Welcome back to my 3-part series on Assertion 10 Compliance.
I'm Mark Tomkins, Creative Director and Founder at Aubergine - leaders in providing accessible and compliant websites and .gov.uk services to parish, town and community councils.
In Part 1 of this Assertion 10 Compliance series, we discussed council domains and emails, and in Part 2 we delved into website accessibility compliance.
We are now moving on to Part 3 of this series - the IT Policy.
📄 IT Policy Requirement
All smaller authorities now need an IT policy.
Think of the IT Policy as the "wrapper" for everything we have discussed so far. It takes your domain name usage, your email protocols, and your GDPR responsibilities, and packages them into a single set of instructions.
It is your council’s position on how people (staff, councillors, and volunteers) should use the council’s software and hardware securely and professionally.
Without an IT policy, when things go wrong you've got nothing to fall back on or use to support a process. Whether it's a councillor behaving badly online, a data breach, or someone clicking a phishing link, you need proper procedures in place.
👇 Some Quick IT Policy Tips
NALC, SLCC and your local council association have excellent model documents to get you started. You can also access a model IT Policy template from the SAPPP Practitioners Guide. However, these templates are starting points and you must adapt them to your council.
Personal Device Usage (BYOD)
At my own council, Eaton Bray, I have my parish council email on my personal phone. That is convenient, and our policy permits it. However, the policy also dictates the exit strategy. It states that if I cease to be a councillor, I must remove that account, and the Clerk has the authority to change the password immediately. Without this written rule, you have no leverage to ensure data is removed from personal devices.
The "Teeth" for Enforcement
The IT Policy gives you the "teeth" to manage resistant councillors. We all know the councillor who insists on using bigbob68@yahoo.co.uk because "that's what I've always used." If you have a ratified policy stating: "All councillors will use council-provided email addresses only," you have a vehicle to enforce change. You can say, "Councillor, you agreed to this policy three months ago; we need to move you over to ensure we aren't losing communications."
Data Retention and "Data Time Bombs"
You might already have a data retention policy, but it needs to link here. You do not need to keep an email from 11 years ago about a dog bin falling off its hinges. That email contains personal data. If you hold it indefinitely without reason, it is a GDPR risk. Your policy should define when to purge unneeded data.
Social Media Boundaries
If you are a smaller council, wrap this into your IT Policy. You need rules of engagement for social media. Without them, eventually, a councillor will go "off the rails" in the comments section, or accidentally post as the Council rather than themselves. Once that Pandora's box is opened, it is very hard to close.
✅ Key Takeaways
- Policy: If you don’t have one, use a template as a starting point and customise it to your council. Formally adopt the policy at a council meeting and record the decision.
- Training: Don't just ratify the policy; train your team. Ensure all members understand their roles and responsibilities.
- Review: Annually review the policy - has anything changed (process or equipment) since the last review?
Conclusion
The IT Policy is more than a paperwork exercise; it is the backbone of your digital governance. It protects the council, but it also protects individual councillors by giving them clear boundaries. By adopting a robust policy, you ensure that Assertion 10 is not just a box ticked, but a standard upheld.
📖 Have you read Assertion 10 for Town & Parish Councils (Part 1 of 3): Council Domain & Emails and Assertion 10 for Town & Parish Councils (Part 2 of 3): Website Accessibility?
Resources
Mark Tomkins, Aubergine
Aubergine are the UK’s leading experts in purpose-built, WCAG 2.2 AA compliant, accessible websites for Town & Parish Councils, including .gov.uk domain registration, email hosting, and website compliance. If you have specific questions about your council's compliance needs, feel free to get in touch.
Visit: https://www.aubergine262.com/
Contact: thestudio@aubergine262.com





