Data protection legislation gives a ‘data subject’ (a person who can be identified by reference to personal data held by an organisation) a right to access a variety of data held by that organisation concerning them, such as why the data is being held, who it has been disclosed to and how long the data will be stored for. These requests are known as subject access requests (SARs).
Data protection has become an ever-increasing administrative burden on charities, with handling SARs now a routine part of a charity’s administration. Charities should be aware that sufficient procedures need to be followed in respect of emails sent by and to trustees to ensure a charity can demonstrate that personal data:
- Has been processed lawfully and fairly;
- Is kept for a specified legitimate purpose;
- Is not excessive;
- Is accurate and up to date;
- Is kept for no longer than necessary; and
- Is kept secure.
By avoiding some of the most common mistakes with trustees’ email management processes, dealing with SARs can be made less painful (though please note that SARs can apply to much more than just emails).
Email has become the main method of communication across all sectors. The amount of email traffic that comes through our inboxes on a daily basis can be extremely high. When we are working fast to get emails off our virtual desk, it is not uncommon to send an email to the wrong person. Even in the intimidating new world of cyber-attacks, the Information Commissioner’s Office still report that one of the most common causes of personal data breaches is a misdirected email.
There are some useful tips you can follow to avoid this:
- Turn off “autocomplete”: although this feature was built with the best intentions (to avoid typos in email addresses), it can have the unintended consequence of completing the address you are typing with that of someone you did not intend to send the email to, particularly if they share the same first name.
- Put a delay on emails you send: more often than not, you will realise that you have sent an email to the wrong recipient within the first few seconds of hitting the send button. A delay on your emails can give you enough time to recall that message before it leaves your outbox.
Perhaps the most common mistake trustees make is to use their own personal email addresses to send and receive emails in their capacity as charity trustees. Whilst there are no laws prohibiting a trustee from using their personal email address, allowing this practice can expose a charity to undue risk as the charity will have no control over that personal email account. Trustees should use a dedicated email address under the charity’s domain name, for the following reasons:
- Security: the email provider of a personal email account may experience a data breach, meaning that sensitive information of the charity (such as personal data) could be leaked.
- SARs: dealing with a SAR becomes much more difficult. If a trustee has been using an external email provider, a charity will be reliant on that trustee allowing them access to their personal email account. This raises questions about who is in control of the personal data in those emails and becomes difficult to manage when a trustee is no longer in office.
You might wonder why retaining emails is a problem – after all, it can be useful to refer back to emails as a record of a charity’s activities.
However, the more emails a charity retains, the greater the charity’s risk exposure. Furthermore, a charity has a duty to ensure that personal data which is no longer needed for a given purpose is erased, so retention of historic emails containing personal data could cause problems with the charity’s data protection compliance.
Charity trustees should carry out regular clear-outs of their emails. Automatic email deletion software can also be used to delete emails in trustees’ inboxes after a certain period of time, which is a pragmatic solution to the issue.
We are all guilty of occasionally being colloquial in our email tone, depending on the recipient of the email: perhaps you have added a line at the end of your email to a colleague about the weekend’s football scores; or have commented on your irritation towards a particular volunteer in an email about them.
Whilst you might normally send such an email without a second thought, it is vital to remember that the email may, in the future, need to be disclosed to a data subject following a SAR. Your comment about your irritation towards the volunteer then becomes much less amusing, especially to them.
Trustees should stay professional in tone in any emails which they are sending in their capacity as trustees to avoid any embarrassing moments in the future.