Blog

Services
People
News and Events
Other
Blogs

Beware of using personal email accounts for business

View profile for Rachel Easton
  • Posted
  • Author

The Department for Health and Social Care (DHSC) has found out the hard way that using your private email account for work is risky business!  

What’s the background?

Following recent revelations that Mr Hancock had an affair with his aide, Gina Coladangelo, he - along with some other senior officials at the DHSC, now face accusations of using their private email accounts to conduct government affairs during the Covid-19 pandemic.  

While the use of a private email account does not in itself break data protection laws, Elizabeth Denham, the information commissioner, was concerned that information in private email accounts is being overlooked, auto deleted or otherwise not made available.  A formal investigation into the DHSC is now underway.

What has this got to do with my business?

While there are key elements to this that can be explored by looking at ministerial guidelines, there are important aspects to highlight from an employment / data protection viewpoint.  In this article I’ve considered the impact a private email account can have when you receive a Data Subject Access Request (DSAR) in the two following scenarios:

1.You receive a DSAR – you do not allow your employees to conduct business via private email accounts

The ICO does not expect employers to instruct employees to search their private email accounts in response to a DSAR, unless that employer has a good reason to believe they are holding relevant personal data.

2.You receive a DSAR – you allow your employees to conduct business via private email accounts

Depending of course on what personal information the individual has requested, in this context, the employees may be processing that data on your behalf, in which case it may then be within the scope of a DSAR you receive. 

Private email accounts can therefore fall within the scope of responding to a Data Subject Access Request - meaning that you may need to instruct your employees to search their private emails in order to comply with the request!

Next time … How do I minimise the risks?

We are seeing more and more clients asking for advice in this area, so to help you start thinking about how you might counter some DSAR dilemmas we’ll be putting together some best practice guidance in our next newsletter.


If you need further support with DSARs or data protection queries please get in touch for a friendly chat about your needs.