Technical Review
Summary of changes in data protection legislation relevant to PTAs
Handling of personal data is generally covered by country-based data protection legislation, which varies substantially from country to country. For example, in the UK, requirements are set out in the 2018 Data Protection Act. This was the UK's implementation of the European Union's General Data Protection Regulation (GDPR), one of the most wide-ranging pieces of legislation ever passed by the EU. The GDPR introduced numerous new concepts and sought to harmonise laws across the EU's member states to enable the secure, free flow of data. Each EU member state passed its own legislation implementing GDPR, and similar legislation exists in many other countries around the world. These country-based laws apply to any business trading with or operating within the UK or EU. The UK legislation hasn't been affected by Brexit, and it is anticipated that UK data protection regulations will be closely aligned with those pertaining across the EU for the foreseeable future. There are other country-by-country pieces of legislation which also have a bearing on privacy and data; for example, in the UK the Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. There are also other regulations and agreements related to GDPR which outline, for example, in what circumstances and with what protections personal data can be transferred to other countries.
The GDPR sets out how organisations must treat "personal data" – in the case of PTAs and schools, information about parents and their children. It gives people much more visibility and control over what this information is used for, and sets out severe penalties for organisations which don't comply. It affects:
- How your organisation collects, processes, manages and deletes electronic and physical records about parents
- How and when you can feed this information into other systems – which may include an online invitation management system, or a social media service – and how these systems must also comply
- How you inform or train members of your organisation about their new responsibilities in handling personal data
- How you manage and report on problems if anything goes wrong (for example if private data is accidentally made public) where you may need to take action within 72 hours
Many countries have established special Government Departments to help citizens and businesses understand how data protection legislation affects them. In the UK, for example, the Information Commissioner's Office (ICO) is focused on this. Classlist, as a UK-based business, has consulted with ICO directly on a number of issues. ICO has also prepared a handy 12 step guide for those involved in managing personal data. We show which are most relevant to PTAs and Schools running Classlist sites here.
"Quick check" to see if your PTA falls under data protection legislation
- Does your parent association work as more than an ad hoc group of individuals? For example does it have an official name and engage in real, specific activities; or have one or more appointed officers (Chair, Secretary etc) or some form of financial resource such as a bank account? YES/NO
- Does your association collect, manage and store lists of parent names and other details (for example email addresses, telephone contacts, names of their children) in either electronic or paper format? YES/NO
- Do you organise events, raise funds, or manage volunteers and keep records and details of the parents involved either using your own system, or by entering parents' personal information (even email addresses) into a third party service like Eventbrite or Paperless Post? YES/NO
If you answered YES to question 1 and YES to either question 2 or 3, you are likely to be a "Data Controller" as defined by current UK legislation.
If, on the other hand, your PTA doesn't hold any personal data about parents, but occasionally asks the school to forward your announcements and messages, and you don't store parent email addresses, then you may not be subject to UK data protection legislation.
We have taken detailed advice from one of the UK's top law firms on how schools can support PTAs using Classlist to build a vibrant parent community. There is a lot your school can do to assist you, and we believe working together is the best way to ensure all your school's parents are included in your Classlist site.
Three models which PTAs can use to comply with data protection legislation
1 - It's good practice to nominate somebody on your team to lead on data protection – this may be you!
4 - As parents apply to join they need to be validated to ensure they are bona-fide parents at the school. It is lawful for the school to assist you in this process through checking all applicants against a list of existing parent names and emails. The school is also able to assist you at the end of the term or year by providing updated lists of pupils and classes to help you allocate them correctly.
1 - Where the school works directly with Classlist it sets up the site and takes the formal role of Data Controller. The PTA doesn't have an official role, although PTA members may assist the school with site administration.
2 - The school needs to confirm that Classlist will act as its Data Processor by accepting this Data Processing Agreement (this is an automatic part of the sign-up process for a new school)
3 - The school then needs to post on the school website, or include in regular parent communications, this notice about the launch of the Classlist site before inviting parents to join the site
4 - The school may appoint staff or parents as Ambassadors and Class Reps to act as site administrators, working with the school. They need to understand their responsibilities, described in Section 4 of the Classlist Terms & Conditions. These are broadly similar to those of any other parent using the system, but they need to take special care not to pass any personal data or other related information which they are privy to through their Ambassador or Class Rep role on to other organisations - including the PTA.
5 - With these arrangements in place the school can enter existing parent names and email addresses into Classlist to invite parents to join the site. In addition, we strongly recommend that the Head email parents directly from the school system, including a link to the site and inviting them to join.
If you want to use another system, the ICO 12 Step Guide which we've adapted for PTAs may be helpful. It sets out some of the steps we believe you will need to follow to ensure compliance with typical data protection regulations.
For example, you should be able to demonstrate that you have data protection policies and procedures in place, including keeping evidence of parents' consent to use their details, and procedures for new elements such as the right to be forgotten; subject access rights; data portability; data breach notification within 72 hours; Data Processor Agreements for third parties you work with; and other elements.
If you decide to use another system to manage personal data (for example WhatsApp) you will need to satisfy yourself that such a system will enable you to comply with the legal requirements above. Please also be aware that the guidance given on these pages is for schools using Classlist's documentation and approach, and may not apply to you.
Technical Note for Data Protection Officers and compliance specialists
Classlist's approach to data protection is based on advice from ICO and a detailed document and procedure review from VWV, one of the top five legal firms working with UK schools.
VWV's Opinion confirming how Classlist's practices and procedures comply with current and future regulations is available in our Compliance Document Centre found in the Resources section. The Opinion is limited in scope regarding two areas – consent to receive adverts, and child information. In both of these areas UK law is currently unsettled, and they are therefore excluded from the Opinion, although we believe Classlist's approach complies with UK law.
In regulatory terms, the PTA or School typically acts as Data Controller, engaging Classlist as a Data Processor. There are some special circumstances where it is not clear if our customer would meet the legal definition of person or entity, in which case Classlist acts as Data Controller. Classlist also acts as Data Controller in the specific case where we manage advertising content in emails. Classlist is registered as a Data Controller with ICO.
Our overall approach and the options open to schools and PTAs are set out above. Our FAQs provide more detail.
Key documents can be found under the Resources tab, with more technical items in a protected area called the Compliance Document Centre.
Classlist's Data Protection Officer can be contacted here. Data Protection requirements around the world are evolving quickly with new guidance and rulings published on a regular basis. If you have queries, comments or suggestions we would be delighted to discuss these.
1. Technical guidance is based on discussions with and information supplied by the UK Information Commissioner's Office (ICO), where Classlist is a registered Data Controller.
2. Classlist's processes and procedures were fully reviewed as the UK's 2018 Data Protection Act came into force. This review was undertaken by VWV, ranked as one of the top five law firms advising UK schools (see Chambers and Partners; The Legal 500). VWV's Opinion confirming how Classlist's business practices and procedures complied with UK legislation is available in our Compliance Document Centre.