Date: February 2019
Public officials’ use of personal e-mail accounts for public business has unfortunately given rise to allegations that they must be trying to hide something from public scrutiny. Questions have also been raised as to whether by using a personal account or server, the government official had properly secured private or sensitive government data.
In Minnesota, many elected local officials have a choice between using a government entity-provided or a personal e-mail account for conducting government business. Whether officials should use government-entity or personal e-mail accounts for official business is ultimately a policy decision for the governing body and the elected official.
When making this decision, there are a few issues to keep in mind. (These considerations also apply to employees using personal e-mail accounts for government business.)
Data Retention and Retrieval
The Minnesota Government Data Practices Act (MGDPA), as well as the government entity’s records retention schedule, generally apply to e-mails involving government business regardless of whether the e-mails are in a government-entity or a personal e-mail account.
Under the MGDPA, government data is defined as all data collected, created, received, maintained or disseminated by government entities. The MGDPA does not define government data based upon where that data is stored or its format (paper or electronic). Rather the definition of government data relies on whether it involves the operations of the government entity.
When a valid request for government data is made, the government entity has an obligation to provide access to that data, regardless of whether it is stored on the entity’s computer system or its official’s personal e-mail account. Failure to provide access to government data when legally required could be a violation of the Data Practices Act.
Likewise, any litigation holds1 or litigation discovery requests2 would apply to e-mails involving a certain matter regardless if it is stored on a personal computer/e-mail or government computer/system.
Under the Official Records Act (Minn. Stat. § 15.17) and the Records Management Act (Minn. Stat. § 138.17), government entities and officials must make and preserve all records necessary to a full and accurate knowledge of their official activities. A government entity can only destroy official records pursuant to the timelines found in the entity’s approved records retention schedule.
Under these Acts, a board member using a private e-mail account has an obligation to retain and transfer any e-mail messages and attachments that are official records to the government entity for storage and retention. Board members should work with the county’s responsible authority to understand the types of e-mails that may be considered an official record. Similarly board members should work with the responsible authority and IT department on a process to transfer e-mails that are official records for storage and retention.
Data retention and retrieval can be more challenging when government and personal data is commingled in one e-mail account. This can make it more difficult for the government entity to respond to a Data Practices Act or discovery request, or to secure data for records retention or a litigation hold. It can also be more inconvenient and cumbersome for the owner(s) of the account.
Board members using personal e-mail accounts should be aware that they may need to give government entity staff, its attorneys and/or the courts access to the official data in that account, and possibly the account itself under certain circumstances, such as a litigation hold or discovery request. This can be particularly challenging if the personal e-mail account is used for more than just official government business.
Data Privacy and Security
Board members using personal e-mail addresses should be aware and take affirmative action to ensure the privacy and security of the government data, particularly if receiving private data (such as personnel data) or attorney-client privileged communications. This may include confirming that the e-mail service provider has appropriate safeguards in place to avert security breaches.
Board members should also ensure no one has access to their e-mail accounts. Sharing an e-mail account with a spouse or another individual may raise questions about whether that individual can access data that he or she has no legal right to view or whether attorney-client privilege has been waived.
As a best practice, all accounts should have strong passwords and follow the government entity’s policies and practices for data security.
Outside Employer’s E-mail
Using an outside employer’s e-mail account for government business may be similarly problematic.3 Many businesses have policies or work under the presumption that all data housed in their accounts or servers can be viewed or accessed by management. There could be a violation of the MGDPA if the outside employer views private government data, even if it is on the employer’s e-mail server.
If a personal or outside employer’s e-mail account is hacked or otherwise viewed by someone who should not have access to the government data, the board member or official should immediately notify the government entity’s administrative staff, legal counsel and information technology department. The government entity may need to investigate and take appropriate measures if a violation of the Data Practices Act or a data breach has occurred.
Board members who use their outside employer’s e-mail address for government business should be prepared to instruct their employer to suspend routine business operations, such as automatic e-mail deletion, or to provide access to the employer’s e-mail account if there is a government entity litigation hold or records request. If an outside employer would be unwilling to do this, the board member should strongly consider using a government entity or personal e-mail account for government business.
It’s a Policy Decision
The decision of whether to use government entity, personal or outside employer e-mail accounts for official government business is ultimately a policy decision for the governing body. MCIT recommends discussing the topic thoroughly with legal counsel. Ultimately, some board members may prefer to have a government entity e-mail address because it is easier and more secure to keep official government business separate from personal correspondence in the event that there is a data practices request or litigation.
More information about the use of personally owned technology for government business can be found in the MCIT Resource Employee-owned Technology in the Workplace.