GDPR: The implications for fundraising

Just when you thought you were on top of the General Data Protection Regulations (GDPR), we’d like to add fundraising activity into the mix! We put some of the most common scenarios to Clare Atkinson, Trustee of the Institute of Development Professionals in Education (IDPE).

Clare Atkinson is a Trustee of the Institute of Development Professionals in Education, which has been working closely with the ICO and legal professionals to develop best practice in the GDPR, relating to fundraising and community engagement in schools. Clare is also Data Protection Officer and Development Director at Dr Challoner’s Grammar School in Amersham. Here, she answers some specific questions around the practicalities of implementing the GDPR in relation to fundraising activities...

Universities enjoy significant support from their alumni and FundEd encourages schools to do the same. On what basis can schools ask for contact information from students who are leaving?

For some time, we have been seeking permission from our alumni to keep in touch with them after they have left. We send newsletters and fundraising information, and encourage them to come back to help with our careers events or place adverts in the school magazine. The legal basis for collecting this information is legitimate interest. However, it is crucial that schools do not fall foul of the Privacy and Electronic Communications Regulations (PECR) and ensure that permission is sought for electronic communications such as email, SMS or telephone calls to numbers registered with the Telephone Preference Service (TPS). We would not contact a student without this consent; it would be counterproductive and potentially damaging. We have very few students who ask not to be contacted once they leave the school and we, of course, respect their wishes. Often, students will then renew contact at a time that it suits them to do so.

The ICO has indicated that doing this is acceptable, although schools should continue to review their lawful basis for processing, and ensure that legitimate interest to contact your alumni remains valid. Schools must be explicit in their privacy notice as to the reason why they are collecting any information and what they will be using that data for. You will also need to have a retention policy, which clearly states how long you keep your data for. Manage your communications so as not to bombard an alumnus. We want to build long-term, lasting relationships rather than something short-term.

Can admissions data be used to contact families of incoming students, for example to invite them to attend the PTA summer fair? If yes, on what grounds is this acceptable?

In most cases, your PTA is a separate entity from the school, therefore you cannot share data with them unless the parent (or future parent) has given specific permission for you to do so. I would recommend asking parents as part of the enrolment process if they are happy to receive information from the PTA, then you could invite them to such events. If you are sharing parent data with the PTA, however, you will need to consider how the PTA is processing this personal data as the school will still have a responsibility to ensure this is being used appropriately.

In many cases, schools will send communications out to parents on the PTA’s behalf, so the school doesn’t actually share data; however, even in this context the school is processing the parents’ personal data to promote PTA activities. As such, you will still need to rely on either consent from the parents to receive this information or be able to demonstrate that the school has a legitimate interest in promoting the summer fair to future parents, and this needs to be made clear in your privacy notice. Don’t forget that if relying on email you will need consent under the PECR.

Are there any restrictions on contacting local businesses to request support, i.e. for sponsorship? And how should this data list be maintained?

No, as long as the request relates to the actual business (rather than a request for personal support from the individual). With local businesses, you are more likely to be successful by asking someone from the school community to make this approach – a parent or governor. Our recent careers fair had many parents involved. We ask them for support and they then contact us if they can help. Of course, such information should only be kept for as long as necessary – i.e. while planning and executing the event. Exhibitors could, however, be asked if they would be interested in helping again in the future, which would justify keeping such information for a longer period of time, with this specific purpose in mind.

Is it acceptable to maintain a database of local clubs – those who currently use the school’s facilities and those who don’t (but might want to)?

Yes, as long as the information stored is not personal data. If it is personal data, i.e. a personal email address for the contact you hold (rather than an email address relating to the club) then you will need to consider having consent to continue to contact that individual under the PECR. When clubs do use the school’s facilities regularly, you could consider introducing a consent form that clearly states why you intend to hold that data, for how long, and how you intend to use it.

How should schools collect Gift Aid information from parents? As this information will be uploaded to the HMRC website, does the school need special wording around the ‘sharing’ of this data with a third party?

Gift Aid information should be collected at the same time as a donation is made and needs to be kept for six full financial years after the financial year in which the donation is made. There are excellent examples of wording available from HMRC that should be followed. As there is a legal basis for retaining this data, there is no need for a data-sharing agreement in this case. Please see gov.uk/claim-gift-aid/gift-aid-declarations.

A local primary school organised a junior colour run last autumn, with many children from other schools in the area taking part. It was hugely popular and they plan to run it again this autumn. Can they contact those who took part last year, inviting them to join in this year?

It depends. You may be able to rely on legitimate interest to contact runners from last year, given you are inviting them to the same event, but you would need to ensure you carry out a legitimate interest assessment to ensure you have considered their privacy rights and whether your communication is intrusive. But without consent, you could not contact them by email. Don’t forget that you can try to gain new supporters too by publicising the event widely throughout the community. I’d suggest that when people sign up to this year’s event, you invite them to opt in to receive information for similar activities in the future. If this is an annual event, you can give them the option of opting in each year, and update your database accordingly.

If schools are using an online ticketing platform such as Eventbrite to sell tickets for an event, are there any issues to consider over using third-party software/payment systems?

You will need to consider data-sharing agreements and where the data is held (not outside the EU otherwise this doesn’t comply with the GDPR). Most big platforms will be aware of the legislation and can guide you. However, you may like to include, as part of your privacy policy, that such third-party websites are not covered by your own privacy policy and therefore advise that individuals using these platforms should check that they are happy with the third-party privacy policy before proceeding.

Are there any other relevant issues to consider, such as maintaining a database of past donors or those who have opted out of receiving information?

You need a list of people who have opted out to prove you are not contacting them; keep information about donations or financial transactions for a specified period of time – this is legal basis and mandatory; consider communication methods – unless people have opted in to receive emails, you cannot contact them that way; ensure that you are clear about who the communication has come from. Is it from your PTA, school fund or the school itself? What is the legal basis you have for processing the data? To parents, they will all seem the same, but the reality is that they are separate legal entities and each needs to consider the retention, storage and processing of information. Make sure you have a Data Protection Officer (DPO)!

This article has been supplied by IDPE and should only be used as a guide. Every school is different and therefore we recommend that schools seek legal advice or contact the ICO directly or visit ico.org.uk for further information.
