When Good Intentions Meet Hidden Risk

More and more organisations are encouraging their people to contribute beyond their day jobs including joining charity boards, helping professional associations, or volunteering in community roles. It’s a positive trend that builds capability, networks, and a sense of purpose. But there’s a quiet privacy risk that often goes unnoticed: when employees use their work email address for those external roles, the line between organisations can blur in ways that create real data-governance consequences.

Imagine a staff member who sits on the board of a local charity and uses their company email to receive board papers, donor lists, or membership contact information. Those emails, and all the personal information attached, don’t just exist in the charity’s systems; they also exist in the company’s infrastructure. Suddenly, the company is holding personal information that belongs to another organisation, possibly without knowing it, and certainly without intending to.

The company didn’t set out to gather information about the charity’s donors or members, but by virtue of how its email systems operate, it’s effectively doing just that. Things now get murky: the company may be holding the personal information as an agent of the charity (likely unknowingly), or it may be using it for its own purposes and is therefore deemed to be holding it in its own right. Suddenly, obligations such as secure storage, restricted access, correction and deletion rights, and breach notification get complicated, whichever model applies.

The risks aren’t just technical. They’re legal, reputational, and relational. A company that inadvertently holds charity data might one day face questions if a breach occurs. If the model is one where the company is deemed to hold the personal information in its own right, this also brings in new obligations next year about indirect collection, since the personal information is collected from the charity rather than from the individuals themselves.

There’s also the human side. Employees may find themselves caught in an awkward position if their volunteer inbox is suddenly subject to a privacy request, internal review, or audit.

Fortunately, the fix isn’t to stop people from helping in their communities. It’s to be intentional. Simple changes go a long way: encourage staff to use the charity’s own email domain; create clear policies about when corporate infrastructure can be used for external roles; and include data-sharing clauses in any agreement where an employee represents the company externally. Equally, charities can remind their board members and volunteers to use systems the charity controls, ensuring its data stays within its own boundaries.
