How to Create a Parish Council IT Policy That Meets Assertion 10
26 March 2026 · Last reviewed 13 March 2026
Your internal auditor will check whether your council has a formally adopted IT policy as part of the 2025–26 AGAR cycle. This is an Assertion 10 requirement — not a suggestion. If your council does not have one, or has a draft that was never formally adopted at a meeting, the auditor will flag it.
This guide walks you through creating an IT policy from a template, customising it for your council, and getting it adopted properly.
What the IT policy must cover
The SAPPP Practitioners' Guide requires your IT policy to address how the council uses technology. At minimum, it needs to cover:
- Email — all council business conducted via council-domain email, not personal accounts
- Data protection — how personal data is handled under UK GDPR and the Data Protection Act 2018
- Website and accessibility — who maintains the website, how WCAG 2.2 AA compliance is monitored
- Devices — rules for council-owned equipment and personal devices used for council work
- Cybersecurity — passwords, software updates, phishing awareness
- Data handover — how council data, credentials, and access transfer when the clerk changes
- Review cycle — how often the policy is reviewed (at least annually)
For the full context on why these areas are now auditable, see our Assertion 10 compliance guide.
Start with a template
You do not need to write a policy from scratch. NALC published an official IT policy template in November 2025, designed specifically for parish and town councils to meet Assertion 10. It is available to NALC members — ask your county association of local councils if you cannot access it directly.
If you want a quicker starting point, our free IT Policy Generator creates a customised draft based on your council's details — council name, domain, email provider, device situation, and backup method. You can generate a template in a few minutes and adapt it from there.
Either way, a template is a starting point. You must customise it to reflect how your council actually operates.
Five decisions to make before you customise
Every parish council's IT setup is different. Before editing the template, your council needs to decide on these five points — because the policy wording depends on the answers:
1. Personal devices. Do councillors and staff use personal laptops or phones for council business? Most small councils allow this because they do not own devices. If personal devices are used, the policy must set rules: council data accessed only via cloud systems, screen lock required, data removed when the person leaves their role.
2. Backup method. Where is council data stored? Cloud storage (Google Drive, OneDrive) is simplest for most councils, but the policy should specify that data centres are UK- or EU-based. If using local backups (external drives), the policy needs a weekly backup requirement and off-site storage.
3. Social media. Does the council have Facebook, X, or other social media accounts? If so, the policy needs a section covering who can post, what is appropriate, and how formal correspondence received via social media (including FOI requests) is redirected to official channels.
4. Email migration. If the council still uses personal email (Gmail, Outlook.com) for council correspondence, the policy should include a migration timeline. Moving to council-domain email is an Assertion 10 requirement, not just a best practice — set a realistic deadline (typically 4–8 weeks for domain registration and email setup).
5. Training. How will councillors and staff learn the new policy? A brief walkthrough at the council meeting where the policy is adopted is the minimum. For councils switching from personal email to a council domain, a practical demonstration session saves weeks of support requests.
The adoption process
An IT policy only satisfies Assertion 10 if it has been formally adopted by council resolution. A policy sitting in a folder, even a well-written one, does not count. Your internal auditor will check the minutes.
Step 1 — Draft the policy. Use the NALC template, our IT Policy Generator, or your county association's version. Customise it using the five decisions above.
Step 2 — Circulate for review. Send the draft to all councillors at least two weeks before the meeting. This gives them time to read it and raises the quality of discussion at the meeting.
Step 3 — Agenda it properly. The policy must appear as a substantive agenda item at a full council meeting — not under AOB. The agenda item should name the policy explicitly.
Step 4 — Resolve to adopt. The council passes a resolution to adopt the IT policy. The minutes must record the resolution, the policy title, and the date of adoption. A typical resolution: "Resolved: that the council adopts the IT Policy dated [date], to be reviewed within 12 months."
Step 5 — Distribute and confirm. Send the adopted policy to all councillors, staff, and volunteers who access council IT systems. Keep a record of who received it. Some councils ask recipients to sign an acknowledgement — not mandatory, but useful evidence for the auditor.
Step 6 — Set the review date. Schedule the annual review for the annual meeting of the council (May) alongside standing orders and financial regulations. Add it to your compliance calendar so it does not slip.
What your auditor will look for
When your internal auditor assesses Assertion 10 compliance, they will want to see:
- The adopted IT policy document itself
- Council meeting minutes recording the adoption resolution
- Evidence the policy was distributed (email records, signed acknowledgements)
- The scheduled review date
- Confirmation that the policy covers the core areas (email, devices, data, handover, cybersecurity)
If any of these are missing, the auditor will record a qualified opinion on Assertion 10. For the full list of evidence across all Assertion 10 requirements (not just IT policy), see our internal audit checklist guide.
Use the free compliance checklist to self-assess your council against every AGAR assertion before audit season, and the audit deadline calculator to confirm your key dates.
Sources
- NALC — IT Policy Template for Parish and Town Councils (November 2025)
- Data Protection Act 2018
- Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018
The definitive source for Assertion 10 requirements is the SAPPP Practitioners' Guide, published annually by JPAG through NALC and SLCC. This article is for general guidance only and does not constitute legal advice.