The long-awaited 2025 edition of the Practitioners’ Guide has now been published by the Smaller Authorities’ Proper Practices Panel (SAPPP), bringing with it a range of updates designed to help local councils and other smaller authorities meet their governance and financial responsibilities with greater clarity and confidence.
The 2025 edition of the Practitioners’ Guide has introduced a new digital responsibility that councils can’t afford to ignore: a written IT policy.
This is no longer just best practice; it is a requirement. From April 2025, every smaller authority (excluding parish meetings) must have an IT policy in place to comply with the new Assertion 10: Digital and Data Compliance in the Annual Governance Statement.
Let’s explore what that means, why it matters, and what should (and shouldn’t) go into a well-crafted IT policy.
🧠 Why an IT Policy Is Now Essential
Local councils are doing more online than ever before: emailing agendas, publishing financial documents, managing data, and sometimes even using social media or council apps.
Without clear rules, this digital activity can lead to serious issues:
- Data breaches, if personal information is lost or shared via unsecured channels.
- Lost emails, especially when clerks or councillors change and everything was in a personal Gmail account.
- Missed legal requirements, like not meeting accessibility regulations on your website or mishandling FOI requests.
- Cyber attacks, with phishing emails or malware targeting council devices.
The IT policy is your line of defence: a simple, written guide that sets clear rules for how technology is used, how data is protected, and how council business is conducted securely online.
📘 What the IT Policy Should Include – with Real-World Examples
Let’s break down the key sections and show how they relate to real issues councils face:
1. Purpose and Scope
✅ Example: "This policy applies to all councillors, employees, contractors, and volunteers who use IT systems to carry out council business, whether on council-owned or personal devices."
✔️ Be clear that it applies to everyone involved, not just the clerk
✔️ Cover use of personal devices (e.g. a councillor using their home laptop to read emails)
2. Council Email Use
✅ Require all official communications to come from a council-owned email address (e.g. clerk@stokesparish.gov.uk).
🔒 Why? Because if the clerk leaves and everything is on sarah.parishclerk@gmail.com, you may lose access to critical information and breach GDPR.
✔️ Set up a generic, permanent email account
✔️ Ban forwarding to personal inboxes
✔️ Include instructions on password strength and email access
3. Data Protection and GDPR
✅ Example: "Personal data must not be stored unencrypted on USB sticks, personal laptops, or cloud services like Dropbox unless approved by the council."
✔️ Remind users the council is a Data Controller and Processor
✔️ Refer to your existing Data Protection Policy
✔️ Include guidance on handling FOI requests and subject access requests (SARs)
4. Website Management and Accessibility
✅ Your website must meet WCAG 2.2 AA standards and publish all required documents (minutes, AGAR, councillor details, etc.)
❗ Example failure: A council’s website doesn’t include a contact page, isn’t accessible to screen readers, and doesn’t publish financial information. This breaches the Transparency Code and could trigger a complaint.
✔️ Assign responsibility for updating the website
✔️ Include how often the site will be checked for accessibility and broken links
5. Use of Council Equipment
✅ "Councillors borrowing a council laptop must not install additional software without permission."
✔️ Specify who owns the equipment and what happens when a role ends
✔️ Explain how to request IT support or raise security concerns
6. Cybersecurity and Online Safety
✅ Require antivirus software, two-factor authentication, and regular updates on council devices.
🛡️ Example threat: A councillor clicks on a phishing link in a fake HMRC email and unknowingly installs spyware.
✔️ Provide guidance on spotting suspicious emails
✔️ Ban reuse of passwords across personal and council accounts
7. Social Media and Communications
✅ Example: “Only the clerk or chair may post on the council’s Facebook page. Councillors should not comment as individuals on behalf of the council.”
✔️ Set expectations on tone and professionalism
✔️ State who can post, moderate, and respond
✔️ Include rules for WhatsApp, Facebook groups, or local forums
8. Training and Review
✅ Example: “All staff and members will receive annual refresher training on IT security and data protection.”
✔️ Include when the policy will be reviewed (annually is best)
✔️ Mention who is responsible for updates (e.g. clerk, staffing committee)
🚫 What Your IT Policy Should Not Do
❌ Be too technical. Avoid jargon; the policy should be accessible to all councillors.
❌ Duplicate your Data Protection Policy. Refer to it instead.
❌ Include unrealistic rules. For example, don’t require weekly backups if no one knows how to do them.
❌ Allow personal emails without restriction. Even small councils need digital discipline.
🛠️ Next Steps
If you don’t yet have an IT policy:
- Start drafting using templates from your County Association, SLCC, or NALC.
- Tailor it to your council’s needs; don’t just copy and paste.
- Adopt it formally at a council meeting and record it in your minutes.
- Train your team so everyone understands their responsibilities.
💬 Final Thought
A well-written IT policy isn’t just a tick-box exercise; it’s a practical tool for safeguarding your council’s digital operations and reputation. And now that it’s part of the Practitioners’ Guide, it’s no longer optional.
If you're not sure where to begin, reach out to your internal auditor or support body. It’s better to get started now than wait until the AGAR deadline looms.