Digital & Data Compliance

The NALC Practitioners’ Guide 2025 incorporates a requirement in the Annual Governance Statement (AGS) assertions, known as “AGS Assertion 10”, covering digital and data compliance. Note that an Addendum to AGS Assertion 10 states that Parish Councils are exempt from the requirement to appoint a Data Protection Officer. Nevertheless, Lindal & Marton Parish Council has appointed the Parish Council Clerk to this role.

AGS Assertion 10 – Digital and data compliance

In summary, AGS Assertion 10 states the following. For the full text, refer to the NALC Practitioners Guide 2025 – Section 1 AGS Assertion 10, and the Section 5 best practice guidance notes (pages 14 & 46).

• Every authority must have a generic email account hosted on an authority owned domain, for example clerk@abcparishcouncil.gov.uk or clerk@abcparishcouncil.org.uk rather than abcparishclerk@gmail.com or abcparishclerk@outlook.com for example.
• All smaller authorities (excluding parish meetings) must meet legal requirements for all existing websites regardless of what domain is being used.
• All websites must meet the Web Content Accessibility Guidelines 2.2 AA and the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 (where applicable).
• All websites must include published documentation as specified in the Freedom of Information Act 2000 and the Transparency code for smaller authorities (where applicable).
• All smaller authorities, including parish meetings, must follow both the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act (DPA) 2018.
• All smaller authorities, including parish meetings, must process personal data with care and in line with the principles of data protection.
• The DPA 2018 supplements the GDPR and classifies an authority as both a Data Controller and a Data Processor.
• All smaller authorities (excluding parish meetings) must also have an IT policy. This explains how everyone – clerks, members and other staff – should conduct authority business in a secure and legal way when using IT equipment and software. This relates to the use of authority-owned and personal equipment.

Addendum to AGS Assertion 10

Data Protection – To ensure compliance with data protection regulations, smaller authorities should:

• Appoint a Data Protection officer to oversee data protection and ensure compliance with GDPR (Under Section 7 of the DPA 2018, Parish Councils and Parish Meetings are exempt from this requirement).
• Conduct regular data audits to identify what personal data is held, how it is used and make sure it is processed lawfully.
• Implement a Data Protection policy on data handling, storage and sharing.
• Provide regular training to ensure all staff and members are trained on data protection principles and practices.
• Secure data using appropriate technical and organisational measures to protect personal data from breaches.