Risks of Using Personal Email for Government Business

In the past, public officials’ use of personal email accounts for public business has unfortunately given rise to allegations that they must be trying to hide something from public scrutiny. Questions have also been raised as to whether by using a personal account or server, the government official had properly secured private or sensitive government data.

Whether officials should use government-entity or personal e-mail accounts for official business is ultimately a policy decision for the governing body and the elected official. When making this decision, there are a few issues to keep in mind. (These considerations also apply to employees using personal e-mail accounts for government business.)

Data Retention and Retrieval

The Minnesota Government Data Practices Act (MGDPA), as well as the government entity’s records retention schedule, generally apply to e-mails involving government business regardless of whether the e-mails are in a government-entity or a personal e-mail account.

Under the MGDPA, government data is defined as all data collected, created, received, maintained or disseminated by government entities. The MGDPA does not define government data based upon where that data is stored or its format (paper or electronic). Rather the definition of government data relies on whether it involves the operations of the government entity.

When a valid request for government data is made, the government entity has an obligation to provide access to that data, regardless of whether it is stored on the entity’s computer system or its official’s personal e-mail account. Failure to provide access to government data when legally required could be a violation of the Data Practices Act.

Likewise, any litigation holds¹ or litigation discovery requests² would apply to e-mails involving a certain matter regardless if it is stored on a personal computer/e-mail or government computer/system.

Under the Official Records Act (Minn. Stat. § 15.17) and the Records Management Act (Minn. Stat. § 138.17), government entities and officials must make and preserve all records necessary to a full and accurate knowledge of their official activities. A government entity can only destroy official records pursuant to the timelines found in the entity’s approved records retention schedule.

Under these Acts, a board member using a private e-mail account has an obligation to retain and transfer any e-mail messages and attachments that are official records to the government entity for storage and retention. Board members should work with the entity’s responsible authority to understand the types of e-mails that may be considered an official record. Similarly board members should work with the responsible authority and I.T. department on a process to transfer e-mails that are official records for storage and retention.

Data retention and retrieval can be more challenging when government and personal data is commingled in one e-mail account. This can make it more difficult for the government entity to respond to a Data Practices Act or litigation-related discovery request, or to secure data for records retention or a litigation hold. It can also be more inconvenient and cumbersome for the owner(s) of the account.

Board members using personal e-mail accounts should be aware that they may need to give government entity staff, its attorneys and/or the courts access to the official data in that account, and possibly the account itself under certain circumstances, such as a litigation hold or discovery request. This can be particularly challenging if the personal e-mail account is used for more than just official government business.

Data Privacy and Security

Board members using personal e-mail addresses should be aware and take affirmative action to ensure the privacy and security of the government data, particularly if receiving private data (such as personnel data) or attorney-client privileged communications. This may include confirming that the e-mail service provider has appropriate safeguards in place to avert security breaches.

Board members should also ensure no one has access to their e-mail accounts. Sharing an e-mail account with a spouse or another individual may raise questions about whether that individual can access data that he or she has no legal right to view or whether attorney-client privilege has been waived.

As a best practice, all accounts should have strong passwords and follow the government entity’s policies and practices for data security.

Outside Employer’s E-mail

Using an outside employer’s e-mail account for government business may be similarly problematic.³ Many employers have policies or work under the presumption that all data housed in their accounts or servers can be viewed or accessed by management. There could be a violation of the MGDPA if the outside employer views private government data, even if it is on the employer’s e-mail server.

Board members who use their outside employer’s e-mail address for government business should be prepared to instruct their employer to suspend routine business operations, such as automatic e-mail deletion, or to provide access to the employer’s e-mail account if there is a government entity litigation hold or records request. If an outside employer would be unwilling to do this, the board member should strongly consider using a government entity e-mail account for government business.

If a personal or outside employer’s e-mail account is hacked or otherwise viewed by someone who should not have access to the government data, the board member or official should immediately notify the government entity’s administrative staff, legal counsel and information technology department. The government entity may need to investigate and take appropriate measures if a violation of the Data Practices Act or a data breach has occurred.

It’s a Policy Decision

The decision of whether to use government entity, personal or outside employer e-mail accounts for official government business is ultimately a policy decision for the governing body. MCIT recommends discussing the topic thoroughly with legal counsel. Ultimately, board members may prefer to have a government entity e-mail address because it is easier and more secure to keep official government business separate from personal correspondence in the event that there is a data practices request or litigation.

¹ A litigation hold is a written notice to employees, officials and other individuals instructing them to retain and not destroy any documents, data and other information related to an issue that is or may be subject to litigation.

² A discovery request permits a party in a lawsuit to demand that another party produce or permit inspection of documents or tangible items in its possession, custody and control. This could include a personal computer or e-mail account.

³“Outside employer” refers to another organization with which the public official is employed.

The information contained in this document is intended for general information purposes only and does not constitute legal or coverage advice on any specific matter.