With thanks to Bubbenhall Parish Council for permission to reprint
Date: 1 February 2024
Prepared by Tracie Ball, Clerk and RFO
Introduction:
Adopting GOV.UK email addresses for both the Clerk and Councillors may seem like an unnecessary administrative expense, especially for a small parish council. However, this report outlines the reasons for making this transition, which aligns with recommendations from the Information Commissioner’s Office (ICO) and the Joint Panel on Accountability and Governance, Practitioners’ Guide 2023 (JPAG).
ICO highlights the risks of using personal emails:
- Confidentiality and Integrity Risks:
  - Personal email accounts and devices pose risks to the confidentiality, integrity, and availability of personal data held by councils.
- Unintended Data Processing:
  - Use of personal devices increases the risk of personal data being processed for purposes different from the original collection, violating data protection principles.
- Data Accuracy and Retention Challenges:
  - Storing data on various devices raises the risk of outdated or inaccurate information, making it difficult to manage data retention appropriately.
- Security Concerns:
  - Processing data through personal email accounts or on privately-owned devices poses security challenges, necessitating robust technical and organisational measures.
- Accountability and GDPR Compliance Complexity:
  - The use of personal email accounts and devices complicates the demonstration of GDPR compliance, requiring effective organisational policies and processes.
JPAG Recommendations:
- Provide Official Email Accounts:
  - To comply with GDPR, councils should provide official email accounts for councillors, the clerk, and other officers.
- User Management for Compliance:
  - Ensuring the proper officer can manage member and staff email accounts is crucial for effective user management. Commercial ‘dashboard’ email and web systems are recommended for compliance with GDPR requests.
Conclusion:
It is important to recognise that the transition to GOV.UK email addresses aligns with the guidance of both the ICO and JPAG, ensuring data security, compliance with data protection regulations, and effective user management. Over time, the recommendation of having a GOV.UK email is expected to become a mandatory requirement.
Additional reading:
JPAG Guide (1.26 & 5.205 – 5.208) and ICO Fact sheet for councils: the use of personal email addresses and devices