Assertion 10 made IT governance a standalone AGAR requirement from 2025/26. This guide covers everything you need in your IT policy, as well as some best practices.
If you’re a Parish or Town Council clerk working through your Assertion 10 obligations, the IT policy requirement is one area where many councils are still catching up. This guide explains exactly what you need, what it must cover, and how to get it right before your next AGAR submission.
To answer “yes” to Assertion 10, a council must demonstrate:
- A formally adopted IT policy covering all staff, councillors and devices
- Council-owned email addresses on an authority-owned domain for all official business
- A website that meets the Public Sector Bodies Accessibility Regulations 2018 (WCAG 2.2 AA)
- Compliance with UK GDPR 2016 and the Data Protection Act 2018
- Publication of required documents in line with the Freedom of Information Act and Transparency Code
What the IT policy requirements actually say
Paragraph 1.54 of the 2025 Practitioners’ Guide is specific:
“All small authorities (excluding parish meetings) must also have an IT policy. This explains how everyone - clerks, members and other staff - should conduct authority business in a secure and legal way when using IT equipment and software. This relates to the use of authority-owned and personal equipment.”
Three things in that paragraph are worth paying close attention to.
First, it says everyone, not just the clerk. The policy must cover all councillors and any staff or volunteers who handle council data or communications on the council’s behalf.
Second, it explicitly includes personal devices; a councillor’s own phone or home laptop used for council business falls within this scope.
Finally, the policy must be formally ratified by the full council, not simply written and filed away.
What your IT policy must cover
Below is a breakdown of each area your policy needs to address, with guidance on why each one matters.
Scope (who & what the policy covers)
Be explicit. The policy should state that it applies to all clerks, councillors, staff, and volunteers who use IT systems for council business, whether on council-owned or personal devices.
A phrase such as "This policy covers all personnel using IT systems for council business, regardless of whether they are using council-owned or personal devices" makes the scope clear and avoids ambiguity when the policy needs to be enforced.
Email and communications
State clearly that all council business must be conducted using council-owned email addresses. Personal accounts such as Gmail, Outlook or Yahoo are not best practice for official correspondence.
If communications are tied to personal email addresses, the council risks losing access to its records when staff change, which in turn creates a real risk of UK GDPR non-compliance. The policy should also make clear that email accounts are owned by the council, not the individual using them.
Council-owned vs personal devices (BYOD)
If councillors use their own devices (phones, laptops or tablets) for council business (known as Bring Your Own Device, or BYOD), your policy must address this specifically.
ICO guidance recommends that personal and council data are kept separate, that any loss or theft of a device is reported immediately to the clerk, and that devices allow for remote wipe or manual deletion of council data when required.
The policy should confirm that no monitoring of personal use will be carried out beyond the protection of council data.
Password management
Set minimum standards for passwords, including minimum length and frequency of change. Make clear that passwords must not be shared between individuals, and include a process for changing shared system passwords when someone leaves the council.
Software and security updates
Assign clear responsibilities for keeping devices updated, including operating system patches, antivirus software, and applications used for council business. Specify a timescale; security patches should typically be applied within a defined number of days of release.
Data storage and cloud services
Specify where council data may be stored and which cloud platforms are approved for use. Councillors should not store council documents in personal cloud accounts such as personal iCloud or Google Drive.
Backup procedures
Define how often backups are taken, where they are stored, and how they are tested. An untested backup is not reliable.
The policy should require periodic restoration tests and documentation of the results.
Cybersecurity expectations
Set out how staff and councillors should recognise and report potential threats, including phishing emails. Include a clear process for reporting a suspected security incident to the clerk or a designated lead.
Social media
If your council has official social media accounts, or if councillors post publicly in their capacity as councillors, the policy should define who is permitted to post on the council's behalf, what tone and content are appropriate, and how complaints or disputes raised online should be handled.
This protects the council from reputational risk and sets clear expectations.
