SAPPP Assertion 10: What Every Parish Council Must Do About Digital Compliance
12 March 2026
The 2025 SAPPP Practitioners' Guide added Assertion 10 — Digital and Data Compliance — to the Annual Governance and Accountability Return. Starting from the 2025–26 financial year, your internal auditor will assess your council's digital compliance as part of the annual audit. This is not optional, and many councils are unprepared. If you need a full overview of what auditors check across all assertions, start with our internal audit checklist.
Assertion 10 covers three areas: your council's domain and email system, website accessibility, and IT policy. This guide breaks down exactly what you need to do in each area.
What Assertion 10 requires
Assertion 10 was previously scattered across Assertion 3 (compliance with laws and regulations) and general best practice guidance. The 2025 Practitioners' Guide pulls these requirements into a standalone assertion, making them explicitly auditable for the first time.
The three pillars:
- Council-owned domain and official email — council business must be conducted via email addresses on a council-owned domain
- Website accessibility — the council website must meet WCAG 2.2 AA standards and have a current accessibility statement
- IT policy — a formally adopted policy covering how the council uses technology
Each pillar has specific evidence your internal auditor will expect to see.
Pillar 1: Council-owned domain and official email
Your council must operate from a domain it controls. The email address used for council business must be on that domain — not a free provider.
Compliant examples:
Non-compliant examples:
The domain must be registered to the council (or its proper officer on behalf of the council), not to an individual. When the clerk role changes, the council retains control of the domain and email accounts.
Why this matters: If the domain is registered to the clerk personally, the council risks losing access to its website, email archives, and online presence when the clerk leaves. This has happened — councils have lost years of correspondence because email accounts were tied to a departing clerk's personal credentials.
What to do if you are non-compliant:
- Register a council domain (
.gov.ukdomains offer elevated security and official status, but.org.ukis acceptable). For.gov.ukdomains, apply through the GOV.UK domain registration process - Set up email hosting on the council domain (Microsoft 365 or Google Workspace both offer public sector pricing)
- Configure a generic mailbox (clerk@, info@, admin@) plus any role-specific addresses
- Migrate existing correspondence if possible
- Update your contact details on the council website, principal authority listings, and any external directories
Allow 4–8 weeks for domain registration and email migration, longer for .gov.uk domains.
Pillar 2: Website accessibility (WCAG 2.2 AA)
Parish councils are public sector bodies. The Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 require your website to meet accessibility standards. This has been a legal requirement since September 2020 — Assertion 10 makes it auditable.
The current standard is WCAG 2.2 AA (upgraded from WCAG 2.1 AA in October 2024). Key requirements include:
Content accessibility:
- All images must have descriptive alt text
- Documents (PDFs, Word files) must be accessible or have accessible HTML alternatives
- Videos must have captions or transcripts
- Text must be readable at 200% zoom without horizontal scrolling
- Colour contrast must meet minimum ratios (4.5:1 for normal text, 3:1 for large text)
Navigation:
- The website must be fully navigable by keyboard alone
- Focus indicators must be visible
- Skip navigation links should be available
- Consistent navigation structure across pages
Forms and interactive elements:
- All form fields must have visible labels
- Error messages must identify the field and describe the error
- Input purpose must be identifiable (e.g., email fields should support autofill)
Accessibility statement: Every council website must publish an accessibility statement. This is not a template you fill in once — it must accurately describe your website's current compliance status, list any known non-compliant content, and explain how users can report accessibility problems.
Enforcement is by the Equality and Human Rights Commission (EHRC), which has the power to investigate and take legal action against non-compliant public sector bodies.
What to do:
- Run a basic accessibility audit (tools like WAVE or Lighthouse can catch many issues)
- Fix the most common problems: missing alt text, inaccessible PDFs, low contrast text
- Ensure your website hosting provider claims WCAG 2.2 AA compliance — if they do not, consider switching
- Write or update your accessibility statement with the current date and an accurate description of compliance status
- Set a calendar reminder to review the statement annually
Pillar 3: IT policy
Every parish and town council (excluding parish meetings) must have a formally adopted IT policy. This is a governance document — it must be approved by resolution at a council meeting, not just drafted by the clerk.
What the IT policy must cover:
- Email use — official email for all council business, no use of personal accounts for council correspondence
- Data protection — how personal data is handled, stored, and deleted in line with UK GDPR and the Data Protection Act 2018
- Website and accessibility — who maintains the website, how accessibility is monitored
- Device use — rules for council-owned devices and for councillors/staff using personal devices for council business
- Cybersecurity — password requirements, software updates, recognising phishing attempts
- Social media — guidelines for any council social media accounts
- Data handover — procedures for transferring all council data, email access, and system credentials when the clerk role changes
- Training and review — how often the policy is reviewed (at least annually) and training provided to councillors and staff
What to do:
- Draft the policy using our free IT Policy Generator or the NALC template available through your county association
- Agenda the policy for adoption at a full council meeting
- Record the adoption in the minutes
- Distribute to all councillors and staff
- Schedule annual review
Evidence your internal auditor will expect
| Requirement | Evidence |
|---|---|
| Council-owned domain | Domain registration record showing the council (not an individual) as registrant |
| Official email | Screenshots or documentation of the email system on the council domain |
| Website accessibility | Accessibility statement published on the website, evidence of WCAG compliance testing |
| IT policy | Approved policy document, minutes showing council adoption, distribution records |
| Data handover | Documented procedure for transferring data and credentials |
| GDPR compliance | Privacy notice on website, data processing records, FOI/SAR response tracking |
Timeline for compliance
If your council is starting from scratch on any of these requirements, here is a realistic timeline:
| Action | Estimated time |
|---|---|
| Register a council domain | 2–8 weeks (longer for .gov.uk) |
| Set up and migrate email | 2–4 weeks |
| Accessibility audit and basic fixes | 2–4 weeks |
| Draft and adopt IT policy | 4–6 weeks (including council meeting cycle) |
| Write accessibility statement | 1–2 days |
| Document data handover procedures | 1–2 days |
Start now if you have not already — audit season runs April to June, and your internal auditor will assess Assertion 10 as part of the 2025–26 AGAR cycle.
Try our free compliance checklist tool to self-assess your council's readiness against Assertion 10 and all other AGAR requirements. If your council needs an IT policy, the free IT Policy Generator creates a customised draft in minutes.
Sources
- Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018
- GOV.UK — Get a .gov.uk domain name
- Equality and Human Rights Commission
The definitive source for Assertion 10 requirements is the SAPPP Practitioners' Guide 2025, published by JPAG through NALC and SLCC. This article is for general guidance only and does not constitute legal advice.