Data Protection

Gloomtastic!

You wait months for a DP thread then two come along at the same time, typical!

My kids' school has all the parents' contact details - email addresses and phone numbers etc. These are all treated, as expected, with confidence.

For the purposes of organising parties and other social occasions, parents have to harvest the contact details of as many other parents as they can themselves and share. There are however, always some people who remain aloof and therefore their kids miss out.

What is to stop the school from announcing retrospectively that all contact details they hold will be released to, say one parent per class for the sole purpose of organising parties and other social occasions? If they can't do it retrospectively, can they do it going forward? i.e. If parents fill out a contact form and agree that their contact details can be shared with their kid's class.

Hope you can help!

soc

You're just overcomplicating things: you shouldn't have to 'harvest' details from anyone... a lot of kids get buses to/from school, and parents no where near the yard... then what?

In our school, when you enrol your child you provide contact details. Then for email & phone details, you simply check the box to say whether you want to share your contact info (i.e. only email & mobile phone) to other parents in the class. Then when term begins, children are given a printout listing of all students in class with consented parents details on it. Then when it comes to birthday parties/socialising, you just simply use the details from the printout sheet.

Gloomtastic!

Thanks soc. What I'm trying to ascertain is whether you can do this retrospectively i.e. Parents that have already supplied their details to the school. Can the school then write or communicate to the parents to let them know these details will, unless parents request not to, be shared with other parents for the sole purpose of allowing parents to communicate with each other.

silent_spark

Gloomtastic! wrote: »

Thanks soc. What I'm trying to ascertain is whether you can do this retrospectively i.e. Parents that have already supplied their details to the school. Can the school then write or communicate to the parents to let them know these details will, unless parents request not to, be shared with other parents for the sole purpose of allowing parents to communicate with each other.

I would think that permission would have to be positively given, so parents who wish their details to be shared would have to confirm this.

Lazarus2.0

Gloomtastic! wrote: »

What I'm trying to ascertain is whether you can do this retrospectively i.e. Parents that have already supplied their details to the school. Can the school then write or communicate to the parents to let them know these details will, unless parents request not to, be shared with other parents for the sole purpose of allowing parents to communicate with each other.

Absolutely not. Data cannot be processed for any reason other than was given at the time the data was submitted and if the school was crazy enough to try change that retrospectively it would have to be opt-in, not "we're giving out your info unless you tell us not to".

Far easier to send a letter/form home with each child and while teachers might distribute the form the sensible thing is for a parents group to head that up. The school's data processor will/should want no part in all those numbers being passed around like confetti...

(c) the data—

(i) shall have been obtained only for one or more specified, explicit and legitimate purposes,

(ii) shall not be further processed in a manner incompatible with that purpose or those purposes

troll_a_roll

No, the school cannot share the information, unless they stated their intention to share it at the time they were collecting the data.


This issue does raise some other interesting points. The Data Protection Act does apply to commercial entities and to the school, but it doesn't necessarily apply to a group of parents.

In other words, private individuals are entitled to collect and to store data without having to comply with the DP act. An example would be an address book containing your friends names, addresses and phone numbers.
It's also the case that a group of private individuals can compile data as a group, without having to comply with the DP act. An example would be an after-school study group, or an after-school play group, provided that the activity is organised only by the parents in a private capacity, and not by the school.
Another example might be a neighbourhood watch group. I am assuming that these groups are exempt from the DP act under the private and domestic exemption.


The reason I said this is interesting is because those cases above are probably borderline cases, where the line between domestic activities and commercial activities is blurred.




Another major point about the OPs case is that it'd be very rare for a company to explicitily specify why they are requesting a piece of data.
The law may say the purpose must be specific and explicity stated but in practice that rarely happens. Therefore, most purposes are implied in the real world.

An example is a request for an email address which is on a larger form. It's rare that a specific reason is given as to why an email address is being requested.
Therefore, the purpose is not clear, it's not specific, and it's certainly not explicitily stated.

The purpose of an email address is that the email address be used as an email address. Therefore, by providing an email address on a form, you are giving implied consent that you are prepared to receive email at that address.
The same thing applies if you provide a phone number on a form. The intention is that the phone number be used in some circumstances.



The reason I'm labouring the point about implied purposes is that the school could perhaps say that the parents provided the details on the basis that the details be used for school activities. An exhaustive list of purposes was not provided and therefore the parents cannot say that the purposes were clear.
The parents provided the information without knowledge of how the data would be specifically used, and so it must be said that the parents left themselves open to being surprised by some of the purposes.


