Parents
Classlist’s Data Protection Arrangements – Notes for Parents
- is never passed to third parties
- is never sold to anybody
- is never shared with advertisers
- is never used to profile you for advertising purposes
- can be inspected and modified at any time under your Profile
- is held within the EU and not transferred to the US or elsewhere
Classlist is custom-built to support school communities. It offers parents and administrators a wide range of tools not available on other social media platforms. Our focus is on security, trust and transparency. We fully authenticate every user. We don’t “profile” users or make commercial use of any parent’s individual data. Where we generate revenue from advertisers, this money can be shared back with your school.
How do I find out more about GDPR?
To receive our data protection updates please click here. Classlist hosts a free monthly GDPR Webinar with a data protection specialists Clayden Law. These are principally for parent associations and school staff, but parents are also very welcome to attend. Details are available on our data protection website here
What information does Classlist hold about me?
Classlist stores those contact and family member details which you have chosen to upload and share, along with your personal messages and posts. You can inspect, amend and delete these at any time. Your personal data is fully encrypted and stored within the EU.
How does Classlist protect my rights under GPDR?
GDPR gives you enhanced rights - for example to delete or transfer personal data; give specific consent before personal data is shared, and learn immediately about data breaches. These can all be readily exercised as described in the Privacy Notice. You don’t need to take any further action to ensure this.
What certifications does Classlist hold relating to data protection?
Classlist is registered with the UK Information Commissioner’s Office as a Data Controller, and holds the UK government endorsed Cyber Essentials Certification.
If you have any concerns or suggestions on this or anything else please email support@classlist.com
Summary of changes in data protection legislation relevant to PTAs
Handling of personal data is currently covered by the UK's 1998 Data Protection Act. This will be significantly extended from 25 May 2018 by the General Data Protection Regulation (GDPR), one of the most wide-ranging pieces of legislation ever passed by the EU. The GDPR introduces numerous new concepts and seeks to harmonise laws across the EU's member states to enable the secure, free flow of data. It applies to any business trading with or operating within the EU and as new UK legislation will be binding in the UK irrespective of Brexit negotiations. Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and are also being upgraded.
The GDPR sets out how organisations must treat "personal data" – in the case of PTAs and schools, information about parents and their children. It gives people much more visibility and control over what this information is used for, and sets out severe penalties for organisations which don't comply. It will affect:
- How your organisation collects, processes, manages and deletes electronic and physical records about parents
- How and when you can feed this information into other systems – which may include an online invitation management system, or a social media service – and how these systems must also comply
- How you inform or train members of your organisation about their new responsibilities in handling personal data
- How you manage and report on problems if anything goes wrong (for example if private data is accidentally made public) where you may need to take action within 72 hours
To help UK organisations prepare for the 25 May 2018 deadline, the UK government has provided detailed guidance about the changes. A special Government Department – the Information Commissioner's Office (ICO) is focused on this. Classlist has consulted with them directly on some of the issues we describe. ICO has also prepared a handy 12 step guide for those involved in managing personal data. We show which are most relevant to PTAs and Schools running Classlist sites here.
"Quick check" to see if your PTA will be affected
- Does your parent association work as more than an ad hoc group of individuals? For example does it have an official name and engage in real, specific activities; or have one or more appointed officers (Chair, Secretary etc) or some form of financial resource such as a bank account? YES/NO
- Does your association collect, manage and store lists of parent names and other details (for example email addresses, telephone contacts, names of their children) in either electronic or paper format? YES/NO
- Do you organise events, raise funds, or manage volunteers and keep records and details of the parents involved either using your own system, or by entering parents' personal information (even email addresses) into a third party service like Eventbrite or Paperless Post? YES/NO
If you answered YES to question 1 and YES to either question 2 or 3, you are likely to be a "Data Controller" as defined by current and upcoming legislation. Regulatory changes are therefore likely to affect the way you operate.
If on the other hand your PTA doesn't hold any personal data about parents, but occasionally asks the school to forward your announcements and messages, and you don't store parent email addresses, then you may not be affected - although some schools are now refusing to forward anything from the PTA unless they have specific written consent from each parent. However, these regulatory changes also create a new opportunity for you to engage in two-way dialogue with parents. We have taken detailed advice from one the UK's top law firms on how schools can support PTAs using Classlist to build a vibrant parent community. You can either get going and manage your own site, which we believe is the best option - or work with your school. In either case Classlist is specifically designed to support you every step of the way.
Three options which you can follow to comply with new data protection legislation
-
PTA starts or continues to work directly with Classlist. This is the route followed by most UK PTAs. Through following existing and new regulations you should be able to obtain more help from your school. To help you validate parent data they can lawfully supply specific parent information which could save you weeks of time. See how here..
-
The school works directly with Classlist, involving PTA officers as site administrators where the school has resources and is prepared to lead as data controller, they can lawfully use certain existing parent data with Classlist, making it much quicker to get the Classlist site up and running. PTA officials can help administer the site, which offers most of the advantages of running it directly as a PTA. See how here..
Technical Note for Data Protection Officers and compliance specialists
Classlist's approach to data protection is based on advice from ICO and a detailed document and procedure review from VWV, one of the top five legal firms working with UK schools.
VWV's Opinion confirming how Classlist's practices and procedures comply with current and future regulations is available in our Compliance Document Centre. The Opinion is limited in scope regarding two areas – consent to receive adverts, and child information. With both of these law is currently unsettled and these areas are therefore excluded from the Opinion, although we believe Classlist's approach is currently compliant. Clearer guidance is likely over the coming year and if necessary Classlist's approach will be adjusted. Such a period of legal refinement is relatively common where there is a significant change in legislation.
In regulatory terms, the PTA or School typically acts as Data Controller, engaging Classlist as a Data Processor. There are some special circumstances where it is not clear if our customer would meet the legal definition of person or entity, in which case Classlist acts as Data Controller. Classlist also acts as Data Controller in the specific case where we manage advertising content in emails. Classlist is registered as a Data Controller with ICO.
Our overall approach and the options open to schools and PTAs are set out above. Our FAQs provide more detail.
Key documents can be found under the Resources tab, with more technical items in a protected area called the Compliance Document Centre
Classlist's Data Protection Officer can be contacted here. Data Protection requirements are evolving quickly with new guidance and rulings published on a regular basis. If you have queries, comments or suggestions we would be delighted to discuss these.
1. Technical guidance is based on discussions with and information supplied by the UK Information Commissioner's Office (ICO), where Classlist is a registered Data Controller.
2. Classlist has also commissioned a full procedure review from VWV, ranked as one of the top five law firms advising UK schools (see Chambers and Partners - 2018; The Legal 500 - 2017). VWV's Opinion confirming how Classlist's business practices and procedures comply with UK legislation is available in our Compliance Document Centre