It is not just presidential candidates who need to be aware of the dangers of using a personal email account for business matters. Should your Scout Group, Explorer Scout Unit, District or the County receive a data subject access request, and you use your personal email address or mobile number (for messaging) for scouting business, you may be required to disclose information held on personal email accounts or mobile phones.
If you use your personal email accounts to conduct 'charity business', because setting up and operating separate email accounts for dealing with such business can be burdensome this may be inconsistent with good record keeping and data security and can pose particular problems for you if your scout group receives a data subject access request (SAR) for disclosure of personal data held by the organisation about an individual.
Take, for example, a SAR is received by your scout group by a former leader. The SAR is likely to catch information held by or on behalf of the group. If your group secretary has been using their private email account to send emails in their official capacity, then your scout group remains the data controller for any personal data that is sent, received or stored on their account(s).
The fact that the group does not have ready access to those private accounts does not mean that the data falls outside the scope of the Subject Access Rrequest (SAR). Your group could find itself on the receiving end of an investigation by the Information Commissioner’s Office if a claim that any personal data held on their accounts falls within the scope of the request. This may extend, for example, to text messages on personal mobile phones where they were used to carry out group business.
With this in mind it really is best practice to set up separate email accounts for your group as required and the use of personal accounts should not be used and this should be made clear in your welcome to new adults and your policies and procedures.
In short, the leaders in your group and the members of your group Executive Committee should be aware of the implications of using their personal email accounts for ‘charity business’. At the very least they should be made aware that they may be compelled to hand over data from private email accounts or personal mobile phones, where it falls within the scope of a third-party request.