Data Protection
ICO 12 Steps
ICO Step / Implications for PTAs
Implications for PTAs


1 - Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

Classlist’s short guide can be used with your Committee Members, Class Reps and any others who handle personal data


2 - Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

Most PTAs hold parent contact details supplied directly by parents so that you can communicate with them. Which is fine. If you pass this data in electronic format to any other organisations, which is quite likely (for example to organise events), please see the section on data processors below


3 - Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

Classlist provides a Privacy Notice for use by PTAs with whom we work. This has been fully reviewed by a leading UK law firm who confirm it complies with the relevant GDPR requirements


4 - Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Where Classlist acts your data processor we cover these elements for you


5 - Subject access request
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

Where Classlist acts your data processor we enable you to satisfy any subject access requests which you may receive. We can also enable you to meet requirements for the new Right to be Forgotten


6 - Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

Classlist has taken legal advice on this and the lawful basis for processing is clearly set out in the Privacy Notice which we provide


7 - Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

If the personal data you use has been supplied as described at Step 2 above, and has been used regularly and recently for contacting parents, a refresh may not be required. Classlist’s sign up procedure takes care of the new consents which are needed, and records these. We also provide a notice for you to circulate in advance of launch of the Classlist system.


8 - Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity

It is unlikely that you currently process very much child data. Classlist requires entry of child names by each parent and may verify these, but does not allow any child access to the system and does not child ages. Children over 12 have new rights regarding their data which parents should be aware of and are highlighted in our registration process.


9 - Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Requirements here are onerous and can require reporting within 72 hours. Where Classlist acts as your data processor we have procedures in place to help you comply


10 - Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

Classlist can arrange training in Privacy Impact Assessments if required. Classlist’s system has been designed around the principles laid out by ICO.


11 - Data protection officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

It is helpful for one member of the PTA to take a lead on data protection. It is unlikely that you will need to appoint a Data Protection Officer – this is generally for larger organisations. You can also register your PTA with ICO but this is not a required if you are a not-for-profit organisation or a charity.


12 - International
If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

It is unlikely that a UK based PTA will be governed by a supervisory authority in another country. Classlist’s processing is based in the UK so even if your students are foreign nationals, this consideration will not apply


Note on Data Processors
If your PTA collects and manage parent information it is likely to be a “data controller”. You may well work with other “data processors” (to arrange events, take payments, organise polls). If you share personal data (eg mail addresses) with these processors, you are legally required to have an agreement with them to ensure they follow the right procedures in managing data.

Classlist will act as your PTA’s data processor. Our Data Protection Agreement meets the requirements set out here. It shows how both parties will comply with the new regulations. Where parent data is supplied to us directly by the school, our agreement is with the school and PTA staff access the system under this agreement.