GDPR playgroup advice

[flowerpothead]

Please could someone who knows about GDPR give me a bit of advice. I help organise a playgroup. I always send out the rota to all our volunteers (approx 8 of us) jointly so we all have each other’s emails to arrange swaps, shopping for tea bags etc! My PTA chair friend kindly pointed out this probably falls foul of GDPR. Can I email each person and ask for their consent to do this then it’s ok? I don’t really want another app as email works really well for this. Thanks!

Consent is (more than) fine!

Is the concern that you're sharing everyone's email addresses?

You can just put all the email addresses in the bcc , instead of the 'to' or 'cc' fields, or, set up a distribution list.

It's also better in terms safety from viruses as one of the ways they work to spread is by finding email addresses from email headers.

It’s legitimate cause for contact, so no consent needed?

Consent is not the only lawful basis for processing personal information, there are six. Your lawful basis for processing could be legitimate interest rather than consent.

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

It might be a good idea to have a statement, maybe at the bottom of the message, saying the reasons for sharing everyone's email addresses.

Ive used the bcc approach for the last 3 years (re an annual collection for a teacher), to ensure nobody is given other people's email addresses.

I also request in italics at the foot of the email Please let me know if you do not want me to contact you about this anymore and I'll remove you from this distribution list. Nobody has, but the offer is always there.

That covers things from the perspective of opt in and not sharing people's contact details without their permission. I also have all my devices password protected to cover against loss or theft.

It might be a good idea to have a statement, maybe at the bottom of the message, saying the reasons for sharing everyone's email addresses.

That breaches GDPR. You shouldn't be telling people why you're distributing their email address without their permission. Using the bcc field means nobody gets to see others' email address in the first place.

Thank you for all your replies! Very helpful. So is it not acceptable to share emails (not BCC) within the group if I get consent from everyone? We help in random pairings so it’s helpful for everyone to have everyone else’s emails and means admin is shared amongst us all.

Honestly, it’s volunteers at a playgroup! Just cover yourself by getting permission, op, but being told you’re breaching GDPR is ridiculously hysterical.

If you have consent you can definitely share emails. Even without consent it may be ok to do so on the basis that there is a legitimate interest, but you would still have to remove the email address of anyone who objects to their address being shared with other volunteers.

Honestly, it’s volunteers at a playgroup! Just cover yourself by getting permission, op, but being told you’re breaching GDPR is ridiculously hysterical

You clearly don't understand the principles of GDPR. Volunteers at a playgroup are live humans. Every live human has exactly the same rights under GDPR, be they a helper in a nursery or a Senior Executive in a merchant bank employing 50,000 people. Rights to privacy are universal, so it is not being hysterical to be concerned. It just needs to be handled in a commensurate way, which still involves seeking consent.

Plus, importantly anyone who has already given consent has the ongoing right under GDPR to withdraw their consent whenever they choose. In this specific case of the volunteer team, if someone withdraws consent to use of their email, it may be a pragmatic solution for them to set up a dedicated [volunteername]@hotmail.co.uk address which segregates their communications if they don't want people using their personal email address.