Parent Contact Information from the Annual Data-Check Returns – How to store and use the Data

22 August 2018
The HPCP is pleased to see that the Highland Council has now included a page for provision of parental contact data to Parent Councils on the annual data-check form (that parents are, or may be, asked to complete each year).
This means that most Parent Councils will get this information from their schools in the next few days or weeks.
Whether you get the actual paper slips or a consolidated list of email addresses for which consent has been received will depend on what you can agree with your school.
The schools are not obliged to put the data onto an electronic document for you, or to extract the consented data from their own office systems, but they may be able/willing to do that as long as they can confirm that only details that parents have agreed to being supplied to the Parent Council are transferred.
It is best practice to process this data within 30 days of receiving it: technically, if you hold the data but do not do something with it reasonably quickly, it raises the question of why you are holding it.
The easiest thing to do is send out a standard confirmation email from your PC email account as soon as you get the data, eg to say “You have been sent this email as you have provided your personal email address, on the data-check form or by other means, and we want to confirm that we have the correct details, including checking for any ‘failure to deliver’ messages.  If you do not want to receive emails from the Parent Council, or want us to use a different or additional email address, then please let us know immediately.”
For those concerned about holding personal data now that the GDPR (new data protection rules) is in force, do not panic!
It is not difficult to handle personal data securely as long as you are using a “corporate” email (like the gmail addresses every parent council has available to them or that the HPCP can set up) rather than a personal one, and you follow the basic rules.
So only use the “blind carbon copy” or bcc option when sending to multiple email addresses and not the “to” or “cc” fields – that way you do not divulge the email addresses of everyone on your mailing and thus commit a breach of the regulations.
If you do create or hold one or more electronic files with personal data like private email addresses then password-protect the file and make sure it is kept up to date.  You can share the password with other PC office bearers, but they should only hold copies of data if essential, so in general it is better for just the Sec (and perhaps the Chair) to have the personal data.
Do have a Privacy Policy in place – which is easy to do if you just use the template that Connect has provided at https://connect.scot/application/files/9115/3442/7867/DP2_Data_Protection_template_policy_GDPR_FINAL_.pdf .
You do not have to put the policy on your school or PC website or Facebook pages etc, but it is generally helpful if you do, just as the HPCP does at http://www.highlandpcp.org.uk/privacy-policy/.
Your school should be willing to post it on their website, but you can also add a line to all your PC emails along the lines of “the abc School Parent Council Privacy Policy is available on request”, and you can put up a hard-copy version on the school public noticeboard.
If, as a Parent Council, you do not want to hold any personal data then you do have other options.
You may be able to agree with your school to have everything that you want to send outbound to parents posted on the school website or Facebook pages, or you may set up your own website or Facebook page to post messages and documents, but that does not solve all the issues if you still get inbound emails to the PC email address.
Your school may agree to the admin support team sending out and then receiving emails on your behalf, but you still have to work out how you get access to the replies, and the school may not be able or willing to support much more than occasional communications.
Even if you decide to do everything on paper you still have to secure the physical files (ie, keep them locked away) if they hold any personal data (including postal addresses).
In most cases using your PC Gmail account and keeping all the personal data in the Contacts list will be the easiest option.  You can add comments to each address held (eg when you got consent to hold it, when you last checked it was up to date, if there has been an access request by the owner of the data, etc).  When you delete data you should also record that, and tell the owner that you are about to delete it.  Follow the guidance on the HPCP website at http://www.highlandpcp.org.uk/essential-information-for-your-parent-group-about-general-data-protection-regulation/, and look at the NPFS and Connect websites as well for alternative ideas.
Finally, once you have processed the data on the paper return slips, and checked it is accurate, shred or burn the paper!
