This is a topic that regularly comes up when we’re advising clients, so we thought this would be a good opportunity to set out the legal considerations.
First, the Freedom of Information (FOI) implications (if your organisation isn't caught by FOI feel free to skip ahead to the next section).
The Information Commissioner's Office recently published a blog post and updated its FOI guidance making it absolutely clear that information in private communication channels is covered by FOI when those channels are used for official business. "Communication channels" is wider than email and would also include WhatsApp, Facebook Messenger, text messages etc.
The ICO stresses the importance of having appropriate IT provision for staff. As working arrangements become more agile, staff should not need to resort to using non-corporate communication channels and personal devices in order to do their job.
There are also data protection considerations around the use of non-corporate communication channels. As regular readers will know, information security is a high-risk area of data protection compliance, so let's start there.
The UK GDPR requires that organisations have appropriate technical and organisational measures in place to keep personal data secure. If a member of staff (or a volunteer such as a trustee) uses an email account or messaging app that was not issued by the organisation, it will be more difficult to ensure compliance because your organisation has far less control over the security measures in place for those accounts.
Another challenge presented by staff using non-corporate email accounts is how to respond to individuals exercising their rights. The most commonly exercised right is the right of access - known as making a subject access request (SAR). Under this right the individual is entitled to a copy of their personal data (subject to certain exemptions). If the individual's personal data is held on non-corporate communication channels it might be more difficult to fully comply with your obligation to carry out a reasonable and proportionate search for their personal data.
There are other data subject rights which, although less commonly exercised, still require your organisation to have ready access to the individual's personal data. For example, the UK GDPR gives individuals, in certain circumstances, the right of erasure (ie the right to have their personal data deleted).
Our recommendation is to prohibit staff (and volunteers) from using personal communication channels and for this to be included in your policies and training. This will make compliance with FOI and data protection law easier for your organisation to manage.