school classlist

FAQs data protection

Does your PTA use email and text messages to communicate with parents? How diligent are you about looking after their details? Dawn Monaghan, from the Information Commissioner's Office provides advice on data protection.

We want to send out a letter to parents asking them to give us their email addresses so we can contact them more easily. Do we need to include any special wording?

I'd recommend including a brief explanation of why you are collecting the information. It would be best practice to explain how their details would be used, how you would store this information, who would have access to it (for example, elected committee members only) and for how long you would keep their details. You should give parents the option to opt in or out of having their details kept on file.

The school sends out a contact form at the start of every academic year. Should we be doing the same for the PTA?

Absolutely! Best practice would suggest that you do this on an annual basis to check the accuracy and the relevance of the information you hold.

We have a database of parents' email addresses and phone numbers - does this mean our PTA needs to register as a 'data controller'?

Generally, organisations which hold or process personal data do need to register with the Information Commissioner's Office. There are, however, some exemptions including 'not for profit' organisations. As long as your PTA is working on a 'not for profit' basis - regardless of whether you have charitable status - you are NOT required to register as a 'data controller'. This means you are not legally obliged to adhere to the terms of the Data Protection Act 1998, however there are several 'best practice' principles that I'd recommend you comply with. Make sure that the information held is:

  • Processed for limited purposes

  • Adequate, relevant and not excessive

  • Accurate and up-to-date

  • Not kept for longer than is necessary

  • Held securely

Also, if your PTA is emailing groups of parents, make sure you use the 'bcc' option to ensure that personal details are hidden from other recipients.

Are there any special criteria for making sure that our database of contact information is held securely?

It depends upon the nature of the data and the harm that could be caused if the information was accidentally or otherwise disclosed. I would suggest that if the information is just names and addresses, the database should be password protected. Those who have access to it should understand that they need to keep it safe and not let non-approved people view or access it unless it is appropriate to do so.

To save time and effort, we want to use an online booking system for events, where people can view available slots and add their names (such as Does this pose any data protection issues?

It doesn't pose any data protection problems as you are not subject to the Act, but it would be ethical to ensure that people who are invited to input their information understand why you want it and who has access to it.

Other PTAs successfully use Facebook and Twitter to communicate with parents, but our head teacher is reluctant - what can I do to reassure him?

There aren't any real issues on this from a data protection perspective. Individuals voluntarily sign up to Facebook and Twitter, so you can only contact them through these means if they have made their details available. If their details can be accessed, or if parents ask to join a PTA's Facebook group, they have essentially given consent for their details to be used.

Schools are often reticent about PTAs using social networking as a means of communication, not for data protection issues, but out of concern that inappropriate comments might go unmoderated.

Last year we ran a PTA shopping and pamper night. I have recently been contacted by a local nursery to ask for details of our stallholders for an event they're planning, but can I pass these details on?

NO! Unless you made it clear, when you originally collected the data, that you may share details with third parties, then you shouldn't pass this information on. I'd suggest that you email your contact list and ask that they get in touch with the nursery direct if they wish to get involved.

We often put photos of events on our noticeboard or videos on our PTA website. Are there any data protection issues with this?

When taking photographs or videoing people you should get their consent, explaining what you intend to do with the photograph/footage including whether it is to be published and where. In relation to children, consent must be given by a parent or guardian, either in writing or verbally, depending on the circumstances. Consent should not be necessary when photographing/videoing a crowd where the individuals remain relatively anonymous.

For more information, visit

Share this page