Victoria Cetinkaya from the Information Commissioner's Office (ICO) provides advice on how to comply with data protection law when using parents' personal details and contacting them for fundraising...
We want to send out a letter to parents asking them to give us their email addresses so we can contact them more easily. Can we do this? Do we need to include any special wording?
You can do this as long as parents would reasonably expect to hear from the PTA by letter and they haven't asked you not to contact them. In the letter you should clearly explain why the PTA wants to collect the information and what you'll do with it, including what you'll be using it to contact parents about. The PTA needs to give parents a genuine choice and obtain their opt-in consent for you to contact them by email or SMS. The ICO has helpful guidance on this.
The school sends out a contact form at the start of every academic year. Should we be doing the same for the PTA?
Absolutely! It would be good practice to do this on an annual basis to check the accuracy and the relevance of the information you hold. You can also use it to check parents' preferences on how they'd like you to stay in contact with them – whether that's by email, SMS, letter or not at all.
We have a database of parents' email addresses and phone numbers – does this mean our PTA needs to register as a 'data controller'?
Generally, organisations which hold or process personal data do need to register with the Information Commissioner's Office. There are, however, some exemptions including not-for-profit organisations. As long as your PTA is working on a not-for-profit basis – regardless of whether you have charitable status – you are NOT required to register as a data controller. You still have to comply with the Data Protection Act 1998 though. Some of the principles relevant for PTAs require you to make sure that the information you hold is:
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up-to-date
- Not kept for longer than is necessary
- Held securely.
This includes keeping it safe so that unauthorised individuals can't access it, and not disclosing it to anyone else – including other parents, so if your PTA is emailing groups of parents, make sure you use the 'bcc' option to ensure that personal details are hidden from other recipients.
25 May 2018 saw a new data protection law coming into force. The General Data Protection Regulation (GDPR) builds on the principles set out above, so you'll still have to comply with those, but in addition you have to be able to demonstrate that you comply with data protection laws, for example by having data protection policies and procedures in place, and keeping evidence of parents' consent to use their details. The ICO has published guidance on what you should be doing to prepare to meet the legal requirements of the new General Data Protection Regulation.
Are there any special criteria for making sure that our database of contact information is held securely?
It depends what the risks are – for example, the nature of the data, how it is stored and the harm that could be caused if the information was accidentally or otherwise disclosed. I would suggest that if the information is just names and addresses, the database should be password protected. Those who have access to it should understand that they need to keep it safe and not let unauthorised people view or access it unless it is appropriate to do so.
Other PTAs successfully use Facebook and Twitter to communicate with parents, but our Headteacher is reluctant – what can I do to reassure him?
There are a variety of ways in which social media sites can be used to communicate – some of which might be compliant from a data protection point of view, and some which will not be. Just because parents have a publicly-accessible social media account doesn't mean it's fair game for organisations to use that information as they wish – parents might not want to be contacted in this way. As mentioned earlier, you need consent from parents to be able to contact them electronically. However, if you set up a private Facebook group and let parents know the details, including how the PTA will use the group to contact parents, they can choose whether to join the group or not.
Last year we ran a PTA shopping and pamper night. I have recently been contacted by a local nursery to ask for details of our stallholders for an event they're planning, but can I pass these details on?
NO! Unless you made it clear when you originally collected the stallholders' data that you might share details with third parties, then you shouldn't pass this information on. I'd suggest that you email your contact list and ask that they get in touch with the nursery direct if they wish to get involved.
We often put photos of events on our noticeboard or videos on our PTA website. Are there any data protection issues with this?
When taking photographs or videoing people in order to publish on your noticeboard or website you should get their consent, explaining what you intend to do with the photograph/footage including whether it is to be published and where. In relation to younger children, consent must be given by a parent or guardian on their behalf. Consent should not be necessary when photographing/videoing a crowd where the individuals remain relatively anonymous.
The above is intended as guidance only. We recommend that you contact the relevant organisations with specific reference to insurance, legal, health and safety and child protection requirements. Community Inspired Ltd cannot be held responsible for any decisions or actions taken by a PTA, based on the guidance provided.