in not only seeking legal advice but obtaining a legal Opinion setting out how our practices are compliant.