Essential information for your parent group about General Data Protection Regulation
12th March 2018
Your Questions Answered and Key GDPR Terms
What is GDPR?
GDPR is a regulation by the European Parliament which adds to the UK’s data protection laws, and gives people more rights over their own information (or data).
What remains the same?
· Organisations that hold data (information) about people (like members or staff) need to handle it in a fair and lawful manner.
· You can only keep personal data if people know it is being held and why, if it is for lawful purposes, and when informed consent is gained. You cannot just gather lists of people’s personal information for no particular reason.
· Any personal data stored must be for the reason people are given – in other words you can’t collect email addresses to send out eNewsletters and then use the same list to send out something quite different.
· Personal data must be accurate and kept up to date.
· Personal data must not be stored for longer than necessary. Keeping details of people that you no longer need or use (for example, previous volunteers) is against the law.
· Personal data must be kept securely.
· Personal data can only be handled in a way that respects the rights of individuals.
What has GDPR changed?
· GDPR gives people more rights to know how their personal data is being used.
· The right to be ‘forgotten’ and their personal data deleted if they wish.
· To be able to see what personal data is being held about them, and to make sure their personal data is correct.
· Increased importance for the protection of children.
· Increased importance for not allowing people without permission to see or use others’ personal data.
· If someone’s personal data has been used by people without permission, they have to be told what happened.
When will it come into effect?
GDPR comes into effect on Friday 25 May 2018.
How will this affect my Parent Council?
All organisations need to follow the rules of GDPR no matter how big or small, so this will include Parent Councils, PTAs and other parent groups. As an organisation that decides to collect personal data and how it will be used, you must be clear about how and why you record the personal data. You must also keep it secure, to make sure people have given you permission to hold their data, and to make corrections if the person asks you. You could be fined by the Information Commissioners Office if you fail to do this.
What should my Parent Council do now?
The first thing to do is don’t panic! However, you should start thinking about what your group needs to do about GDPR.
· You should look again at your Data Protection policy, or put one in place if you don’t already have one. Connect has updated our sample version to help you with this.
· Now is the time to spring clean your data. Do you still hold data on parents whose children have left the school, or volunteers who have left the group? Now is the time to delete or destroy the data you no longer use. You should also ask people who you want to stay in touch with that it is still ok to hold their data, make sure they know what you use it for, and record that they have given you permission.
· You need to make sure data is secure. Are spreadsheets kept on a password protected laptop/computer or online service? Are paper files locked up? Do you have a dedicated Parent Council email account, to keep all email contact with parents in one place?
· Think about ways people without permission could get access to the data you hold, and what you can do to prevent this. Do you update your passwords when people leave the Parent Council? If you use a private Facebook group (or other platforms) to discuss Parent Council matters, do you promptly remove people who are no longer members?
· Consider mapping out how personal data moves through your group, to show you are keeping track of the data you hold, and to look for potential weak spots. Where is data gathered from, where is it held, and where does it go?
It is also important to record all the steps you are taking to meet the needs of GDPR, in case you are asked the question.
What about holding children’s personal data?
Children have the same rights over their personal data as adults do. If you are gathering personal data from children under 13 years, you need to make sure you also have consent from their parent/carer.
Does my group’s membership linked insurance cover GDPR fines?
No, the Connect membership linked insurance does not provide cover for any illegal activity, which includes not meeting the needs of GDPR.
Keep these points in mind when dealing with a person’s information:
· If you don’t use it, don’t collect it.
· Only those who need to should have access to it
· Delete it when it is no longer needed (remember to empty your recycle bin too!)
· Remember to get permission.
· Make sure they know how, why, and for how long you will hold it.
A cheat sheet on GDPR terms
Personal Data: Personal data is any information which identifies an individual, including things like names, addresses, phone number and email addresses.
Data Controller: A data controller is a person/organisation that collects personal data and decides how it will be used. This would be the parent group.
Data Processor: A data processor is a person/organisation who uses personal data on behalf of the data controller. For example, an outside company who sends addressed mailings on the group’s behalf.
Both Data Controller and Data Processor must follow GDPR rules.
Informed Consent: This is the safest way to meet the rules of GDPR, by making sure everyone you hold information on gives their ‘informed consent’. That means they have agreed to you holding data, and they know why, how and for how long you will use it.
In other words, you cannot hold information because people have not opted out, or just ask people to tick a box without giving them full information. They must also understand how they can withdraw consent.
Legitimate Interests: You may have heard of this term as a way to justify holding personal data without explicit consent. GDPR does allow for data processing without consent in some circumstances but it would be very unlikely that a parent group could justify holding data in this way, so we strongly recommend gaining informed consent as the safest and most reliable way to meet the rules of GDPR.
Remember, you can still get information to parents in ways that don’t need their personal data. For example, unaddressed leaflets sent home with pupils, or noticeboards in the school.
Data Breach: A Data Breach is when someone without permission has seen or used peoples’ personal data. GDPR says you must keep personal data safe from data breaches, as well as giving the people whose data has been breached the right to know it has happened, and what personal data was accessed.