Classlist is compliant with GDPR
The new General Data Protection Regulation (GDPR) runs to more than 200 pages. It's a complex, rapidly evolving subject - and can get a bit technical - but you can rest assured that Classlist is fully compliant with the new legislation, which comes into force in May 2018.
What do I need to know as a Classlist site Ambassador?
- In regulatory terms, either the PTA or school continues to act as ‘Data Controller’, engaging Classlist as a ‘Data Processor’. If the PTA is a separate entity from the school and manages parent data, it is very likely to be a Data Controller in its own right. You must accept Classlist's revised Data Protection Agreement. This describes how Classlist will work as a Data Processor to support the PTA or School as a Data Controller. This normally happens as part of the site set-up procedure. The Agreement does not require signature. Where necessary (for example with a site run solely by a Class Rep) Classlist is registered with the ICO to act as a Data Controller.
- If the Data Controller using Classlist (PTA or school) has contacted parents using a particular email address within the past year for PTA or school purposes, this email can lawfully be entered into Classlist, which becomes their new data processor dealing with email communications. This will fall within parents’ reasonable expectations.
The PTA or school should give users adequate notice of this change in case any parent objects to being invited to Classlist. Mentioning this in a newsletter, or in a note on the PTA or school website, noticeboard or other system regularly used to contact parents, is sufficient. The notice is to inform parents that the PTA is introducing a new communication system, and they may receive an email inviting them to join if they have previously supplied their email address to the PTA. A draft Notice is available on the dedicated GDPR website mentioned above.
- Where the PTA is data controller, it is lawful for the school, as another data controller, to assist in verifying details of new applicants. In addition, at the end of each term or year, or when any relevant change occurs, the school can lawfully assist the PTA with lists of new classes and pupils in each class to ensure the Classlist database is accurate. Any personal data provided by the school must only be used for verification and updating and not for any other purpose. Any personal data sent from the school to the PTA must be transmitted using a secure, encrypted form of communication.
- Where the school is the data controller, it can lawfully engage Classlist as a new data processor and enter parent emails directly into Classlist’s invitation system where this data has been used within the last year to contact parents.
- Where a parent receives an invitation to join Classlist and decides to register, they have full control over what personal data they input and share. The only mandatory fields are name, email and child’s name & class. If they decide not to join, it is lawful for the school or PTA (whichever is data controller) to continue to email them regular updates and other information through Classlist. Apart from their name and email, no personal data has been uploaded and no information at all is visible to other parents. They can unsubscribe from these emails at any time.
- Members must accept the T&Cs, which include strict user guidelines, and also the Privacy Notice, which details how members’ personal data is protected and never passed to third parties except where this is consistent with data protection law (e.g. a court order).
- Full documentation, including the Privacy Notice, Terms & Conditions, Data Protection Agreement, VWV Opinion, FAQs and notes on Classlist’s approach to data processing, is available through Classlist’s Data Protection website. We can also be contacted directly at firstname.lastname@example.org