Despite the availability of many other forms of electronic communication, email usage has never been higher, and it remains a key way of conducting business for charities. There are a number of risks and pitfalls to be aware of though when it comes to using email in your trustee duties for your church or charitable organisation.

1. Subject Access Requests

A data subject access request (SAR) can be made of your church or charity by an individual you hold data on. (Find out more about SARs and how to deal with them). A request could extend to the organisation’s emails. This includes emails which are sent from a personal email address (such as gmail or hotmail) if you use that address during the course of your trustee duties. You would therefore need to provide access to your personal email account, as such emails may contain personal data that the charity or church needs to provide in response to the SAR. Would you be prepared for this if an SAR was made?

2. Record retention and deletion

Emails often contain important information either in the body of the email or their attachments but what do you do with these emails? Having them sit in your inbox means they remain at risk from being forwarded on by mistake, and may also be subject to a SAR should you receive one. Best practice is to save important information from an email – ideally in a centralised information base (such as iCloud or SharePoint) if your organisation has one – and then delete the email once it is no longer needed. Please note that a SAR can cover items sitting in your deleted folder, but would not normally cover items that have been permanently deleted.

3. Record searchability

How many of us have spent hours trying to find an email containing some bit of information we need? Not only is storing important information in your inbox risky, but also impractical and time consuming when it comes to needing it. Storing it in a central information base is much less risky and more efficient, as (assuming you have a good system!) you will know exactly where to find the information you need.

4. Data breaches

Data breaches are breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Whilst they can happen even if you have a designated email domain for your organisation, the risk is greater and the control you have lower if using an external email provider. If that external provider experiences a data breach, the sensitive data contained in your trustee-related emails could be leaked. It may therefore be more secure to use the email address provided by your church or charity, if there is one.

5. Cyber attacks

Remote working and hastily drawn risk assessments have made the threat of cybercrime all the more apparent during the coronavirus pandemic. Charity trustees are increasingly being targeted as ‘big fish’ by cyber criminals, both as targets themselves, and as means of targeting others.

As personal email addresses are used for all kinds of online interactions and often connected to social media accounts, they generally suffer greater exposure to cybercriminals, and generally have less security attached to them than an organisation’s email. As a result, using a personal email address for your trustee duties could increase the risk of receiving and therefore falling for cyber scams. Using a recognised organisational email address can also provide greater protection and peace of mind for those coming into contact with your organisation – if you receive an email from us there is greater confidence that we are who we say we are; if it comes from a @gmail or @hotmail address for example, there is a greater danger that this could be a fake address, or a hacked personal account.

If your church or organisation has a website and you are worried about email addresses being visible, there are ways of protecting these which your website manager (if you have one) may be able to advise on, or you may want to use a contact form rather than present an email address.

See the NCSC Cyber Security Toolkit for Boards for further guidance to protect against cybercrime.

6. Operations

A final thing to be mindful of (and not just for trustees, but for members of staff or non-trustee church leaders) is having certain functions such as websites, social media accounts or licenses/subscriptions linked to a personal email address. If that person moves on, transferring access to another person is a lot more difficult. Does your church or organisation have a plan for when the person operating that function steps down and someone else needs to take over?

Support from Edward Connor Solicitors

We have a high level of expertise in data protection and want to help churches and Christian organisations navigate these tricky waters, that their gospel ministries might flourish.

Our GDPR Pack contains comprehensive guidance notes, template policies (including information security, record retention and data breach procedure), an extensive FAQs document and much more.

Please give us a call if you want to talk through your requirements and find out how we might be able to help you.

call us email us

This information has been provided by solicitors working for Edward Connor Solicitors. It is designed for the purpose of knowledge sharing only and does not constitute legal advice.