Leavers’ procedure
This is the area most commonly missing from council IT policies, and it matters significantly. The policy should specify that when a councillor or staff member leaves, their council email account is closed, any council data on personal devices is deleted, and all passwords to shared systems are changed.
Without a written procedure, you have very limited grounds to enforce this.
If a departing clerk has conducted council business through a personal Gmail account, that correspondence may be entirely inaccessible to the council. This is both an operational risk and a potential data protection issue, which is exactly why the IT policy requirement exists.
Data protection responsibilities
The policy should acknowledge the council’s role as a Data Controller under UK GDPR and make clear that all staff and councillors share responsibility for handling personal data lawfully.
Content management and website responsibilities
If your council manages its own website content, the policy should assign clear responsibility for keeping the site up to date and accessible.
This includes ensuring documents published on the site are in accessible formats, avoiding inaccessible practices such as embedding text in images, and maintaining an up-to-date accessibility statement.
.gov.uk domains & council email addresses
Paragraph 1.47 of the Practitioners’ Guide requires every council to have at least one generic email account hosted on an authority-owned domain. Free personal email services do not meet this standard, so Gmail, Outlook, Hotmail and similar providers are not acceptable for council use.
Everyone needs their own account
Best practice, and a clear recommendation in the guidance, is that every person conducting council business should have their own email address on the council’s domain.
That means the clerk, every serving councillor, and any other staff or contractors who regularly handle council correspondence or data. A shared inbox is not sufficient.
Individual accounts create a clear audit trail, make Freedom of Information and Subject Access Requests far more straightforward, and mean that when someone leaves, their access can be removed immediately without disrupting any other user.
Is .gov.uk mandatory?
No, but it is strongly recommended as best practice. What is mandatory is the use of an authority-owned domain. A .org.uk domain registered and controlled by your council meets the requirement under Assertion 10.
However, the Practitioners' Guide is clear on the point: paragraph 5.123 states that it is best practice to use .gov.uk domains for smaller authorities' emails and websites.
.gov.uk domains are reserved exclusively for public sector bodies and administered by Nominet under Government Digital Service rules. They come with mandatory security standards, including DMARC email authentication, which protects against impersonation and phishing.
They also signal to residents and partners that they are communicating with a legitimate public authority. If your council is already moving to a new email setup, this is the right moment to make the switch.
Your Assertion 10 IT compliance checklist
Use this checklist to see what your council still needs to put in place to meet Assertion 10 and follow best practice.
IT Policy
🔲 An IT policy has been drafted and formally ratified by the full council
🔲 Both council-owned and personal devices used for council business are covered
🔲 Acceptable use of IT systems is clearly defined
🔲 Password management standards are set out, including rules on sharing
🔲 Responsibilities for software and security updates are assigned
🔲 Approved data storage locations and cloud services are specified
🔲 Backup procedures, including testing, are documented
🔲 A leavers’ procedure covering email accounts, passwords and devices is in place
🔲 The policy has been shared with all councillors and staff
🔲 BYOD rules are included for those using personal devices
🔲 An annual review date has been set
Email & Domain
🔲 The council owns and controls its email domain
🔲 No official council business is conducted on personal emails
🔲 The clerk’s email address is on the council’s own domain
🔲 Every councillor has their own unique email address
🔲 The council is using or has applied for a .gov.uk domain
Data Protection
🔲 The council is registered with the ICO as a data controller
🔲 A named person is responsible for data protection
🔲 A data audit has been carried out
🔲 Councillors and staff have received data protection training
Website transparency
🔲 The council website meets WCAG 2.2 AA accessibility standards
How can HugoFox help?
Fortunately, every Parish and Town Council website built with HugoFox includes a .gov.uk domain, completely free of charge, forever. We also guarantee that our websites are WCAG 2.2 AA compliant as standard, which means that just by having a HugoFox website, you can tick two things off your list without even trying.
If you’re feeling overwhelmed or just need some advice, our support team are on hand 24 hours a day, 7 days a week to support you with all aspects of digital compliance.
Contact our team if you need help with your Parish Council IT policy.