https://parishproof.co.uk Compliance guidance for parish and town council clerks in England. en-gb https://parishproof.co.uk/blog/parish-council-clerk-responsibilities-compliance/ https://parishproof.co.uk/blog/parish-council-clerk-responsibilities-compliance/ Thu, 09 Apr 2026 00:00:00 GMT Every compliance obligation a parish council clerk is responsible for — governance, finance, data protection, digital compliance, and publication duties. Section 112 of the Local Government Act 1972 gives parish councils the power to appoint officers. As clerk, you are the council's sole employee in most cases, serving as Proper Officer (the person the law requires to carry out specific functions) and usually also the Responsible Financial Officer (RFO). The Society of Local Council Clerks (SLCC) represents clerks to over 5,000 councils in England and Wales. If you are not already a member, the advisory service and training resources are worth the membership fee — particularly when navigating new requirements like Assertion 10. ## The compliance areas you own ### 1. Financial compliance You are the RFO. Every financial transaction, budget decision, and audit return flows through you. **What this means in practice:** - Prepare the annual budget and calculate the precept demand for the billing authority - Maintain the cash book, reconcile bank statements monthly, and ensure all payments are properly authorised in council minutes - Prepare the AGAR (Sections 1, 2, and 3) — see our [AGAR preparation guide](/blog/agar-parish-council-guide/) for the full process - Submit the Certificate of Exemption (if turnover ≤ £25,000) or the completed AGAR to the external auditor by 30 June - Reclaim VAT on eligible expenditure (Section 33 VAT Act 1994 for parish councils) - Maintain the fixed asset register and update it for additions and disposals ### 2. Governance compliance You are the person who ensures the council follows its own rules — and the law. **What this means in practice:** - Ensure the council has adopted up-to-date standing orders and financial regulations (review annually at the annual meeting in May) - Maintain the [code of conduct](/blog/parish-council-code-of-conduct-guide/) process — distribute to new councillors, record declarations of interest in minutes, direct complaints to the monitoring officer - Prepare agendas with proper notice (3 clear days for parish councils under Schedule 12 of the Local Government Act 1972) - Record accurate minutes and ensure they are approved and signed at the next meeting - Maintain the risk assessment and ensure it is reviewed annually - Ensure adequate insurance cover — check against current assets and activities ### 3. Digital compliance (Assertion 10) New for the 2025–26 AGAR cycle. Your internal auditor will now assess the council's digital compliance as a standalone assertion. **What this means in practice:** - Council operates from a council-owned domain with official email addresses — not personal Gmail or Outlook - Council website meets WCAG 2.2 AA accessibility standards with a current accessibility statement - Council has a formally adopted IT policy covering email, devices, data, cybersecurity, and handover procedures - All of the above are evidenced and available for the internal auditor For the full requirements, see our [Assertion 10 compliance guide](/blog/sappp-assertion-10-parish-council-digital-compliance/). Use the free [IT Policy Generator](/tools/it-policy-generator/) if your council does not yet have an IT policy. ### 4. Data protection The council is a data controller. You are the person who ensures it acts like one. **What this means in practice:** - Maintain a privacy notice on the council website (review annually) - Respond to subject access requests within one calendar month and FOI requests within 20 working days - Ensure the council's ICO registration and annual data protection fee are current - Maintain an information asset register — what personal data the council holds, where, and for how long - Ensure councillors are not processing council data via personal email accounts See our [GDPR compliance guide](/blog/parish-council-gdpr-compliance/) for the three failures the ICO keeps finding in parish councils. ### 5. Publication and transparency You publish what the law requires — and clerks are frequently the only person who knows what that list includes. **What this means in practice:** - Publish all items required under the [Transparency Code](/blog/parish-council-transparency-code-requirements/) (for councils with turnover ≤ £25,000: expenditure, end-of-year accounts, governance statement, internal audit report, councillor list, asset register) - Maintain and publish the council's publication scheme (required under the Freedom of Information Act 2000) - Publish public rights period notice (30 working days, starting in July) on the website and noticeboard - Keep the council website up to date with meeting dates, agendas, minutes, and contact information ## Annual compliance calendar | Month | Key obligations | |-------|----------------| | January | Begin year-end preparation: review standing orders, financial regulations, risk assessment | | February | Prepare draft budget, calculate precept demand for billing authority | | March | Financial year ends 31 March. Close accounts, complete bank reconciliation, update asset register | | April | Arrange internal audit. Submit VAT reclaim if applicable | | May | Annual meeting of the council (1–30 May). Review standing orders, financial regs, code of conduct, risk assessment, insurance. Adopt/review IT policy | | June | Complete AGAR. Section 1 approved