Your school must take measures to keep personal data secure. This is the case under the current Data Protection Act (DPA) and under the GDPR. By permitting staff and governors to use personal email accounts, it is unlikely that you will be doing enough to safeguard personal data.
Many households share computers or email accounts. In addition, home computers often remember passwords. All of this means that there is a risk of access to school data by family members or, worse still, by anyone who gains unauthorised access to the computer, whether by theft or by hacking. In addition, personal email accounts will often 'sync' with other devices by default. This means that an email saved to a governor's personal smartphone may also appear on their PC, their tablet and their online cloud account.
Under both the DPA and the GDPR, individuals have rights in their personal data. The most commonly exercised of these rights is the right of subject access. If an individual makes a subject access request (SAR), your school is obliged to provide them with a copy of their personal data subject to various exemptions.
Responding to a SAR will involve carrying out extensive searches for the requester's personal data, and in many cases this will mean searching emails. If you know that staff and governors use email addresses which do not belong to the school for school purposes, and you have good reason to believe that the requester's personal data might be held on a non-school email account, then you are obliged to consider the contents of these email accounts when responding to the SAR.
This raises a number of issues. First, if a governor uses an email account which belongs to their employer, that employer is unlikely to provide your school with access to the email account to carry out searches. Second, if a staff member or governor is away for the holidays, you may need to carry out urgent searches of their emails in their absence, and this will not be possible on a non-school email account. This becomes problematic because there is a strict timeframe for complying with a SAR. Under the GDPR the timeframe is one month in most cases.
There are four key measures to take: