Parent WhatsApp Groups and GDPR liability for administrators


A recent Q&A discussion between Chris King, CEO IAPs and a specialist data protection lawyer - suggested that parents administering Class, Year or PTA WhatsApp groups are likely to qualify as “data controllers” and could therefore have legal responsibility, and potential legal liability, for managing personal data shared within these groups. 

Parents administering these groups become data controllers because they decide what personal data to collect, and how and why it is processed. There is an exemption under GDPR for processing personal data “in the course of a purely personal or household activity”. However this wouldn’t apply to WhatsApp class or year groups.

As a data controller, a parent Class or Year Group rep needs to ensure they are collecting and managing personal data in a responsible, secure manner. This can be difficult with WhatsApp as there is no systematic way of validating who has joined a group; members can remain relatively anonymous, and group membership can become difficult to manage over time. 

Data controllers also need to be able to meet very specific GDPR requirements, for example complying where needed with:

  • Subject Access Requests - where a parent has the right to see what personal data is held on them within the system Right to Erasure Requests, also known as “right to be forgotten” - where a parent or “data subject” can request that all data held on them is deleted.
  • Data controllers also need to recognise where a data breach has occurred, involving unauthorised disclosure or access to personal data, and know what to do about it. This could include reporting a material breach to the relevant data protection agency (in the UK the Information Commissioner’s Office) within 72 hours. 

The WhatsApp messaging platform is not set up to allow data controllers to meet these legal requirements. This is for a simple reason - WhatsApp’s own T&Cs restricts users to personal use - which may exclude using the system to set up school class or year groups. Where users are in breach of these T&Cs, there may be little obligation for WhatsApp to help users comply with GDPR.  

Parents administering WhatsApp groups may feel that because other parents have agreed to join a group and share their personal data, there is no need to comply with GDPR - they are somehow exempted. This is not correct. Many data controllers, whether individuals or businesses, manage information which has been voluntarily shared by users. This does not diminish their legal obligations. 

Parents may consider the real world legal risks of administering WhatsApp groups are small. However, other complications can arise. Groups can be helpful but can also amplify misleading or scurrilous information. Occasionally more serious issues arise with abusive comments, safeguarding challenges where inappropriate information is shared about children, or bullying. In such cases the aggrieved party may insist that material is removed, or may wish to escalate matters. If the Data Controller running the group is unable or unwilling to help (for example deleting comments on WhatsApp can be difficult) this can lead to complications. These situations can cause unnecessary stress to families, tie up a lot of time, and in extreme cases could lead to legal implications for those administering WhatsApp groups.

In conclusion, parents acting as Class or Year group reps should be aware that they are taking responsibility for other people’s personal data. They are likely to qualify as data controllers and have an obligation to manage and protect this in compliance with GDPR. WhatsApp is a convenient, readily available platform, but current legal advice is that it is unlikely to offer appropriate levels of protection and should not be used for this purpose.

Book a demo 

Register for one of our demonstrations now to see how Classlist Schools provide a safe and legal way for parents to communicate and engage with other parents.

Book a demo

Or if you prefer book a private meeting now.