Imagine this scenario; a manager is concerned about a highly IT savvy employee who knows their password, so is uncomfortable dealing with HR or gaining legal advice using their work email address. The manager gives out their home or personal email address to the relevant people and switches to using this for any communications about a particular individual. This could be around a potential redundancy situation or managing the persons sickness absence or any other day-to-day issue. Later on in the process relations with this individual have deteriorated or they’ve been offered a Settlement Agreement under a Protected Conversation. They then issue the employer with a Data Protection Subject Access Request under section 7 of the 1998 Act. As part of making that request they make it clear that they want any email correspondence that has been sent by their manager to HR in the last six weeks. They make it clear that they believe the manager might use their personal email address to conduct your organisation’s business. Does your organisation have a duty to attempt to access that private email address in order to make the Subject Access Request?
If the manager has been sending emails to other staff internally from that account then you may well already be in receipt of the data in any event. So in this example, HR may be in receipt of an email from the line manager from that personal email address which is on the company’s system and is going to be personal data that is potentially disclosable under section 7 unless one of the exemptions applies.
You’re not going to be expected to in the ordinary course of things look at anybody’s personal email accounts but in circumstances where somebody has been using an external account to conduct your business then the Information Commissioner makes it clear on their website that they would expect you to include in your search and presumably, reasonably instruct the line manager to cooperate in disclosing anything that has been sent from that personal email account.
The line manager who thinks they’ve done the right thing in moving their data to this mode of operating in order to create greater privacy is unlikely to realise the implications of what they have done. This is the sort of thing that tends to come out when we conduct Data Protection Act training. If you would like further information about the training packages we offer please contact firstname.lastname@example.org.