before Section 2. Submit to external auditor or Certificate of Exemption by 30 June | | July | Publish AGAR and Transparency Code information. Begin public rights period (30 working days, must include first 10 working days of July) | | August | Public rights period continues. Respond to any inspection requests | | September | Review accessibility statement (annual). Check ICO registration and data protection fee | | October | External auditor report published (if applicable, by 1 October). Publish on website | | November | Review data retention — delete records past their retention date. Remind councillors to update register of interests | | December | Review insurance cover for the coming year. Check NALC/SLCC bulletins for regulatory changes | Use the free [audit deadline calculator](/tools/audit-deadline-calculator/) to see exact dates for your council's AGAR cycle, and the [compliance checklist](/tools/compliance-checklist/) to self-assess against every governance assertion. ## When things go wrong Most compliance failures in parish councils are not malicious — they are the result of one person juggling too many obligations with too little time. But the consequences are real: - **Missed AGAR deadline:** The external auditor reports the council as non-compliant. The government may intervene under the Local Audit and Accountability Act 2014 - **Missing privacy notice or data breach:** ICO investigation. Potential fine (rare for parish councils, but reputational damage is significant in a small community) - **Failure to register interests:** Criminal offence under section 34 of the Localism Act 2011. An unlimited fine (level 5 on the standard scale) and disqualification from office for up to five years (this falls on the councillor, but the clerk is expected to chase registrations) - **Non-compliant website accessibility:** Equality and Human Rights Commission enforcement. Public sector bodies can be investigated and required to remediate - **Assertion 10 failures:** Qualified audit opinion. Depending on severity, may affect the council's ability to assert compliance in the Annual Governance Statement The common thread: most of these issues are preventable with a reliable tracking system. A spreadsheet works. A dedicated compliance dashboard works better — that is what ParishProof is building. ## Sources - Local Government Act 1972, Section 112 — Appointment of staff - Society of Local Council Clerks (SLCC) *This article is for general guidance only and does not constitute legal advice. For specific questions about your responsibilities as clerk, contact SLCC or your county association of local councils.* ]]> https://parishproof.co.uk/blog/parish-council-gdpr-compliance/ https://parishproof.co.uk/blog/parish-council-gdpr-compliance/ Thu, 02 Apr 2026 00:00:00 GMT The ICO flagged three recurring GDPR problems in parish councils — personal email, data hoarding, and sharing confusion. Here is how to fix each one. fact sheet for parish councils on personal device use — worth reading alongside your IT policy. ## Failure 2: Keeping data "just in case" Councils accumulate data over years — planning correspondence, complaint records, old electoral roll copies, employment records for clerks who left a decade ago. The instinct is to keep everything in case it is needed later. The ICO's finding: this is not a valid legal basis for retention. Under the Data Protection Act 2018, personal data must be kept only for as long as necessary for the purpose it was collected. "Necessary" means there is a genuine, current reason — not a speculative future use. **What to do:** 1. Create a data retention schedule. For each category of data (planning, finance, HR, complaints, minutes), set a retention period based on the legal requirement or practical need 2. Minutes and formal records: keep permanently — these are public documents 3. Financial records: 6 years plus the current year (HMRC requirement) 4. Employment records: 6 years after the person leaves 5. Planning consultation responses: retain for the life of the planning application plus 3 years 6. Complaint correspondence: 3 years from resolution (or longer if there is an ongoing legal issue) 7. Review annually and delete what has passed its retention period. When clerks change, this is the moment data accumulates — the new clerk inherits everything and deletes nothing ## Failure 3: Data sharing confusion Parish councils share data with other organisations regularly — billing authorities, principal authorities, leisure centre operators, allotment associations, burial ground contractors. The ICO found that councils are often unsure whether they have a legal basis to share, and default to either sharing too much or refusing to share at all. The most common confusion: **publishing names in council minutes.