
The Risks of Using Non-Corporate Email Accounts for Work

on Tuesday, 21 December 2021.

You may have seen it reported in the press that some politicians have been using private communication channels for work.

This is a topic that regularly comes up when we’re advising clients, so we thought this would be a good opportunity to set out the legal considerations.

Freedom of Information

First, the Freedom of Information (FOI) implications (if your organisation isn't caught by FOI, feel free to skip ahead to the next section).

The Information Commissioner's Office recently published a blog post and updated its FOI guidance, making it absolutely clear that information in private communication channels is covered by FOI when they are used for official business. The term "communication channels" is wider than email and would also include WhatsApp, Facebook Messenger, text messages etc.

The ICO stresses the importance of having appropriate IT provision for staff. As working arrangements become more agile, staff should not need to resort to using non-corporate communication channels and personal devices in order to do their job.

Data Protection

There are also data protection considerations around the use of non-corporate communication channels. As regular readers will know, information security is a high-risk area of data protection compliance, so let's start there.

The UK GDPR requires that organisations have appropriate technical and organisational measures in place to keep personal data secure. If a member of staff (or a volunteer such as a trustee) uses an email account or messaging app that was not issued by the organisation, it will be more difficult to ensure compliance because your organisation has far less control over the security measures in place for those accounts.

Another challenge presented by staff using non-corporate email accounts is how to respond to individuals exercising their rights. The most commonly exercised right is the right of access - known as making a subject access request (SAR). Under this right the individual is entitled to a copy of their personal data (subject to certain exemptions). If the individual's personal data is held on non-corporate communication channels it might be more difficult to fully comply with your obligation to carry out a reasonable and proportionate search for their personal data.

There are other data subject rights which, although less commonly exercised, still require your organisation to have ready access to the individual's personal data. For example, the UK GDPR gives individuals, in certain circumstances, the right of erasure (ie the right to have their personal data deleted).

Take Action

Our recommendation is to prohibit staff (and volunteers) from using personal communication channels and for this to be included in your policies and training. This will make compliance with FOI and data protection law easier for your organisation to manage.


For more information on this complex issue, please contact Claire Hall in our Information Law team on 0117 314 5279.