Sharing the details with other parents for the purpose of party invitations could be argued to be a part of school life, and to be part of the social aspect of school and of growing up. Therefore, it would be a legitimate use of the data.


I don't think this issue is as cut and dried as it may have appeared at first blush, unless an exhaustive list of purposes was given in respect of each piece of data collected by the school originally.

This is the legal forum which is why I've presented a formal type argument.

campo

Gloomtastic! wrote: »

Thanks soc. What I'm trying to ascertain is whether you can do this retrospectively i.e. Parents that have already supplied their details to the school. Can the school then write or communicate to the parents to let them know these details will, unless parents request not to, be shared with other parents for the sole purpose of allowing parents to communicate with each other.

This is what happened in the school that my 5 year old goes to, at the start of the year we got a letter asking was it OK to share our phone number with other parents so they could contact us for parties etc

GM228

troll_a_roll wrote: »

This issue does raise some other interesting points. The Data Protection Act does apply to commercial entities and to the school, but it doesn't necessarily apply to a group of parents.

In other words, private individuals are entitled to collect and to store data without having to comply with the DP act.

Any person - a natural or legal person (i.e a private individual or a company) who processes and stores personal information/data on a computer or in structured manual files is subject to the DP act even as a group.

troll_a_roll

Private individuals are not subject to the DP act in their private capacity. Your address book at home is not subject to the DP Act but your address book at work is.

GM228

troll_a_roll wrote: »

Private individuals are not subject to the DP act in their private capacity. Your address book at home is not subject to the DP Act but your address book at work is.

It's nothing to do with private capacity, but rather the purpose of the data.

Private individuals are not subject to DP when the data is processed for their own purely personal or household reasons, but processing data as a private individual for purposes which arn't a purely personal or household reasons is subject to DP.

Data which is exempt is data held for the management of your own personal/family or household affairs which is why an address book is exempt, but when in a parenting group for example you are dealing with information relating to other peoples personal and family affairs and so are subject to DP.

troll_a_roll

I don't agree. A group larger than a family can come together in a common purpose which remains private and exempt from data protection.

Examples like a neighbourhood watch group, or an after-school walk-home-together group, or a computer game playing group, or other informal groups are likely to be exempt from the data protection act.


I'm trying to remember what the qualifying criteria are for the data protection act and can't remember.

GM228

troll_a_roll wrote: »

I don't agree. A group larger than a family can come together in a common purpose which remains private and exempt from data protection.

Examples like a neighbourhood watch group, or an after-school walk-home-together group, or a computer game playing group, or other informal groups are likely to be exempt from the data protection act.


I'm trying to remember what the qualifying criteria are for the data protection act and can't remember.

You may not agree but the DP Act and the ECJ does (see František Ryneš vs Úřad pro ochranu osobních údajů for example).

I've outlined the qualifying criteria and the exception for personal reasons above, the exception is relation to personal data is specifically in relation to the management of your own personal affairs.

(1)(4) This Act does not apply to—

(c)personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.

As you can see the exemption is specifically in relation to data you hold in relation to your personal, family or household affairs.

Robbo

This will seem like a fantastic idea right up until the point where you run into:

1. The parent who's just started a side hustle in pyramid selling
2. The parent who knows no boundaries when it comes to flooding a Whatsapp group with dozens of messages at 2 am
3. The breakaway Whatsapp group full of bitching and backbiting at the above

May god have mercy on your mute button.

troll_a_roll

GM228 wrote: »

DPP Law
(1)(4) This Act does not apply to—

(c)personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.


As you can see the exemption is specifically in relation to data you hold in relation to your personal, family or household affairs.

With respect , I feel you are misunderstanding what that means.

That exemption in the law is very broad.

Your family affairs involves many people outside your family, as do your household affairs.


If a group of three or four parents have a walk-home-together group, and there exists a sheet of paper with the parents names on it, and phone numbers and addresses, that sheet of paper, and the data it contains, is not subject to the DP act, as the sheet is used only for the personal use of the parents, despite the fact that there are several parents of separate families involved. All of the parents agree that the sheet is a personal matter.


The issue boils down to this. Your neighbour has no right to see your private address book. He cannot insist that you update his details if they change, as people can insist under DP law with other organisations.

You are entitled to have details of your neighbours and your frends, and details of businesses in your personal address book and those people have no rights under DP law.


Your personal affairs involve other people other than blood relatives and your immediate family.