GDPR & confidentiality
The APEEE collects personal information about parents and pupils, not only name, email address and other identifying information, but also highly sensitive information that parents may communicate to the APEEE, such as complaints against the school, issues to do with bullying, requests for learning support etc. The APEEE is therefore defined as a data controller under GDPR and so is required to establish measures for how this information will be managed and protected. The APEEE also processes personal information in this capacity, therefore is required to embed data protection policies and procedures into its operations.
GDPR legislation applies to all organisations operating in the EU that handle personal information. No exceptions are made for volunteer organisations such as the APEEE. GDPR compliance is an organisational responsibility, separate from any personal responsibility of individuals. If an organisation fails to manage personal information in compliance with GDPR, it can lead to fines of up to 4% of turnover, i.e. for the APEEE €260,000. The APEEE's commitment to keeping all parent and pupil personal information secure is outlined in the APEEE's Privacy Statement, available on the APEEE website, and is referenced when parents join the APEEE or become APEEE class representatives.
The APEEE started a project on GDPR compliance in 2017, led by two Board members who were involved in GDPR in their professional lives. Part of this project is ensuring all staff and all Board members are aware of the APEEE’s GDPR obligations and commit to following these with respect to any personal information they receive via the APEEE. For staff, this is managed by their employment conditions; for Board members, through the GDPR Confidentiality document. As a great deal of personal information passes through email, APEEE email accounts for Board members were introduced to ensure this information is treated securely, in compliance with GDPR. Prior to this, Board members just used their own email accounts.
Confidentiality is included in this document in addition to GDPR because some of the information the APEEE is given is provided on the basis that the APEEE keeps it confidential. This includes all preparatory documents for the Board of Governors and the important meetings of the European Schools’ system, as well as certain documents for the Woluwe School Admin Board meetings which are of a sensitive nature. This is only a very small proportion of the documents the APEEE deals with, but failure to respect the confidentiality requested by the Office of the Secretary General, the school Directors or whoever shares the document with the APEEE will result in the APEEE not receiving such information in the future. This will prevent the APEEE from participating in discussions on those topics and so restrict its ability to do its job of representing the interests of parents. On a number of occasions, the APEEE has struggled to get hold of key information because the school management or the Office of the Secretary General were concerned confidentiality would not be maintained. There have also been cases where Board members, ex-Board members or parent volunteers have leaked sensitive information to other parties or have threatened to do so. The GDPR Confidentiality document addresses these situations.
The document is similar to other such documents used by organisations across the EU. All staff working for the EU institutions are required to make similar commitments to GDPR and confidentiality – it is entirely normal and contains no provisions or requirements that will not be found in similar documents in other organisations. The document was prepared for the APEEE by our lawyers, experts in AISBL law and well versed in the European School set-up.