In our experience many trusts do not realise that staff and governors using their personal email addresses for governing body work raises data protection risks until it is too late.
Your trust must take measures to keep personal data secure. This is the case under the current Data Protection Act (DPA) and under the GDPR. If you permit staff and governors to use personal email accounts, it is unlikely that you are doing enough to safeguard personal data.
Many households share computers or email accounts. In addition, home computers often remember passwords. All of this means that there is a risk of access to trust data by family members or, worse still, by anyone who gains unauthorised access to the computer either by theft or 'hacking'. In addition, personal email accounts will often 'sync' with other devices by default. This means that an email saved to a governor's personal smartphone may also appear on their PC, tablet and on their online 'cloud' account.
Under both the DPA and the GDPR, individuals have rights in their personal data. The most commonly exercised of these rights is the right of subject access. If an individual makes a subject access request (SAR), your trust is obliged to provide them with a copy of their personal data, subject to various exemptions.
Responding to a SAR will involve carrying out extensive searches for the requester's personal data and in many cases this will involve searching emails. If you know that staff and governors use email addresses which do not belong to the trust for work reasons, and you have good reason to believe that the requester's personal data might be held on a non-trust email account, then you are obliged to consider the contents of these email accounts when responding to the SAR.
This raises a number of issues. First, if a governor uses an email account which belongs to their employer, that employer is unlikely to provide your trust with access to the email account to carry out searches. Secondly, if a staff member or governor is away for the holidays, you may need to carry out urgent searches of their emails in their absence, and this will not be possible on a non-trust email account. This becomes problematic as there is a strict timeframe for complying with a SAR. Under the GDPR the timeframe is one month in most cases.
There are four key measures to take: