intrusive. But without consent, you could not contact them by email. Don’t forget that you can try to gain new supporters too by publicising the event widely throughout the community. I’d suggest that when people sign up to this year’s event, you invite them to opt in to receive information for similar activities in the future. If this is an annual event, you can give them the option of opting in each year, and update your database accordingly.
Q If schools are using an online ticketing platform such as Eventbrite to sell tickets for an event, are there any issues to consider over using third-party software/payment systems?
A You will need to consider data-sharing agreements and where the data is held (not outside the EU otherwise this doesn’t comply with the GDPR). Most big platforms will be aware of the legislation and can guide you. However, you may like to include, as part of your privacy policy, that such third-party websites are not covered by your own privacy policy and therefore advise that individuals using these platforms should check that they are happy with the third-party privacy policy before proceeding.
Q Are there any other relevant issues to consider, such as maintaining a database of past donors or those who have opted out of receiving information?
A You need a list of people who have opted out to prove you are not contacting them; keep information about donations or financial transactions for a specified period of time – this is legal basis and mandatory; consider communication methods – unless people have opted in to receive emails, you cannot contact them that way; ensure that you are clear about who the communication has come from. Is it from your PTA, school fund or the school itself? What is the legal basis you have for processing the data? To parents, they will all seem the same, but the reality is that they are separate legal entities and each needs to consider the retention, storage and processing of information. Make sure you have a Data Protection Officer (DPO)!
A summary of the GDPR
On 25 May 2018 the GDPR replaces the current Data Protection Act. Every organisation that processes personal data will have to comply and must process personal data in a lawful, fair and transparent way, and for specified, explicit and legitimate purposes.
LEGAL BASIS
The GDPR places more emphasis on being accountable for, and transparent about, your lawful basis for processing data. The six lawful bases are:
CONSENT: Individuals must give clear consent for you to process their personal data. This must be a freely given, specific, informed and unambiguous indication of their wishes (no pre-ticked boxes).
CONTRACT: Processing is necessary for a contract you have with an individual, or if they have asked you to take steps before a contract starts.
LEGAL OBLIGATION: Processing is necessary for legal compliance.
VITAL INTEREST: Processing is necessary to protect someone’s life.
PUBLIC TASK: Processing is necessary for you to perform a task in the public interest or for your official functions, and this has a basis in law.
LEGITIMATE INTEREST: Processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is good reason to protect the individual’s personal data, which overrides this.
Review your existing lawful bases for processing personal data, and check that these remain appropriate. For further information, visit ico.org.uk.
ACCOUNTABILITY AND TRANSPARENCY
Clearly demonstrate compliance by documenting your purpose(s) for processing personal data and the appropriate lawful basis (or bases) in your privacy notice; tell individuals about how and why you are using their personal data. Consider when and if the purpose for processing data changes, e.g. when a pupil leaves school and you continue to communicate with them. Has the purpose changed, and is this in the school’s privacy policy?
INDIVIDUAL RIGHTS
The GDPR strengthens an individual’s privacy rights to include: the right to be informed; right of access; right to rectification; right to erasure; right to restrict processing; right to data portability; right to object; rights around automated decision-making and profiling.
Other key changes
CONTRACTS: Whenever a data controller uses a data processor a written contract needs to be in place.
DOCUMENTATION: If documenting your processing activities, cover areas such as the purpose for processing personal data, data sharing and retention.
DPIAs: The GDPR introduces a new obligation to do a Data Privacy Impact Assessment (DPIA) before carrying out processing likely to result in high risk to individuals’ interests. If your DPIA identifies a high risk that you can’t mitigate, you must consult the ICO.
DPOs: You must appoint a Data Protection Officer (DPO) if you are a public authority.
SECURITY OF PERSONAL DATA: Schools must ensure the security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
DATA BREACHES: Under the GDPR, there is a duty to inform the ICO within 72 hours if a school has a data breach.
FundEd SUMMER 2018 13
This article has been supplied by IDPE and should only be used as a guide. Every school is different and therefore we recommend that schools seek legal advice or contact the ICO directly or visit ico.org.uk for further information.
Clare Atkinson is Development Director at Dr Challoner’s Grammar School in Amersham. Clare is also a Trustee of the Institute of Development Professionals in Education (IDPE) and has been working closely with the ICO and legal professionals to develop best practice in the GDPR, relating to fundraising and community engagement in schools. To find out more about IDPE visit idpe.org.uk.