FAQs data protection
How diligent are you about looking after parents'
contact details? Victoria Cetinkaya from the Information
Commissioner's Office (ICO) provides advice on how to comply with
data protection law when using parents' personal details and
contacting them for fundraising...
We want to send out a letter to parents asking them to give us
their email addresses so we can contact them more easily. Can we do
this? Do we need to include any special wording?
You can do this as long as parents would reasonably expect to
hear from the PTA by letter and they haven't asked you not to
contact them. In the letter you should clearly explain why the PTA
wants to collect the information and what you'll do with it,
including what you'll be using it to contact parents about. The PTA
needs to give parents a genuine choice and obtain their opt-in
consent for you to contact them by email or SMS. The ICO has
helpful guidance on this.
The school sends out a contact form at the start of every
academic year. Should we be doing the same for the PTA?
Absolutely! It would be good practice to do this on an annual
basis to check the accuracy and the relevance of the information
you hold. You can also use it to check parents' preferences on how
they'd like you to stay in contact with them - whether that's by
email, SMS, letter or not at all.
We have a database of parents' email addresses and phone
numbers - does this mean our PTA needs to register as a 'data
Generally, organisations which hold or process personal data do
need to register with the Information Commissioner's Office. There
are, however, some exemptions including not-for-profit
organisations. As long as your PTA is working on a not-for-profit
basis - regardless of whether you have charitable status - you are
NOT required to register as a data controller. You still have to
comply with the Data Protection Act 1998 though. Some of the
principles relevant for PTAs require you to make sure that the
information you hold is:
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up-to-date
- Not kept for longer than is necessary
- Held securely.
This includes keeping it safe so that unauthorised individuals
can't access it, and not disclosing it to anyone else - including
other parents, so if your PTA is emailing groups of parents, make
sure you use the 'bcc' option to ensure that personal details are
hidden from other recipients.
25 May 2018 saw a new data protection law coming into
force. The General Data Protection Regulation (GDPR)
builds on the principles set out above, so you'll still have to
comply with those, but in addition you have to be able to
demonstrate that you comply with data protection laws, for example
by having data protection policies and procedures in place, and
keeping evidence of parents' consent to use their details. The ICO
has published guidance on what you should be doing to prepare to
meet the legal requirements of the new General Data Protection
Are there any special criteria for making sure that our
database of contact information is held securely?
It depends what the risks are - for example, the nature of the
data, how it is stored and the harm that could be caused if the
information was accidentally or otherwise disclosed. I would
suggest that if the information is just names and addresses, the
database should be password protected. Those who have access to it
should understand that they need to keep it safe and not let
unauthorised people view or access it unless it is appropriate to
Other PTAs successfully use Facebook and Twitter to communicate
with parents, but our Headteacher is reluctant - what can I do to
There are a variety of ways in which social media sites can be
used to communicate - some of which might be compliant from a data
protection point of view, and some which will not be. Just because
parents have a publicly-accessible social media account doesn't
mean it's fair game for organisations to use that information as
they wish - parents might not want to be contacted in this way. As
mentioned earlier, you need consent from parents to be able to
contact them electronically, however, if you set up a private
Facebook group and let parents know the details, including how the
PTA will use the group to contact parents, they can choose whether
to join the group or not.
Last year we ran a PTA shopping and pamper night. I have
recently been contacted by a local nursery to ask for details of
our stallholders for an event they're planning, but can I pass
these details on?
NO! Unless you made it clear when you originally collected the
stallholders' data, that you might share details with third
parties, then you shouldn't pass this information on. I'd suggest
that you email your contact list and ask that they get in touch
with the nursery direct if they wish to get involved.
We often put photos of events on our noticeboard or videos on
our PTA website. Are there any data protection issues with
When taking photographs or videoing people in order to publish
on your noticeboard or website you should get their consent,
explaining what you intend to do with the photograph/footage
including whether it is to be published and where. In relation to
younger children, consent must be given by a parent or guardian on
their behalf. Consent should not be necessary when
photographing/videoing a crowd where the individuals remain
For more information, visit ico.gov.uk.
Share this page