Clare Atkinson is a Trustee of the Institute of Development Professionals in Education, which has been working closely with the ICO and legal professionals to develop best practice in the GDPR, relating to fundraising and community engagement in schools. Clare is also Data Protection Officer and Development Director at Dr Challoner’s Grammar School in Amersham. Here, she answers some specific questions around the practicalities of implementing the GDPR in relation to fundraising activities...
For some time, we have been seeking permission from our alumni to keep in touch with them after they have left. We send newsletters and fundraising information, and encourage them to come back to help with our careers events or place adverts in the school magazine. The legal basis for collecting this information is legitimate interest. However, it is crucial that schools do not fall foul of the Privacy and Electronic Communications Regulations (PECR) and ensure that permission is sought for electronic communications such as email, SMS or telephone calls to numbers registered with the Telephone Preference Service (TPS). We would not contact a student without this consent; it would be counterproductive and potentially damaging. We have very few students who ask not to be contacted once they leave the school and we, of course, respect their wishes. Often, students will then renew contact at a time that it suits them to do so.
The ICO has indicated that doing this is acceptable, although schools should continue to review their lawful basis for processing, and ensure that legitimate interest to contact your alumni remains valid. Schools must be explicit in their privacy notice as to the reason why they are collecting any information and what they will be using that data for. You will also need to have a retention policy, which clearly states how long you keep your data for. Manage your communications so as not to bombard an alumnus. We want to build long-term, lasting relationships rather than something short-term.
In most cases, your PTA is a separate entity from the school, therefore you cannot share data with them unless the parent (or future parent) has given specific permission for you to do so. I would recommend asking parents as part of the enrolment process if they are happy to receive information from the PTA, then you could invite them to such events. If you are sharing parent data with the PTA, however, you will need to consider how the PTA is processing this personal data as the school will still have a responsibility to ensure this is being used appropriately.
In many cases, schools will send communications out to parents on the PTA’s behalf, so the school doesn’t actually share data, however even in this context the school is processing the parents’ personal data to promote PTA activities. As such, you will still need to rely on either consent from the parents to receive this information or be able to demonstrate that the school has a legitimate interest in promoting the summer fair to future parents and this needs to be made clear in your privacy notice. Don’t forget that if relying on email you will need consent under the PECR.
No, as long as the request relates to the actual business (rather than a request for personal support from the individual). With local businesses, you are more likely to be successful by asking someone from the school community to make this approach – a parent or governor. Our recent careers fair had many parents involved. We ask them for support and they then contact us if they can help. Of course, such information should only be kept for as long as necessary – i.e. while planning and executing the event. Exhibitors could however, be asked if they would be interested in helping again in the future, which would justify keeping such information for a longer period of time, with this specific purpose in mind.
Yes, as long as the information stored is not personal data. If it is personal data, i.e. a personal email address for the contact you hold (rather than an email address relating to the club) then you will need to consider having consent to continue to contact that individual under the PECR. When clubs do use the school’s facilities regularly, you could consider introducing a consent form that clearly states why you intend to hold that data, for how long, and how you intend to use it.
Gift Aid information should be collected at the same time as a donation is made and needs to be kept for six full financial years after the financial year in which the donation is made. There are excellent examples of wording available from HMRC that should be followed. As there is a legal basis for retaining this data, there is no need for a data-sharing agreement in this case. Please see gov.uk/claim-gift-aid/gift-aid-declarations.
It depends. You may be able to rely on legitimate interest to contact runners from last year, given you are inviting them to the same event, but you would need to ensure you carry out a legitimate interest assessment to ensure you have considered their privacy rights and whether your communication is intrusive. But without consent, you could not contact them by email. Don’t forget that you can try to gain new supporters too by publicising the event widely throughout the community. I’d suggest that when people sign up to this year’s event, you invite them to opt in to receive information for similar activities in the future. If this is an annual event, you can give them the option of opting in each year, and update your database accordingly.
You need a list of people who have opted out to prove you are not contacting them; keep information about donations or financial transactions for a specified period of time – this is legal basis and mandatory; consider communication methods – unless people have opted in to receive emails, you cannot contact them that way; ensure that you are clear about who the communication has come from. Is it from your PTA, school fund or the school itself? What is the legal basis you have for processing the data? To parents, they will all seem the same, but the reality is that they are separate legal entities and each needs to consider the retention, storage and processing of information. Make sure you have a Data Protection Officer (DPO)!
This article has been supplied by IDPE and should only be used as a guide. Every school is different and therefore we recommend that schools seek legal advice or contact the ICO directly or visit ico.org.uk for further information.