Data Protection
Technical Review
Summary of changes in data protection legislation relevant to PTAs
Handling of personal data is currently covered by the UK's 1998 Data Protection Act. This will be significantly extended from 25 May 2018 by the General Data Protection Regulation (GDPR), one of the most wide-ranging pieces of legislation ever passed by the EU. The GDPR introduces numerous new concepts and seeks to harmonise laws across the EU's member states to enable the secure, free flow of data. It applies to any business trading with or operating within the EU and, as new UK legislation, will be binding in the UK irrespective of Brexit negotiations. The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and are also being upgraded.

The GDPR sets out how organisations must treat "personal data" – in the case of PTAs and schools, information about parents and their children. It gives people much more visibility and control over what this information is used for, and sets out severe penalties for organisations which don't comply. It will affect:

  • How your organisation collects, processes, manages and deletes electronic and physical records about parents
  • How and when you can feed this information into other systems – which may include an online invitation management system, or a social media service – and how these systems must also comply
  • How you inform or train members of your organisation about their new responsibilities in handling personal data
  • How you manage and report on problems if anything goes wrong (for example if private data is accidentally made public) where you may need to take action within 72 hours

To help UK organisations prepare for the 25 May 2018 deadline, the UK government has provided detailed guidance about the changes. A special Government Department – the Information Commissioner's Office (ICO) – is focused on this. Classlist has consulted with them directly on some of the issues we describe. ICO has also prepared a handy 12 step guide for those involved in managing personal data. We show which are most relevant to PTAs and Schools running Classlist sites here.

"Quick check" to see if your PTA will be affected
Most organisations will be affected but it's worth checking your PTA's precise status - and how far you really control and process personal data about parents at your school. Three questions should help clarify this:

  • Does your parent association work as more than an ad hoc group of individuals? For example, does it have an official name and engage in real, specific activities; or have one or more appointed officers (Chair, Secretary etc) or some form of financial resource such as a bank account? YES/NO
  • Does your association collect, manage and store lists of parent names and other details (for example email addresses, telephone contacts, names of their children) in either electronic or paper format? YES/NO
  • Do you organise events, raise funds, or manage volunteers and keep records and details of the parents involved either using your own system, or by entering parents' personal information (even email addresses) into a third party service like Eventbrite or Paperless Post? YES/NO

If you answered YES to question 1 and YES to either question 2 or 3, you are likely to be a "Data Controller" as defined by current and upcoming legislation. Regulatory changes are therefore likely to affect the way you operate.

If on the other hand your PTA doesn't hold any personal data about parents, but occasionally asks the school to forward your announcements and messages, and you don't store parent email addresses, then you may not be affected - although some schools are now refusing to forward anything from the PTA unless they have specific written consent from each parent. However, these regulatory changes also create a new opportunity for you to engage in two-way dialogue with parents. We have taken detailed advice from one of the UK's top law firms on how schools can support PTAs using Classlist to build a vibrant parent community. You can either get going and manage your own site, which we believe is the best option - or work with your school. In either case Classlist is specifically designed to support you every step of the way.

Three options which you can follow to comply with new data protection legislation
  • 1 - PTA starts or continues to work directly with Classlist. This is the route followed by most UK PTAs. By following existing and new regulations you should be able to obtain more help from your school. To help you validate parent data, the school can lawfully supply specific parent information which could save you weeks of time.

    What do I need to do? (PTAs already working with Classlist)

    • 1 - It's good practice to nominate somebody on your team to lead on data protection – this may be you!
    • 2 - As Data Controller you must have this formal Data Protection Agreement in place with Classlist, who will act as your Data Processor. No signature is needed – acceptance by email from a PTA officer is fine. Classlist will be in touch with existing clients about this or you are welcome to email your acceptance to us now; please include your position with the PTA on the email.
    • 3 - If you intend to invite more parents, you should display this notice about how Classlist works so parents have the opportunity to opt out of even receiving the invitation. You might also want to display Classlist's Privacy notice and Terms & Conditions for Classlist's service.
    • 4 - Review the UK Information Commissioner's Office 12 step Guide for Data Controllers. Implications for PTAs are summarised here. Simply using Classlist will help you comply with much of this.
    What do I need to do? (New Classlist clients)