** Councils are unsure whether naming residents who spoke at public meetings, submitted planning objections, or raised complaints is permitted. The general principle: if a person has engaged with the council in a public capacity (speaking at a public meeting, submitting a planning objection that is a public document), recording their name in the minutes is normally lawful under the public task basis. But if a person has contacted the council privately (a complaint, a personal request), their name should not appear in public minutes without consent. **What to do:** 1. Before sharing data with any third party, identify your legal basis (public task, legal obligation, legitimate interest, or consent) 2. For minutes: record the name of anyone who spoke at a public meeting or submitted a public representation. Redact names from private correspondence discussed in council 3. For contracts with external service providers (ground maintenance, leisure centres, website hosts), include a data processing agreement specifying what data they access and how they handle it 4. If unsure, the ICO's guidance for small organisations covers data sharing principles in plain language ## Your GDPR compliance basics Beyond the three failures above, here is what every parish council needs as a minimum: - **Privacy notice on the council website** — explaining what personal data the council collects, why, the legal basis, retention periods, and how to exercise data rights (access, erasure, objection). Review it annually. A privacy notice from 2018 that has never been updated is not compliant. - **Information asset register** — a simple spreadsheet listing what personal data the council holds, where it is stored, who has access, and the retention period. This is the document you will need if the ICO asks questions. - **Subject access request process** — know how to respond when someone asks for a copy of the personal data you hold about them. You have one calendar month. If you cannot locate the data because it is scattered across personal email accounts and laptops, you will miss the deadline. - **Breach response** — if personal data is accidentally disclosed, lost, or accessed without authorisation, assess the risk. If there is a risk to individuals, report to the ICO within 72 hours. If you discover that a departing councillor has retained personal data on a personal device, that may constitute a breach. - **ICO fee** — most parish councils must pay the annual data protection fee (currently £40 for tier 1 organisations). Check the ICO website for the current fee structure. Use the free [compliance checklist](/tools/compliance-checklist/) to self-assess your council's data protection compliance alongside every other AGAR requirement. ## Sources - Local Government Lawyer — ICO identifies three key GDPR compliance challenges for town and parish councils - Data Protection Act 2018 - ICO — Advice for small organisations *This article is for general guidance only and does not constitute legal advice. For specific data protection questions, consult the ICO or a data protection practitioner.* ]]> https://parishproof.co.uk/blog/parish-council-it-policy-assertion-10/ https://parishproof.co.uk/blog/parish-council-it-policy-assertion-10/ Thu, 26 Mar 2026 00:00:00 GMT Step-by-step guide to creating, customising, and formally adopting a parish council IT policy that satisfies SAPPP Assertion 10 audit requirements. Data Protection Act 2018 - **Website and accessibility** — who maintains the website, how WCAG 2.2 AA compliance is monitored - **Devices** — rules for council-owned equipment and personal devices used for council work - **Cybersecurity** — passwords, software updates, phishing awareness - **Data handover** — how council data, credentials, and access transfer when the clerk changes - **Review cycle** — how often the policy is reviewed (at least annually) For the full context on why these areas are now auditable, see our [Assertion 10 compliance guide](/blog/sappp-assertion-10-parish-council-digital-compliance/). ## Start with a template You do not need to write a policy from scratch. NALC published an official IT policy template in November 2025, designed specifically for parish and town councils to meet Assertion 10. It is available to NALC members — ask your county association of local councils if you cannot access it directly. If you want a quicker starting point, our free [IT Policy Generator](/tools/it-policy-generator/) creates a customised draft based on your council's details — council name, domain, email provider, device situation, and backup method. You can generate a template in a few minutes and adapt it from there. Either way, a template is a starting point. You must customise it to reflect how your council actually operates. ## Five decisions to make before you customise Every parish council's IT setup is different. Before editing the template, your council needs to decide on these five points — because the policy wording depends on the answers: **1. Personal devices.** Do councillors and staff use personal laptops or phones for council business? Most small councils allow this because they do not own devices. If personal devices are used, the policy must set rules: council data accessed only via cloud systems, screen lock required, data removed when the person leaves their role. **2. Backup method.** Where is council data stored? Cloud storage (Google Drive, OneDrive) is simplest for most councils — but the policy should specify that data centres are UK or EU based. If using local backups (external drives), the policy needs a weekly backup requirement and off-site storage. **3. Social media.** Does the council have Facebook, X, or other social media accounts? If so, the policy needs a section covering who can post, what is appropriate, and how formal correspondence received via social media (including FOI requests) is redirected to official channels. **4. Email migration.** If the council still uses personal email (Gmail, Outlook.com) for council correspondence, the policy should include a migration timeline. Moving to council-domain email is an Assertion 10 requirement, not just a best practice — set a realistic deadline (typically 4–8 weeks for domain registration and email setup). **5. Training.