GDPR - A Guide for your School PTA
Any PTA based in the UK (or elsewhere in Europe) that has not been sleeping under a rock, will likely be aware of the General Data Protection Regulation (GDPR) that came into effect on 25th May 2018. If you may be wondering how this affects your PTA and what actions you might need to take, you came to the right place.
If you are having trouble sleeping and love a good 88-page document, you can get stuck in with the official EU GDPR Regulations here. A rather more palatable version can be found on the UK Information Commissioner’s Office (ICO) website.
However, you may find this article helpful as an overview of your main responsibilities and required actions, and we’ll try not to make it too boring. 🙂
Is your school PTA already using PTAsocial?
Firstly, understand that GDPR is really extending the rules already covered by the existing Data Protection Act of 1998. So if you are already following those rules, taking a common sense approach and treating your users’ data with respect, you may have to change very little in order to comply with GDPR.
However there are some specific details you may need to clarify when people provide you with their data, to make it abundantly clear how their data may be stored and used. There is a lot of scaremongering (reminiscent of the Millenium Bug for those who remember!).
So rather than panicking that you’ll be sent a humungous fine, first take a little time to sort fact from fiction.
What is the Point of GDPR?!
Basically, it’s aimed at stopping annoying and irresponsible marketers from taking people’s personal details and using it for nefarious purposes or just spamming them.
Take a sensible approach, follow the GDPR principles (which we’ll explain below), and this does not have to be complicated.
How does GDPR impact how you run your PTA?
As a PTA you are typically collecting parents’ names and email addresses, as well as details of the classes their children are in, and possibly the names of their children. You may also be noting any other roles that they hold at school, e.g. staff, PTA committee member or class rep.
In essence, you need to make sure that personal data that you collect from parents or teachers in school is:
– processed lawfully
– collected used for the purpose it was intended (and nothing else)
– not collected unnecessarily i.e. don’t ask for more info than you need!
– accurate and up to date (and always updated quickly on request), and not kept for longer than needed
– If stored for longer in some form, the rights and freedoms of individuals should be safeguarded
– stored and processed safely to protect against unauthorised access, loss or destruction
These are your responsibilities under GDPR. So take them seriously.
Good news! PTAsocial takes care of this for you
Using PTAsocial to manage your communications will make your job much easier. That’s because we record how and when each person joins your online community, who invited them, or whether they self-registered.
We allow them to manage their own settings, e.g. they can switch off email announcements if they want, or indicate that they just don’t want to receive private messages. They can follow a message conversation to stay notified by email, or unfollow it if they’ve had enough. This is a big advantage over being chucked on a regular ol’ email list.
We’ve always done things this way anyway, because we believe that if people are in control of their own destiny... ahem I mean data, they are more likely to engage in the first place!
Does consenting to school contact emails also include PTA communications?
This is an interesting question. According to GDPR, there are various lawful reasons for collecting data, including consent and legitimate interest.
Your school may have already collected email addresses from parents and guardians who have consented to be contacted about school-related matters, which may or may not be considered to include PTA news. (It’s rare that as a parent you actually get to pick and choose exactly what you hear about, but hopefully this sort of granular selection is where we are headed, to make communication more relevant to individuals.)
Anyhow, currently many school offices do already send out out communications on behalf of the PTA. In this case, you and they may jointly decide that the PTA have a legitimate interest in contacting those parents via other secure methods (like PTAsocial).
In this case, you can simply ask the school to contact our support team to upload the parent data securely to PTAsocial, and allow the PTA Committee to manage PTA communications themselves from now on, taking a load off the school office. As we comply with GDPR and are registered with the ICO, they can trust us to treat the data appropriately.
To be even clearer, ask your school if they will include another checkbox on their parent forms for next year’s intake to seek specific consent for PTA communications too via PTAsocial.
We recommend you do a Legitimate Interests Assessment (LIA), which is a light-touch risk assessment based on the specific context and circumstances of the processing. It does not need to be complicated, but is a good idea should the need ever arise to defend your approach. The ICO website has more information and a template you can use.
In any case, if the school decides not to share parent data with your PTA, don’t despair.
How PTAsocial helps you stay GDPR-compliant
PTAsocial offers a convenient way for you to collect parent data on behalf of the PTA in a GDPR-compliant manner using consent in the following ways:
When your Community Manager (usually the chairperson or another committee member of the PTA) starts a new PTAsocial community, you are provided with a unique link so that parents of your school can join this private online community. This is easy to share via social media, school-wide emails or include on bookbag flyers. There is also a handy PTAsocial registration button that your school can place on the school website.
Invitation with Prior Consent
When you (or another member) invite a new member, you need to enter their name and email address so we can send the invitation email. At this point, we ask you whether you have prior consent. Perhaps they signed up on a paper sheet at a PTA coffee morning.
If so, you can invite them to PTAsocial and opt them in to receive updates about your community going forward, by checking the checkbox provided. This is logged in the system, and the new member is notified that you were the one who invited them, providing automatic accountability.
As part of our enhancements for GDPR, we introduced a way for the inviter to add a note to the invitation stating how and when the person gave consent. This is recorded and shared within the invitation email itself.
Invitation without Prior Consent
If you do not have prior consent, we suggest that you invite them without ticking the opt-in checkbox. In this case, we send the invitation from you. However, we protect their privacy by encrypting their email address so that is it unusable thereafter in the system. It can only be deciphered if and when they decide to accept your invitation and give consent. Again, this is logged in the system.
This is an excellent way to reach your audience and invite them in, without compromising their rights or including them in further unwanted correspondence.
Right to Deletion
Any member who wishes to leave the PTA's private online community can do so instantly by clicking the Email Preferences link in the footer of any email they receive via PTAsocial. They can either switch off notifications to stop any further email notifications, or they can deactivate their membership and remove their email address. For the sake of continuity, their name is still displayed within the PTA's private community against any conversations or tasks in which they participated. However if they wish their name to be removed completely, their information can be anonymised if they contact our support team.
When you and your members sign up to use PTAsocial, the terms include guidelines on how to use the system appropriately. Common sense applies here e.g. not sending out messages too frequently, appropriate and relevant content etc. Using a system like PTAsocial, you have the flexibility and power to instantly remove any offending member yourself.
Registering as a Data Controller
As part of our enhancements for GDPR, we will spell out the responsibility a Community Manager takes on in terms of controlling the members’ data and managing communications appropriately. As a small non-profit you are not strictly required to register with the ICO as a Data Controller. However we recommend you familiarise yourselves with the responsibilities we have laid out here and explore the ICO website too.
That's all folks!
We hope this helps you to understand how your PTA can comply with GDPR. We'd be happy to help you if you have any questions for us -- just say hello!
If your school would like to trial PTAsocial for free, start your new website and event organiser in minutes here.