All Parent Councils will be affected to some extent by the implementation of the new EU-wide GDPR that come into effect on 25 May 2018.
Pending publication of more detailed information specific to Parent Councils by the National Parent Forum for Scotland, you can find very comprehensive information on the Information Commissioners Office website here.
Firstly, do not panic! GDPR implementation does mean that PCs will have to apply new rules, processes and procedures because you will almost certainly hold ‘protected data’ such as names, email addresses and perhaps phone numbers and home addresses. As you (PC Chair, Sec, Treasurer etc) will be holding this data for use by an organisation – your PC – you will be a ‘data controller’ for the purposes of the GDPR.
The requirements are not unduly onerous but include the need to set up some basic processes and controls, eg to:
- Ensure that PCs conduct an audit of what personal data they hold (initial and then at least annual).
- Decide the defined Legal Basis of holding protected data (likely to be Informed Consent – as of April 2018 the advice is that Legitimate Interest is unlikely to be the best option).
- Ensure that all data held is up to date, accurate, subject to password-protected access control and/or encrypted, and not passed on to others without the consent of the data owners. Data (eg email lists) held on USB sticks for example should be encrypted.
- Generate a compliant statement to use with all emails etc that explained why any communication was being sent out (ie the Legal Basis) and how recipients can be removed from future communications.
- Ensure that anyone contacted by the PC had a simple way of requesting that their data was removed/deleted.
- Employ simple housekeeping techniques such as ensuring that emails to individuals used the “blind carbon copy” or bcc option for all addressees to prevent the inadvertent (and thus probably unauthorised) release of personal email addresses.
- Contact all those that data was held on to confirm positively that the PC could continue to hold and use that data (ie, that they agreed to opt in). This should be part of the initial data audit.
- Delete completely all data held on those who did not positively opt in, except potentially data held for meeting (for example) a Legitimate Interest (but only if that is one of the Legal Basis options chosen for holding data).
- Review the information at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ and take all other necessary steps for compliance.
The information here will be updated as soon as more specific recommendations become available. Meanwhile, have a review of what you hold, how you hold it, and whether you still need it.