Your PTA & GDPR: easy steps to take today!
See our latest GDPR guidance for PTAs in full here.
You cannot have escaped news about the General Data Protection Regulations (better known as GDPR) which will come into force on 25 May 2018.
It might seem daunting but, at its heart, GDPR is pretty simple. It's about making sure organisations only keep information about people if they've got sound reasons to, don't hang onto it for too long and keep it safe while they have it.
As a PTA committee member, GDPR will affect you. As a small charity (independent of the school), you are a ‘data controller’ that makes your own decisions about what you send to parents, and how you keep their information.
And it doesn't matter whether you put together the summer fair rota from a database or a dog-eared address list, you're still handling personal data. But don't panic - with a bit of common sense and respect for privacy, getting GDPR-ready shouldn't be a huge challenge. It's also a great opportunity to engage with the school community about what your PTA does.
So, if you haven’t already taken action or aren’t sure if everything’s been covered, start by answering these questions and then look at our top tips on what steps you can take right away:
Question 1 - Are you and your fellow PTA committee members clued up or clueless about GDPR?
For a bit of fun to get you started, why not take the Parentkind GDPR quiz, read and share this blog, and access our comprehensive GDPR guidance for Parentkind members?
To keep in the loop, make sure your PTA chair, treasurer, secretary and other committee members sign up to receive Parentkind bulletins.
Question 2 - Do you have a good reason for collecting, using and keeping people's data?
The GDPR sets out a range of bases upon which personal data may be handled legally - some of which are relevant to PTAs. Having the consent of the person the information relates to is a pretty major one.
Or it may be that, without handling data, you can't do what's expected of you by the people the data belongs to, in which case you have what is known as a "legitimate interest".
What does that mean in a PTA context? Well, you may have a "legitimate interest" in using parent data to make sure they can be involved in your PTA. However, be careful not to send them anything classed as ‘marketing’ without consent. Take a look at our detailed guidance for more on this.
Question 3 - Have you explained what personal data you're collecting and are you only collecting what you really need?
When you collect data, you'll need to make sure you tell people what information you're gathering and what for. Don't collect more than you need – you cannot hold on to it ‘just in case’!
And GDPR is also hot on organisations getting rid of data once its purpose has been served - so do shred that sheet of Guess the Teddy's Name entrants as soon as the winner is chosen. If you expect to need this information longer term, make sure this is clear to parents when you ask for it.
Question 4 - Are you keeping people's information secure?
No one wants their personal data to end up in the wrong hands and GDPR includes some potentially hefty penalties for data leaks. But once again, a lot of what you need to do is common sense. Keep data secure behind passwords, or under lock and key. Don't copy personal information if you can avoid it.
And don't neglect the other side of data security - keeping on top of who can access data and for what reasons. Just being on the PTA committee is not a good enough reason alone. Work out some policies around who has access to what and why, perhaps including someone on your committee to be responsible for data protection alongside your secretary or chairperson.
Now you've considered questions one, two, three and four...
Do this right away
- Make sure you and other PTA members are signed up for updates and guidance from Parentkind.
- Seek out an expert in your school community. GDPR will affect lots of people in their day jobs, so there's bound to be a parent with experience to share.
- Be committee ready! Make sure your committee have read the Parentkind guidance and nominate a data protection lead.
- Audit your information with our easy-to-use Data Audit Template. Think about the what, where and why of the personal data you already hold and make sure it’s accurate and up to date.
- Agree and document how long you're going to hold data for. Use our Data Retention Template to keep a record of what you've decided.
- Agree policies on who needs access to what data, and make a note of them.
- Work out what data you don't need any more, or don't have the right to hang onto, and destroy it. Still got the signup sheets for the Christmas Fair? Old raffle books with mobile numbers on? Get rid of them NOW!
- Consider moving electronic data storage to a secure online file store or database which committee members can log into, rather than emailing copies of documents.
- Work with your school but be aware that there are different rules for schools as they are a 'public body'.
Stop doing this
- Adding to a never-ending list of parents' contact details without regularly tidying this up after events.
- Creating multiple copies of personal data by emailing, printing or copying it to different places.
- Allowing people access to the data without good reason.
- Storing personal data insecurely, e.g. in unlocked cupboards, or on USB sticks or computers without password protection.
Where to find more advice
The Information Commissioner's Office website has a huge amount of advice on GDPR, including: