
Does Your School Prevent Staff and Governors from Using Their Personal Email Addresses?

on Monday, 09 October 2017.

This is a data protection issue which is not often appreciated by schools. In our experience, many schools do not realise, until it is too late, that staff and governors using their personal email addresses for school work raises data protection risks.

Information Security 

Your school must take measures to keep personal data secure. This is the case under the current Data Protection Act (DPA) and under the GDPR. By permitting staff and governors to use personal email accounts, it is unlikely that you will be doing enough to safeguard personal data.

Many households share computers or email accounts. In addition, home computers often remember passwords. All of this means that there is a risk of access to school data by family members or, worse still, by anyone who gains unauthorised access to the computer either by theft or hacking. In addition, personal email accounts will often 'sync' with other devices by default. This means that an email saved to a governor's personal smartphone may also appear on their PC, tablet and on their online cloud account.

Data Subject Rights

Under both the DPA and the GDPR, individuals have rights in their personal data. The most commonly exercised of these rights is the right of subject access. If an individual makes a subject access request (SAR), your school is obliged to provide them with a copy of their personal data subject to various exemptions.

Responding to a SAR will involve carrying out extensive searches for the requester's personal data and in many cases this will involve searching emails. If you know that staff and governors use email addresses which do not belong to the school for school work reasons, and you have good reason to believe that the requester's personal data might be held on a non-school email account, then you are obliged to consider the contents of these email accounts when responding to the SAR.

This raises a number of issues. First, if a governor uses an email account which belongs to their employer, that employer is unlikely to provide your school with access to the email account to carry out searches. Secondly, if a staff member or governor is away for the holidays, you may need to carry out urgent searches of their emails in their absence, and this will not be possible on a non-school email account. This becomes problematic as there is a strict timeframe for complying with a SAR. Under the GDPR the timeframe is one month in most cases.

Steps to Take

There are four key measures to take:

  1. Provide all of your governors with school email addresses.

  2. Include a prohibition on using personal email addresses for school work in a staff policy (such as an information security policy) and make it clear to staff that they face disciplinary action if they breach this policy.

  3. Train your staff and governors on the importance of keeping information secure, which includes only using their school email account.

  4. Provide the technology to enable staff and governors to access their school email address securely when using personal devices (e.g. mobile device management).

If you would like to discuss how we can assist with your school's information security measures and preparations for the GDPR, please contact Andrew Gallie, in our Data Protection team, on 0117 314 5623 or Claire Hall on 0117 314 5279. 
