It is recommended, though it’s not an absolute requirement, that councillors should use a dedicated parish council email address for council business rather than their personal email addresses.
There are two main issues surrounding the use by individual councillors of private email addresses. The first is not so much to do with any legal requirements but rather the potential need to comply with a Freedom of Information request that requires the publication of email correspondence.
In 2017 the Information Commissioner’s Office published a guidance document on the implications of the Freedom of Information Act (FOIA) on official information held in private email accounts (copy attached). The document makes clear that “information is held by a public authority if— (a) it is held by the authority, otherwise than on behalf of another person, or (b) it is held by another person on behalf of the authority.” The document goes on to confirm that where information is held by another person on behalf of the public authority, the information is considered to be held by the authority for the purposes of FOIA, and that this applies to official business recorded in personal email accounts.
Where records are to be recovered from private email addresses it can be difficult to confirm that all records have been searched for relevant data and demonstrating compliance when data is held in personal email accounts could be difficult. Furthermore, deleting or concealing information with the intention of preventing its disclosure following receipt of a FOI request is a criminal offence under section 77 of FOIA.
However, it is also important to recognise that in relation to GDPR, the issue of ‘data sovereignty’ assumes significance and the Data Protection Act 2018, embodying GDPR, requires that all data stored on UK citizens must be stored in the EU where it is subject to European privacy laws, or within a jurisdiction that offers similar levels of protection; the USA, for example, is not deemed to have sufficient safeguards. If individual councillors amongst them have a multitude of different email accounts, and assuming that on occasions personal data may be the subject of email correspondence covering council business, it would perhaps be difficult to guarantee compliance.
It is largely for the above reasons that it is deemed preferable that councillors should dissociate council business from their personal email accounts and use an address set up by the council.
Should your council feel that changes to current arrangements are necessary, we would suggest an initial discussion with the council’s principal email provider to explore whether further email addresses can be added. It may also be possible to purchase additional email accounts from your domain provider.
We would further recommend that where emails are being viewed on personal devices (especially where these are shared with other family members) that the adoption of a “Bring your Own Device Policy” is considered, in line with recommendations from the Information Commissioner; see:- Bring your own device – what should we consider?