The Smaller Authorities’ Proper Practices Panel (SAPPP) unveiled its 2025 Practitioners’ Guide, bringing with it crucial revisions aimed at strengthening how local councils and small authorities manage their digital operations and financial governance.
Among the most important changes is the introduction of a compulsory IT policy — a formal requirement for every smaller authority, designed to help safeguard public data and support good digital practice in an increasingly online world.
IT Policies: A New Requirement from April 2025
Beginning in April 2025, all smaller authorities with an annual turnover below £25,000, with the exception of Parish Meetings, must have an officially adopted IT policy. This falls under a newly introduced requirement — Assertion 10: Digital and Data Compliance — in the Annual Governance Statement, underscoring the growing importance of responsible digital management.
Why an IT Policy Is No Longer Optional
With so many council activities now taking place online — from emailing documents and publishing minutes to managing websites and handling public enquiries — having a clear framework for how digital systems are used isn’t just helpful, it’s essential.
Without an IT Policy, councils risk:
- Losing vital records when councillors or clerks use personal email addresses that become inaccessible when someone leaves.
- Falling foul of regulations, including data protection laws, website accessibility standards, and FOI legislation.
- Information breaches due to poorly secured devices, emails, or cloud storage.
- Cyber attacks targeting unprotected systems or inexperienced users.
An IT policy serves as a simple but powerful tool, offering clear, practical rules for how council technology and data should be handled.
What a Council IT Policy Should Include
To be effective, an IT policy needs to cover key areas of risk and responsibility. Here’s what every council should consider when drafting one:
1️⃣ Who the Policy Covers
Spell out who needs to follow the policy — typically councillors, clerks, contractors, and volunteers involved in council business.
2️⃣ Email and Communication Rules
Require the use of official, council-managed email accounts for all council correspondence, rather than personal emails.
Why it matters: If someone leaves and their personal inbox holds council business, important records could be lost or data protection laws breached.
Make sure your policy:
- Prohibits forwarding council emails to personal accounts
- Outlines strong password practices
- Establishes shared council email addresses for key roles
3️⃣ Handling Personal and Sensitive Data
Councils are legally responsible for the personal information they collect. Your IT policy should reinforce this and explain how digital data must be managed.
Example:
“Personal data must not be saved on personal devices or unapproved cloud services without written consent from the council.”
Link to your main Data Protection Policy, and provide instructions for dealing with FOI requests and subject access requests.
4️⃣ Website Oversight and Legal Duties
Local council websites must meet legal accessibility standards (WCAG 2.2 AA) and display specific information, such as councillor details and financial reports.
Without regular checks, councils risk breaching the Transparency Code.
Set a schedule for reviewing content and checking accessibility compliance, usually every 12 months.
5️⃣ Use of Council Equipment
If councillors or staff use council-owned laptops, tablets, or phones, your IT policy should set clear rules about how these are to be used, maintained, and returned when roles end.
Example:
“No software may be installed on council-owned devices without prior approval.”
6️⃣ Cybersecurity Expectations
Lay out basic security standards for all users to follow, including:
- Keeping devices updated and running antivirus software
- Using two-factor authentication where available
- Avoiding password reuse between personal and council accounts
Also include a brief guide to spotting phishing emails and other online scams.
7️⃣ Managing Public Communication
Appoint someone to manage the website and to add content, ensuring that they understand WCAG 2.2.
If your council uses social media, the policy should make clear who is allowed to post or respond, and what type of content is appropriate. Include in your policy the tone of voice that should be used in communication (i.e. formal, friendly) and how complaints or disputes should be handled online.
8️⃣ Training and Regular Reviews
Digital risks evolve quickly. Commit to providing periodic training to councillors and staff, and to reviewing the IT policy at least once a year to keep it up to date.
Mistakes to Avoid When Writing Your Council IT Policy
When developing your policy:
- Avoid complicated, technical language that’s difficult for non-experts to understand.
- Don’t copy out your Data Protection Policy in full; instead, reference it or link to your existing policy.
- Make sure your rules are practical — avoid demanding actions the council doesn’t have resources to carry out.
- Never allow the routine use of personal email accounts for council work.
How Councils Should Prepare
If you don’t already have an IT policy in place, start by requesting a model policy from your County Association, SLCC, or NALC. Adapt it to reflect your council’s size, staffing, and digital systems. Adopt the final version formally at a council meeting, and make sure every councillor and employee is made aware of it.
In Summary
This new requirement isn’t just a box to tick on a return. It’s about protecting public information, meeting legal obligations, and making sure councils can operate safely and effectively in a digital world. With Assertion 10 now part of the Practitioners’ Guide, having a robust IT policy is no longer optional.
If you’re unsure where to start, speak to your internal auditor or reach out to your county association for advice. It’s far easier to put a policy in place now than to tackle problems later during your AGAR return or an information breach.
We’ve created a sample IT policy, a briefing for your members and a sample agenda resolution that our Council clients can download, adapt and adopt. Please download using the links below.