Hello everyone! I'm Mark Tomkins, Creative Director and founder at Aubergine who are leaders in providing accessible and compliant websites and .gov.uk services to parish, town and community councils, and author of the Web Accessibility and Publishing guidebook. I recently had the pleasure of speaking at a Scribe Academy webinar about the significant updates to SAPPP (The Smaller Authorities' Proper Practices Panel) 2025, formerly JPAG, particularly around digital and data compliance requirements that every parish and town council needs to understand.

As someone who's been a parish councillor for nearly 15 years in my private life, I know these technical requirements can feel overwhelming. But here's the thing – they're actually quite straightforward once you understand what's needed and why. Let's get stuck in.

What's Changed in SAPPP (The Smaller Authorities' Proper Practices Panel) 2025?

The 2025 edition introduces Assertion 10 – Digital and Data Compliance – which clarifies requirements that were previously covered under Assertion 3. While this won't appear on the AGAR (Annual Governance and Accountability Return) until 2025-26, councils need to start preparing now.

The key requirements are:

1. Council-owned domain names for websites and email
2. Website accessibility compliance with WCAG 2.2 AA
3. IT policies for all smaller authorities
4. Proper data protection practices

Email and Domain Requirements: Why It Matters

Here's the important thing to understand: if you're using something like parishclerk@gmail.com or councilname@outlook.com, you don't own that platform. Google does. Microsoft does. And if you don't own the platform, you don't own the data or rights over the domain.

What we have heard happening is councils coming to us saying the previous clerk left without handing over login details. If you don't know the username and password, and you don't own the domain, good luck getting access to years of correspondence. You've got absolutely no rights over that data or access and there’s no support for these free services.

The Solution: Council-Owned Domains

You must have a council-owned domain name for both your website and official email. This could be:

• .gov.uk (my professional recommendation)
• .org.uk (acceptable alternative)
• .co.uk (less suitable but compliant if council-owned)

For .gov.uk domains, there are strict naming protocols. You can't just have whatever-you-want.gov.uk. The options are:

For Parishes:

• locationparishcouncil.gov.uk
• location-pc.gov.uk
• locationparish.gov.uk

For Towns:

• locationtowncouncil.gov.uk
• location-tc.gov.uk

For Community Councils:

• locationcommunitycouncil.gov.uk
• location-cc.gov.uk

For very long placenames, acronyms will be considered.

Those are your options. It's important to know this before you go to council with the proposal, because councillors need to understand the art of the possible.

Website Accessibility: The 2.2 AA Requirement

Your website must meet WCAG 2.2 AA compliance – this changed from 2.1 AA in October 2024. It won't happen automatically, so if your website was built to meet 2.1AA, you'll need to check it's been elevated to 2.2AA.

You also need an up-to-date accessibility statement. Think of this as your "website confessional" – where you explain your understanding of what the requirements are, what you're doing to meet compliance, acknowledge any content that isn't compliant (perhaps from third parties or predating 2018), the frequency of your testing and how to contact you if they need additional support.

Some Quick Accessibility Tips:

• Use the WAVE browser checking tool – it's free and takes 30 seconds to check any page
• Avoid click here links – use descriptive text like "April 2025 Finance Committee Minutes"
• Don't dump URLs on pages – assistive technology reads them out letter by letter
• Use sequential headings - this adds page structure for ease of navigation
• Add alt text to images and avoid embedding lots of text in pictures
• Make forms actual web forms, not downloadable documents that create barriers

IT Policies: No Longer Optional

All smaller authorities now need an IT policy. You need rules defined for how council staff and members use software and hardware securely and professionally.

Without an IT policy, when things go wrong you've got nothing to fall back on or use to support a process. Whether it's a councillor behaving badly online, a data breach, or someone clicking a phishing link, you need proper procedures in place.

The policy should cover:

• Email usage and management
• Website responsibilities
• Social media guidelines
• Data storage and backup procedures
• Adherence to GDPR and data processing
• Cybersecurity protocols
• BYOD (Bring Your Own Device) rules

Your local council association and the SLCC have excellent model documents to get you started, but remember – every council operates slightly differently, so you'll need to tailor it to your specific circumstances - don’t just copy and paste! And remember - it’s a policy so Council need to review and adopt it.

The Risks of Non-Compliance

Some of these things are going to cost money – can't avoid that. That's the march of progress. But consider the risks of not complying:

• Audit failures
• Legal challenges from vexatious members of the public
• GDPR exposure when handling FOI or Subject Access Requests
• Loss of .gov.uk domain if you're misusing it

Getting Started: Practical Next Steps

1. Start budgeting now – precept planning beings around October/November - add to the agenda items list!
2. Ensure your domain is registered to the council, not an individual
3. Commission an accessibility audit of your website – you don't know what you don't know
4. Draft an IT policy using model documents as a starting point
5. Consider moving to .gov.uk for the enhanced security and authenticity

For full transparency, I should mention that Aubergine is currently offering free .gov.uk domains for the first year (worth £100) with compliant websites starting from £499 + VAT reducing to £299 + VAT per year onwards. But whether you work with us or another provider, the key thing is getting compliant.

Common Questions Answered

Q: Do all councillors need authority-owned email accounts? A: The clerk needs a generic council-owned email address. Councillors shouldn't use personal email addresses for council business - preferably they use email on the same domain as the clerk.

Q: Can we keep our existing .co.uk domain? A: Yes, as long as it's owned by the council and all official email comes from that domain. While .gov.uk is best practice, .co.uk is compliant if properly managed.

Q: How often should we test website accessibility? A: Test as you go using tools like WAVE, and do a thorough review every 3-6 months both using software and also a manual check through.

Q: What about temporary email addresses for projects? A: Don't use Gmail or other free services for any council business, even temporarily. Set up project-specific addresses within your council domain instead.

Watch the Full Session and Download the Slides

Downloadable resources

• You can watch the complete webinar (44mins) recording here.
• You can download the slides (687kb) here.

‍

The digital compliance landscape is evolving rapidly, and councils need to stay ahead of these requirements. Yes, it involves some investment and planning, but it's essential for protecting your council's data, improving transparency, having a robust process to follow and maintaining public trust.

If you have specific questions about your council's compliance needs, feel free to get in touch. As someone who sits on both sides – as a parish councillor and as someone helping councils navigate these requirements – I understand the challenges you're facing.

The most important thing? Start planning now. Don't wait until 2025-26 when it appears on the AGAR (Annual Governance and Accountability Return). Get ahead of this, budget appropriately, and ensure your council is properly positioned for the digital future of local government.

Mark Tomkins is Creative Director and founder at Aubergine, author of the Now Web Accessibility and Publishing guidebook, and a parish councillor of nearly 15 years. Aubergine specialises in helping parish and town councils meet their digital compliance requirements through .gov.uk domains, accessible websites, and comprehensive support services.

‍