MANAGING YOUR PTA – Data protection
fundraising to a wider audience, so don’t feel that you can’t have a page. It may be safer, however, to have a secure, closed group for your committee and/or parents, as well as a page where only general information is posted. The changeable nature of a PTA
committee means that you may have a dedicated moderator one year, and then the page, or group, may go unmanaged the next. Try to overcome this by creating a
Storing data – databases

Under GDPR it’s important to keep clear records of what a person has consented to and when they did so. This means procedures for using and protecting personal data need to be documented. If you are unable to show that you have ongoing consent and when you got it (or up-to-date information to justify legitimate interest) then you cannot use personal data for direct marketing. The best way to do this is to set up a secure and well-maintained database of all personal data you possess. Collins Dictionary describes a database as ‘a collection of data that is stored in a computer and that can be easily used and added to’. This covers spreadsheets, Google Docs and Word documents – but lists on bits of paper still count! Of the 80% of schools who handle their own data, 56% use an Excel spreadsheet and 36% use Google Docs to keep information safe. To comply with GDPR you should be able to demonstrate that:

- All personal data is stored securely in one place.
- Data is regularly reviewed and updated.
- Your database is password protected and the password is not handed out too freely.
- You keep track of who has access to the data and remove access/update the password once members leave the committee.
- You have a written policy and keep a record of how you handle data.

If you already have a database, start as you mean to go on by updating it as best you can. If you have individuals on your database where you don’t know when you last interacted with them or whether they gave consent, then you cannot safely contact them and need permission before doing so. You also need to keep the data of any business or sponsorship associates safe – all data needs to be treated and protected equally.

20 SPRING 2018 pta.co.uk

IS YOUR DATABASE SECURE AND UP-TO-DATE?

Finding out who does and doesn’t want to be contacted is one thing, but keeping this information safe within itself is also crucial. The easiest way to do this is by splitting your database between those who have opted in to receive PTA communications and those who haven’t, as well as those who have actively said they do not want to be contacted. Keeping all data in one place means it can be easily passed over when the committee changes, and there’s no risk of the new committee emailing those who have opted out.

Keeping data contained is a practice that should be extended to emails too. It’s hard to keep track of emails sent from numerous personal accounts – one PTA email account that various people can access means everything is in the same place and there are no concerns over personal data on private accounts.
What else do you need to know?

Data breach: All organisations have a duty to report certain types of data breach to a relevant supervisory authority. The ICO defines a data breach as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. This means that a breach is more than just losing personal data. You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals – this would need to be assessed on a case-by-case basis. A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. For more information, visit ico.org.uk. Check that your PTA insurance policy covers the cost of seeking legal advice in the event of a data breach.

Deletion policy: There is no stipulation for the length of time data is kept and some personal data will need to be retained for longer in certain cases. How long you retain different categories of personal data should be based on individual needs. A judgement must be made about: the current and future value of the information; the costs, risks and liabilities associated with retaining the information; and whether it remains accurate and up-to-date. For example, one to two years would seem reasonable for parent data (though if you are asking parents for consent annually, it might be easier to start your parent contact database afresh each year). That said, you may wish to securely archive the previous year’s data in case of repeated activity, such as a Christmas pudding scheme in which parents have previously participated. Contact details for businesses who have provided sponsorship or donated can reasonably be kept for longer. Make sure you agree a process and, if you can, attribute responsibility for data management to someone on your committee.
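The consent split described under “Storing data” and the one-to-two-year parent retention period from the deletion policy can be applied mechanically to a contact register. The following is an added example written for this article, not code from the PTA or any tool it mentions: it treats a contact as contactable only when an opt-in and its date are both on record and the date is within the assumed two-year retention period, and everyone else goes to a “needs consent” list; the sample register, the two-year figure and the “today” date are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention period for parent contact data: the article suggests one to two
# years; two years is the assumed upper bound used here.
PARENT_RETENTION = timedelta(days=2 * 365)
AS_OF = date(2018, 5, 1)  # constructed "today" so the example is reproducible

@dataclass(frozen=True)
class Contact:
    name: str
    email: str
    consent: str                  # "opted_in", "opted_out" or "unknown"
    consent_date: Optional[date]  # when consent was recorded, if known

def may_contact(contact, today, retention=PARENT_RETENTION):
    """True only for a recorded, dated opt-in still within the retention period.
    Anyone who opted out, or whose consent or its date is not on record, must
    not be sent PTA communications until fresh permission is obtained."""
    if contact.consent != "opted_in" or contact.consent_date is None:
        return False
    return today - contact.consent_date <= retention

def partition(contacts, today, retention=PARENT_RETENTION):
    """Split the register into the three lists the article says to keep apart."""
    groups = {"opted_in": [], "needs_consent": [], "opted_out": []}
    for c in contacts:
        if c.consent == "opted_out":
            groups["opted_out"].append(c.email)      # keep, so nobody re-adds them
        elif may_contact(c, today, retention):
            groups["opted_in"].append(c.email)
        else:
            groups["needs_consent"].append(c.email)  # unknown, undated or stale
    return groups

# Constructed sample register; every name and address is invented.
SAMPLE = [
    Contact("A. Parent", "a.parent@example.org", "opted_in", date(2017, 9, 10)),
    Contact("B. Parent", "b.parent@example.org", "opted_in", date(2015, 3, 1)),  # stale
    Contact("C. Parent", "c.parent@example.org", "unknown", None),
    Contact("D. Parent", "d.parent@example.org", "opted_out", date(2018, 1, 5)),
    Contact("E. Parent", "e.parent@example.org", "opted_in", None),  # undated
]

if __name__ == "__main__":
    for group, emails in partition(SAMPLE, AS_OF).items():
        print(f"{group}: {emails}")
```

The opted-out list is kept rather than deleted so that a new committee cannot re-add those people by mistake, which is the risk the article describes.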
For more information
If in doubt, seek expert advice. Find more guidance from the following organisations:

Fundraising Regulator: https://goo.gl/FBTcdp
ICO: https://goo.gl/nVc4kP

ICO has a helpline for smaller organisations preparing for GDPR: 0303 123 1113.