Prior to new data protection legislation introduced across Europe in 2018, Parent Associations and Class Reps often relied on spreadsheets and email to contact parents. This practice has rapidly disappeared, as it creates a host of potential legal liabilities for PTAs, Class Reps and schools. As spreadsheets and email data may survive on laptops and phones and in email accounts for years, these liabilities could persist for a long period. Simply obtaining parent permission to share their data doesn’t mitigate these risks.
The legal advice we have received since 2018 is therefore that schools, PTAs and Class Reps should avoid collecting and holding personal data in email lists or spreadsheets.
The main risks are that PTAs or schools could be held responsible for data breaches from holding email lists are where parent data inadvertently falls into the hands of someone else (this could occur from something as simple as sending a group email without using bcc). They are also required to have a system in place to immediately delete any parent’s personal data from every device and account where it is held (this would potentially include hundreds of parent devices if you have emailed a list out to lots of parents or not used bcc), and to be able to document what personal data is held across all these devices.
All these risks are greatly mitigated through using a system like Classlist, where data is stored securely in one database which can be viewed and modified by users and deleted instantly.
Organisations which have reviewed their legal obligations and chosen a system of this type are also seen to be taking data protection seriously, which further reduces their liability.
Data Protection Liabilities arising from use of email
Data protection or “GDPR” legislation doesn’t generally cover use of email for social and domestic purposes - there are no issues using it to keep in touch with families and friends. However, the moment you start acting as the representative of an official group or organisation - which includes acting as a Class or Year Group rep - things change. You are classified as a “Data Controller”, and automatically assume a new set of legal responsibilities - whether you are aware of them or not. Most countries have a government department responsible for providing guidance, enforcing compliance and levying fines. In the UK this is the Information Commissioner’s Office (ICO). In addition to working with our legal advisors, Classlist keeps in regular contact with ICO to make sure we are up to date with the latest interpretations and judgements about data protection legislation.
As a data controller, storing and managing electronic personal data, you assume some quite onerous responsibilities. For example you are required to: :
- Design your information system to ensure security and privacy. Basing your system around email makes this a challenge. This choice therefore puts you in a vulnerable position should problems occur.
- Report “data breaches” within 72 hours. The Information Commissioner’s Office take this requirement seriously. Where personal data has been compromised, you are expected to be aware of this; inform the ICO, and depending on the circumstances inform the “data subjects” concerned. Distributing personal data through email can make it impossible for you to fulfill this legal requirement. If you have sent email addresses (which count as personal data) to dozens of individual parent devices, you have no way of knowing if any of these devices has been hacked, stolen, or simply passed to other users.
- Comply with Subject Access Rights - this gives individuals the right to know what information you hold on them, which becomes a challenge if this has been shared widely
- Comply with the Right to be Forgotten - through which individuals can legally require you to delete all personal data you hold on them. If you have deliberately designed a data management system which embeds personal data across multiple parent devices, this would in theory require you to contact all the parents with whom you have shared this data; and ensure that they have deleted the entries pertaining to this individual.
This may all sound like fantasy land - could fines really be levied simply for sending class parents email lists? In the UK ICO takes a common sense approach but doesn’t look kindly on organisations which ride roughshod over new data protection legislation, particularly if they persist in using systems which make it all but impossible for them to comply. Ignorance was a reasonable excuse in 2018, but organisations are now expected to have a better appreciation of their obligations.
Courts across Europe use a broadly similar set of regulatory guidelines and have begun to levy fines on a wide range of companies of all sizes.
But more important than these legal concerns, parents themselves can be put at risk through poor data protection practices. A couple of real-life examples:
- Class Rep Alex sends out a class meetup invitation but forgets to bcc recipients. Every parents’ name and email address is instantly distributed to dozens of computers. One of these computers is used by kids to play games, hacked, and the address book details stolen. Personal data from multiple families is now in at risk - and nobody is aware of what has happened. Class Rep Alex is responsible for the data breach.
- A couple split up acrimoniously, with a court order preventing one party contacting the other. One partner’s new email is provided to the Year Group rep, who sends it out, unaware of this restriction. The Year Group rep is responsible for the breach.
Other issues with email lists
Finally, using email lists is time-consuming and prone to user error - in particular mistakes using the blind copy functionality. Senders often forget to include addresses as bcc, meaning the whole class or year group’s emails can be inadvertently revealed. This can be serious if the parent wished to hear from the PTA or Rep but did not wish to share their personal email address with other parents for instance.
Worse, putting multiple emails into the bcc field makes emails far more likely to be rejected by spam filters, meaning some parents may never even receive emails. Some PTAs have told us that they have found that emails with more than 10 bcc email addresses can get categorised by some email providers as marketing or spam.
When a parent changes their email address, or leaves the school, or a new parent joins, it becomes an ongoing hassle to update email lists and make sure they synchronise if several people need to use the list.
Overall, to quote one of our Ambassadors, “Classlist was a dream come true - I could finally forget about email” .
So how is Classlist different?
With Classlist, parents choose whether or not to share their phone number, address or just approximate location with other parents. They can keep everything private and still participate on Classlist. This means Classlist can include everybody, regardless of what they wish to share. Parents can message each other without any need to collect personal data.
Parents can remove their account themselves from Classlist any time. Their data is deleted immediately, and no longer available to other parents.
Because data is held securely in the cloud, once deleted centrally it is instantly and automatically removed from every device as these are refreshed.
Every Classlist user is authenticated by a human being, making it difficult for non-parents to penetrate a school.
There are pages more we could cover on data protection. The need to protect parents and: comply with new regulations was one of the reasons Classlist was launched back in 2016. However the landscape is changing all the time and if you feel there is any way in which our system could be improved, we are only too keen to have your feedback here.
What about WhatsApp? Is that alright for reps?
See our article on the differences between Classlist and WhatsApp