Who is allowed access/use of the Clerk's official email account?

Question

Is there something written down somewhere that only the Clerk should have access to their official email, i.e. no-one else should be able to send emails from that address etc? I  thinking in regard to GDPR regulations as well as issuing emails purporting to come from the Clerk.

Answer 1

Your council ‘should’ have dotgov email accounts usually as part of a service provision contract.
Your council ‘should’ also have an email / IT / communications strategy which sets out the conditions of use for corporate email.
That will ‘usually’ include conditions of use which state how, who, what official email should be used for and it ‘should’ explain that the user (whether that be staff or Cllrs) are provided the email facility under corporate conditions of use.
This is such old hat and long established procedure that it is frustrating to still hear of people NOT understand such basic operating procedures.
Your clerk is an employee - employees do what the employer requires.

Comments

Thank you for your reply. Our parish council is very small (precept less than £10,000) so we do not have the budget for official dotgov website and email accounts.  Instead the Clerk and Councillors all have dedicated gmail (or similar) accounts. There is no written email/IT/communications strategy which sets out the conditions of use for corporate email. I just wanted to know if it was illegal for a councillor to have access/send emails from the Clerk's corporate email address. I understand that the Clerk is an employee, and as such should do as the employer requires, but how can GDPR work if people who are not the Clerk are able to read all emails sent to the Clerk. Also, how can councillors and the general public be certain of who they are receiving emails from if people other than the Clerk are using the Clerk's corporate email address to send emails? Surely, this practice is illegal.

---

OK, understand a bit more now.
So, in the absence of dotgov emails, and as you describe, each individual has their own gmail account that is the source of many problems to come.

There is no corporate control over personal email accounts by virtue of them being set up and operated by the individual (I presume.)

On that basis, if 1 individual wants too give their login password to another individual (whether employee Cllr or Cllr Cllr or employee employee) there is nothing anyone can do about it.

There are restrictions about what a Cllr and an employee may do or pass off as being on behalf of the council but that is a bit of a tangent.

If you are operating on individual gmail accounts "issues" such as that which you describe are pretty much inevitable and pretty much unfathomable.

Its no use trying to solve the symptom without identifying the cause.

The symptom is potentially improper or irregular email use - the cause of the problem is the absence of an endorsed policy and proper corporate Email accounts.

It's really shouldn't be too expensive to set up a PC email account - how many Cllrs & staff are there?

---

At present I'm not worried so much about the council setting up a better email system. I just need to have some clarification about whether or not the Clerk allowing the Chair (or any other person) to have access to their official email account is a contravention of GDPR regulations irrespective of whether or not the council has put a policy in place. What is the point of setting up any secure email system if the person who gets the most sensitive mail allows somebody to not only access their account, but to send emails which because they come from the Clerk's address could be mistaken as having come from the Clerk?

---

Financial Regulations - if using the model from NALC states at 6.12:
No employee or Councillor shall disclose any Pin or Password relevant to the working of the council.... Seems strange to suggest that the e-mail would be used by anyone but the office holder (ie Clerk / RFO etc). In corporate world rather than Local Council its a breach (I work both Public and Private).

---

For ClerkingEssex - 6.12 whilst generally adopting the simple principles of IT security, in the context you are quoting, refers to access to bank accounts and automated payments.

You have 'cross applied' a reference from an entirely unrelated set of regs to apply to a coincidental set of circumstances.

The 'principle' is correct but the use of that reference in this circumstance is not really appropriate.

IT security and communication policy (if such a document exists in this council) is where the procedures for use of council email should be defined.

---

Thank you for your help. As RoundAgainCoxn says 6.12 is in the section relating to bank accounts and automated payments, but I still think it should count as a standalone statement relating to anything relating to council business that requires a Pin or Password, otherwise why have an email password at all. As far as I'm concerned, the reason an email has a password is to give security and accountability, which go out the window if you give the password to other people.

---

Thank you for your input, from which I hope the council will learn and set-up an IT security and communication policy.