Classlist is compliant with GDPR
The General Data Protection Regulation (GDPR) runs to more than 200 pages. Data protection is a complex, rapidly evolving subject - and the regulation can get a bit technical - but you can rest assured that Classlist is fully compliant with the new legislation came into force in May 2018.
Important: new guidance from the Information Commissioner's Office (ICO) says that your school can now share parent email addresses with you for you to invite parents to Classlist, whilst complying with GDPR. Yes you read that right! See below for more information or go to our dedicated data protection website.
Please note there are several options for inviting parents to Classlist - so if you don't have parent email addresses - don't worry! Sending out a QR code to all parents is another great way to get your parents on board. However with that method parents won't receive admin announcements in the time before they join like they would if invited by email.
What do I need to know as a Classlist site Ambassador?
- In regulatory terms, either the PTA or school continues to act as ‘Data Controller’, engaging Classlist as a ‘Data Processor’. If the PTA is a separate entity from the school and manages parent data it is very likely to be a Data Controller in its own right. You must accept Classlist's revised Data Protection Agreement. This describes how Classlist will work as a Data Processor to support the PTA or School as a Data Controller. This normally happens as part of the site set-up procedure. The Agreement does not require signature. Where necessary (for example with a site run solely by a Class Rep) Classlist is registered with ICO to act as a Data Controller.
- If the Data Controller using Classlist (PTA or school) has contacted parents using a particular email address within the past year for PTA or school purposes, this email can lawfully be entered into Classlist, which becomes their new data processor dealing with email communications. This will fall within parents’ reasonable expectations. The PTA or school should give users adequate notice of this change in case any parent objects to being invited to Classlist. Mentioning this in a newsletter; a note on the PTA or school website or noticeboard or other system regularly used to contact parents is sufficient. The notice is to inform parents that the PTA is introducing a new communication system, and they may receive an email inviting them to join if they have previously supplied their email address to the PTA.
- Where the PTA is data controller, it is lawful for the school, as another data controller, to assist in verifying details of new applicants. In addition at the end of each term or year, or when any relevant change occurs, the school can lawfully assist the PTA with lists of new classes and pupils in each class to ensure the Classlist database is accurate. Any personal data provided by the school must only used for verification and updating and not be for any other purpose. Any personal data sent from the school to the PTA must be transmitted using a secure, encrypted form of communication.
- Where the school is the data controller they can lawfully engage Classlist as a new data processor and enter parent emails directly into Classlist’s invitation system where this data has been used within the last year to contact parents.
- Where a parent receives an invitation to join Classlist and decides to register, they have full control over what personal data they input and share. The only mandatory fields are name, email and child’s name & class. If they decide not to join, it is lawful for the school or PTA (whichever is data controller) to continue to email them regular updates and other information through Classlist. Apart from their name and email, no personal data has been uploaded and no information at all is visible to other parents. They can unsubscribe from these emails at any time.
- Members must accept the T&Cs which include strict user guidelines, and also the Privacy Notice which details how members’ personal data is protected, and never passed to third parties except where this is consistent with data protection law (eg a court order).
- Full documentation including the Privacy Notice, Terms & Conditions, Data Protection Agreement, VWV Opinion, FAQs and notes on Classlist’s approach to data processing is available through Classlists’s Data Protection website. We can also be contacted directly at firstname.lastname@example.org
If that sounds a little daunting, just remember that simply by using Classlist you become compliant with most of the requirements of GDPR and we are here to help: simply email us at email@example.com if you have any questions. One of the really positive aspects of working with Classlist is that your PTA/Friends Association can lawfully ask the school to help with approving parents and also with move-up lists at the end of the year. For busy PTAs that is a massive win.
Article is closed for comments.