Kent Councillor Faces GDPR Questions Over Use of Private Email for Casework

A Kent County Councillor’s unconventional approach to correspondence is drawing scrutiny over data protection compliance. Tim Prater – newly elected in May 2025 as the Liberal Democrat County Councillor for Cheriton, Sandgate and Hythe East – publicly encourages residents to contact him via his private email address, tim@prater dot uk, for personal matters and casework. On his website, Prater prominently invites constituents: Contact Tim by email to tim@prater.uk. This direct appeal to use a personal email account – instead of the official @kent.gov.uk, folkestone-hythe.gov.uk and folkestone-tc.gov.uk addresses provided by KCC, FHDC and FTC – has sparked concern, particularly in relation to his role as Ward Councillor, where he conducts casework on behalf of residents.

Prater, who also serves on district and town councils, lists the private email alongside his phone number and postal address as primary contact information. The practice is intended to make him accessible. However, it means that sensitive personal information from constituents – covering anything from social care cases to school placements, planning, etc. – could be funnelled outside each council’s official IT systems. With UK data protection laws placing strict duties on how personal data is handled, Prater’s approach, although commendable, prompts a key question: Does using a private email for ward casework comply with the UK GDPR and Data Protection Act 2018?

Data Protection Laws and Official Communications

Under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), anyone handling personal data must do so lawfully, securely, and transparently. Councils, as public authorities, are expected to ensure the confidentiality, integrity and availability of all personal data they hold, regardless of which email system or device is used. The law does not outright forbid using personal email accounts for official business, but it places responsibility on the data controller to safeguard the information. In this context, Kent County Council (KCC) would remain accountable for personal data related to council business even if it is processed through a private email account or device.

Crucially, when a councillor handles constituent correspondence in their capacity as a Ward Councillor, they themselves become the data controller for that correspondence. Solihull Council’s privacy notice for councillors explains that in ward casework – for instance “dealing with complaints” – the councillor is the data controller, and must handle personal information fairly and lawfully. Mirroring this, KCC’s own guidance states that councillors are responsible for personal data they collect and process in their official roles. Therefore, Prater carries personal legal responsibility for protecting any personal data sent to his private inbox — ensuring it is secure, used only for its proper purpose, and retained no longer than necessary. Any mishandling – such as an email sent to the wrong person or a hacking incident – could breach GDPR’s security requirements.

Risks of Using a Private Email for Casework

Data protection and records management experts warn that using private channels for official business carries inherent risks. Elizabeth Denham, the UK’s former Information Commissioner during the post-GDPR period, observed that while private email use “isn’t automatically illegal”, it raises transparency issues. She highlighted that important information in private accounts may be “forgotten, overlooked, autodeleted or otherwise not available when a freedom of information request is later made”. This risks important correspondence being omitted from official council records, undermining public accountability.

Legal advisors note a similar concern at the local government level. Personal email services may lack enterprise-grade security and oversight. Councillor Mark Goodge, in commentary on councillor GDPR practice, advises, “Ideally, council email should be separate to your personal email. If your council provides councillors with email addresses (eg, in the form of your.name@council) then make sure you use that exclusively for council work,” reflecting a best practice of segregating official communications for secure and compliant processing.

One experienced parish councillor added: “Using your own personal email address could make compliance with the UK GDPR & DPA 2018 difficult… If you get emails from parishioners, then you are handling personal data… With a separate council email, that obligation would fall mainly on the council’s data controller. When using your personal email you then assume a data controller role”. This emphasizes how private email use shifts compliance burdens onto individuals – complicating oversight and potentially increasing risk.

Council Policies and Best Practice

Kent County Council’s policy is clear: every member is supplied with an official @kent.gov.uk email, designed to ensure secure, accountable handling of constituent casework. KCC’s General Counsel Benjamin Watts, who is also the council’s Data Protection Officer, warned in 2018 that councillors failing to follow governance policies – including ICT use – “presents an unacceptable risk to the council” and its data security frameworks.

Nationally, best practice is consistent: the ICO guidance “Fact sheet for councils: the use of personal email addresses and devices” bluntly states: “Councils must ensure the confidentiality, integrity and availability of all personal data they hold, even if the data is being processed through personal email accounts or is stored on a privately-owned device.” – underscoring the security, auditability, and legal defensibility of official email systems.

This distinction is further clarified. When acting as Ward Councillors, elected members use personal casework material in their own right and are therefore the data controller for any personal information they process. This places the legal responsibility for handling constituent data squarely on the councillor themselves. However, the notice also emphasises the importance of fairness, transparency, and secure handling of all casework. The implication is clear: while councillors may use personal systems, they must apply data protection standards equivalent to those of official council platforms. In practice, this reinforces the principle that casework is best handled through official channels, unless private alternatives are demonstrably secure, auditable, and compliant.

Transparency, Accountability and Public Trust

Ward casework involves deeply personal issues – housing, planning, social care, education, health – and constituents expect it to be treated with both confidentiality and official record. Bypassing council systems risks undermining Freedom of Information, Subject Access Requests, and record-keeping obligations. As noted by the ICO, private channels can result in constituent reasoning being “forgotten” or excluded from official logs – eroding oversight and public trust.

Moreover, creating separate private repositories of casework may raise suspicions of deliberate non-disclosure, though there is no suggestion of such intent here. The mere appearance of informal communication methods can threaten the public’s view of transparency and fairness.

Calls for Clarity and Compliance

Cllr Prater’s invitation to constituents – while demonstrating commendable accessibility – also highlights a broader need for clarity within Kent County Council. As data protection expectations evolve, councils may increasingly require members to sign IT use agreements or undergo refresher training ensuring that all casework remains within secure, auditable systems.

For now, constituents seeking assurance should ask their councillor: “Are you processing my data securely? Will this correspondence be officially logged and retained?” Meanwhile, KCC may need to reaffirm its expectations to ensure both accessibility and data protection are equally prioritized.

Conclusion

Cllr Prater’s private email practice in his role as Ward Councillor invites casework into his personal digital domain, raising important questions around data protection, security, and oversight. While not in itself unlawful, it places all the burden of GDPR compliance on him personally. To maintain public trust and uphold legal standards, the best approach remains: casework through official emails, with private addresses reserved for informal or political purposes only.

The Shepway Vox Team

Journalism for the People NOT the Powerful

