Do governors need school email addresses under GDPR?

There is no specific requirement in the UK General Data Protection Regulation (UK GDPR) that means governors must use school email addresses instead of their personal email accounts. (UK GDPR is just the new name for GDPR after Brexit.)

However, it is usually good practice for governors to use a school email address. One exception to this is when using a service like GovernorHub, which I discuss below.

Here is the advice from Warwickshire local authority, who strongly recommend giving school email accounts to all governors and clerks.

“GDPR does not specifically require governors to use a school email account when communicating on governing board matters.

“However, the GDPR does mean governors/clerks should be doing everything in their power to prevent a breach of personal data. This means the use of secure school email accounts by all governors/clerks is strongly advised.”

Warwickshire LA

The demands of GDPR apply to both maintained schools and academies, so this advice also applies to academy trustees and local governors. The law firm Browne Jacobson agree that it is sensible for governors to use school emails because they discuss sensitive topics that could include personal data.

“That would be good practice, yes. From a data protection viewpoint, it is only the security of personal information that would be of interest to the Information Commissioner’s Office (ICO), but given the sensitive nature of governor email conversations and minutes, it is sensible for all email traffic to come from school email addresses.”

Browne Jacobson

What are the advantages of school email accounts?

Firstly, if all governors use a school email address, the school can control which email provider is used (eg: Gmail, Outlook etc) to ensure they choose a reputable, secure service.

Keeping personal and school emails separate also helps governors keep their address books and contacts separate, reducing the chances of accidentally emailing confidential information to someone from outside the school. It also ensures that governors do not use email accounts they may share with family members.

“As a governor, the personal data you send over email must be kept secure. Using a secure school email address will help you to meet the GDPR requirement to prevent a data breach and respond to subject access requests quickly.”

Warwickshire LA

Dealing With Subject Access Requests

If a subject access request (SAR) or freedom of information request is received, school email accounts can be searched easily, without asking governors to trawl through their private accounts.

“Responding to a SAR will involve carrying out extensive searches for the requester’s personal data and in many cases this will involve searching emails.

“If you know that staff and governors use email addresses which do not belong to the school for school work reasons, and you have good reason to believe that the requester’s personal data might be held on a non-school email account, then you are obliged to consider the contents of these email accounts when responding to the SAR.”

VWV Solicitors

Using school accounts also ensures the governing body has access to the emails if the governor resigns, is removed from the board or is unwell. SARs must be responded to within one calendar month.

Many schools set up permanent email addresses like chair@school.com that can be passed on to the new chair of governors. This avoids data being inadvertently sent to chairs or clerks who have left the school and saves time because the new chair does not have to register anew for services like The Key, the National Governance Association or the school intranet.

Do we need school email addresses if we use GovernorHub?

Probably not, no. GovernorHub is a paid service that lets governing bodies store all their agendas, minutes and documents online, as well as providing a noticeboard to allow governors to communicate.

GovernorHub say that because their system eliminates the need for governors to send email attachments and all data is stored securely in their encrypted database, it doesn’t matter whether governors use personal email addresses or not.

“There is no mandate which says governors must have school email addresses – although many schools do provide one for governors.

“As GovernorHub is a secure system, governors and schools can use any email address to login. All of your documents are kept securely in the encrypted GovernorHub database and the email notifications only contain links to the documents, which will only work for authorised users on the board.

“Therefore as long as you refrain from putting personal data in the body text of the noticeboard posts, then it doesn’t matter what email addresses the governors and headteacher are using, because they are not receiving emails which contain personal data.

“If a board is using GovernorHub then the GDPR benefits of using school-specific email addresses are minimal. GovernorHub security remains strong no matter where the email notifications end up.”

GovernorHub

In fact, if all governing body documents are stored inside GovernorHub then the governor’s email address is only being used as a username to log in to the website.

They are not storing any documents inside their own email account or on the servers of their email provider and they are not sending documents in attachments. The only emails they receive contain links to their password-protected storage on GovernorHub.

Governors and clerks should still use a strong password to log in to GovernorHub, of course, but whether they use a personal or school email address to log in really makes no difference.

Does GDPR still apply after Brexit?

Yes. The original regulations came from EU law. However, the UK implemented GDPR through the Data Protection Act 2018 and this Act is still in force. Our version of GDPR is now known as “UK GDPR”.

Both maintained schools and academies must follow the UK GDPR because they are public authorities that process personal data.

There are minor changes to the rules since Brexit, but these changes are unlikely to apply to schools.

“The EU GDPR is an EU Regulation and it no longer applies to the UK. The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.

“In practice, there is little change to the core data protection principles, rights and obligations.”

Overview – Data Protection and the EU (Information Commissioner’s Office)

You can see the amended text of UK GDPR in a document called the GDPR Keeling Schedule. A Keeling Schedule is an unofficial record of the amendments made to a law. Unfortunately, there is no official copy of UK GDPR to be found yet on legislation.gov.uk.

A Quick Guide to UK GDPR

The purpose of UK GDPR is to protect personal data. This means any information which could directly or indirectly identify a living person, including information that could identify you online.

What Is Personal Data?

Personal data could include:

  • your name
  • an ID number, eg: a national insurance or NHS number
  • your address or location
  • genetic data (eg: a fingerprint)
  • ways to identify you online such as an IP address or cookies
  • data from a special category which is more sensitive, eg: medical records, data on ethnic background, sexual orientation or religion.

The regulations cover all personal data collected by schools, so that includes data on staff, volunteers, pupils, parents and governors.

Seven Key Principles Of GDPR

  1. Personal data must be processed in a way that is lawful, fair and transparent.
  2. The purposes of processing must be specified, explicit and legitimate.
  3. Data must be adequate, relevant and not excessive.
  4. Data must be accurate and kept up to date.
  5. Data must be kept for no longer than is necessary.
  6. Data must be processed in a secure manner.
  7. Accountability. (Data controllers and processors are responsible for the data they hold.)

Six Lawful Reasons To Process Data

  1. A person has given consent for the processing of their personal data for one or more specific purposes.
  2. Processing is necessary under a contract involving that person.
  3. Processing is necessary to comply with the law.
  4. Processing is necessary in order to protect the vital interests of that person or someone else.
  5. Processing is necessary in the public interest or in the exercise of official authority.
  6. Processing is necessary for the purposes of the legitimate interests of the controller or a third party.