    • 1 - Our standard Classlist sign up procedure walks you through most of the data protection steps required. You will be asked to accept the new Data Protection Agreement which regularises the relationship between the PTA as Data Controller, and Classlist as Data Processor. You also need to post this notice on your PTA website two weeks before you get going, to alert parents that launch is imminent.
    • 2 - If you have been in contact with parents by email within the last year you can enter their email addresses into the Classlist system and they will receive an email invitation. Parents who opt to join Classlist will then decide what information they wish to share. Those who don't wish to join will still receive PTA emails but have the choice of opting out at any time.
    • 3 - As parents apply to join they need to be validated to ensure they are bona fide parents at the school. It is lawful for the school to assist you in this process by checking all applicants against a list of existing parent names and emails. The school is also able to assist you at the end of the term or year by providing updated lists of pupils and classes to help you allocate them correctly.
  • 2 - The school works directly with Classlist, involving PTA officers as site administrators. Where the school has resources and is prepared to lead as Data Controller, it can lawfully use certain existing parent data with Classlist, making it much quicker to get the Classlist site up and running. PTA officials can help administer the site, which offers most of the advantages of running it directly as a PTA.
    What do I need to do?

    How Schools can work directly with Classlist – with assistance from PTA officers

    1 - Where the school works directly with Classlist it sets up the site and takes the formal role of Data Controller. The PTA doesn't have an official role, although PTA members may assist the school with site administration.

    2 - The school needs to confirm that Classlist will act as its Data Processor by accepting this Data Protection Agreement (this is an automatic part of the sign-up process).

    3 - The school then needs to post on the school website, or include in regular parent communications, this notice about the launch of the Classlist site two weeks before inviting parents to join the site.

    4 - The school may appoint staff or parents as Ambassadors and Class Reps to act as site administrators, working with the school. They need to understand their responsibilities, described in Section 4 of the Terms & Conditions. These are broadly similar to those of any other parent using the system, but they need to take special care not to pass any personal data or other related information which they are privy to through their Ambassador or Class Rep role on to other organisations - including the PTA.

    5 - With these arrangements in place the school can enter existing parent names and email addresses into Classlist to invite parents to join the site. In addition, we strongly recommend that the Head email parents directly from the school system, including a link to the site and inviting them to join.

  • 3 - Go it alone without our help.
    I'm not ready to use Classlist. Is your advice still relevant to me?

    Going it alone may require a fair bit of research, organisation and time. The legal advice and ICO guidance which we've obtained won't apply if you create all the paperwork by yourself, rather than following the practices, procedures and documentation which we provide.

    The ICO 12 Step Guide which we've adapted for PTAs may be helpful. It sets out some of the steps we believe you will need to follow to ensure compliance with new regulations.

    You should be able to demonstrate that you have data protection policies and procedures in place, including keeping evidence of parents' consent to use their details, and procedures for new elements such as the right to be forgotten; subject access rights; data portability; data breach notification within 72 hours; Data Processor Agreements for third parties you work with; and other elements.

    If you do decide to handle everything yourself please do bear in mind that the guidance given on these pages is for schools using Classlist's documentation and approach and may not apply to you.

Technical Note for Data Protection Officers and compliance specialists
Classlist's approach to data protection is based on advice from ICO and a detailed document and procedure review from VWV, one of the top five legal firms working with UK schools.

VWV's Opinion confirming how Classlist's practices and procedures comply with current and future regulations is available in our Compliance Document Centre. The Opinion is limited in scope regarding two areas – consent to receive adverts, and child information. In both of these the law is currently unsettled and these areas are therefore excluded from the Opinion, although we believe Classlist's approach is currently compliant. Clearer guidance is likely over the coming year and if necessary Classlist's approach will be adjusted. Such a period of legal refinement is relatively common where there is a significant change in legislation.

In regulatory terms, the PTA or School typically acts as Data Controller, engaging Classlist as a Data Processor. There are some special circumstances where it is not clear if our customer would meet the legal definition of person or entity, in which case Classlist acts as Data Controller. Classlist also acts as Data Controller in the specific case where we manage advertising content in emails. Classlist is registered as a Data Controller with ICO.

Our overall approach and the options open to schools and PTAs are set out above. Our FAQs provide more detail.

Key documents can be found under the Resources tab, with more technical items in a protected area called the Compliance Document Centre.

Classlist's Data Protection Officer can be contacted here. Data Protection requirements are evolving quickly with new guidance and rulings published on a regular basis. If you have queries, comments or suggestions we would be delighted to discuss these.

1. Technical guidance is based on discussions with and information supplied by the UK Information Commissioner's Office (ICO), where Classlist is a registered Data Controller.
2. Classlist has also commissioned a full procedure review from VWV, ranked as one of the top five law firms advising UK schools (see Chambers and Partners - 2018; The Legal 500 - 2017). VWV's Opinion confirming how Classlist's business practices and procedures comply with UK legislation is available in our Compliance Document Centre.