** How will councillors and staff learn the new policy? A brief walkthrough at the council meeting where the policy is adopted is the minimum. For councils switching from personal email to a council domain, a practical demonstration session saves weeks of support requests. ## The adoption process An IT policy only satisfies Assertion 10 if it has been formally adopted by council resolution. A policy sitting in a folder, even a well-written one, does not count. Your internal auditor will check the minutes. **Step 1 — Draft the policy.** Use the NALC template, our [IT Policy Generator](/tools/it-policy-generator/), or your county association's version. Customise it using the five decisions above. **Step 2 — Circulate for review.** Send the draft to all councillors at least two weeks before the meeting. This gives them time to read it and raises the quality of discussion at the meeting. **Step 3 — Agenda it properly.** The policy must appear as a substantive agenda item at a full council meeting — not under AOB. The agenda item should name the policy explicitly. **Step 4 — Resolve to adopt.** The council passes a resolution to adopt the IT policy. The minutes must record the resolution, the policy title, and the date of adoption. A typical resolution: "Resolved: that the council adopts the IT Policy dated [date], to be reviewed within 12 months." **Step 5 — Distribute and confirm.** Send the adopted policy to all councillors, staff, and volunteers who access council IT systems. Keep a record of who received it. Some councils ask recipients to sign an acknowledgement — not mandatory, but useful evidence for the auditor. **Step 6 — Set the review date.** Schedule the annual review for the annual meeting of the council (May) alongside standing orders and financial regulations. Add it to your compliance calendar so it does not slip. ## What your auditor will look for When your internal auditor assesses Assertion 10 compliance, they will want to see: - The adopted IT policy document itself - Council meeting minutes recording the adoption resolution - Evidence the policy was distributed (email records, signed acknowledgements) - The scheduled review date - That the policy covers the core areas (email, devices, data, handover, cybersecurity) If any of these are missing, the auditor will record a qualified opinion on Assertion 10. For the full list of evidence across all Assertion 10 requirements (not just IT policy), see our [internal audit checklist guide](/blog/parish-council-internal-audit-checklist/). Use the free [compliance checklist](/tools/compliance-checklist/) to self-assess your council against every AGAR assertion before audit season, and the [audit deadline calculator](/tools/audit-deadline-calculator/) to confirm your key dates. ## Sources - NALC — IT Policy Template for Parish and Town Councils (November 2025) - Data Protection Act 2018 - Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 *The definitive source for Assertion 10 requirements is the SAPPP Practitioners' Guide, published annually by JPAG through NALC and SLCC. This article is for general guidance only and does not constitute legal advice.* ]]> https://parishproof.co.uk/blog/agar-parish-council-guide/ https://parishproof.co.uk/blog/agar-parish-council-guide/ Thu, 19 Mar 2026 00:00:00 GMT Everything parish council clerks need to know about AGAR — deadlines, what each section requires, how to prepare, and what changed with Assertion 10. Local Audit and Accountability Act 2014. The AGAR has three main sections that must be completed in a specific order: 1. **Section 1 — Annual Governance Statement:** A set of governance assertions the council must answer "yes", "no", or "not applicable" to 2. **Section 2 — Accounting Statements:** The financial figures for the year 3. **Section 3 — Internal Audit Report:** Completed by the council's independent internal auditor Section 1 must be approved by the council **before** Section 2. This is a common error — if you approve them in the wrong order, your external auditor will raise it. ## Which form does your council use? Your form depends on your annual turnover (the higher of gross income or gross expenditure): - **Turnover ≤ £25,000:** Use AGAR Form 2 and submit a Certificate of Exemption (no external audit required unless requested) - **Turnover £25,000–£6.5 million:** Use AGAR Form 3 (limited assurance review by the external auditor) - **Turnover > £6.5 million:** Full external audit — different process entirely Most parish councils fall into the first two categories. The AGAR forms are available from your external auditor — currently PKF Littlejohn for most smaller authorities, appointed by Smaller Authorities' Audit Appointments (SAAA). ## Section 1: Annual Governance Statement The governance statement is a series of assertions about how the council has operated during the year. For each assertion, the council answers "yes" (we complied), "no" (we did not comply), or "not applicable". The assertions cover: - **Financial management** — effective arrangements for managing money and preparing accounts - **Budgets and precept** — budget supports the precept and spending is monitored - **Standing orders and financial regulations** — adopted and followed - **Risk management** — risks assessed and managed, including adequate insurance - **Internal controls** — adequate controls exist (segregation of duties, regular reconciliations) - **Compliance with laws and proper practices** — statutory obligations met - **Exercise of public rights** — inspection period properly advertised and facilitated - **Trust funds** — separate accounts where required (if applicable) - **Assertion 9** — additional requirements for larger councils (Section 2 accounting) - **Assertion 10 (new 2025)** — digital and data compliance (council domain, email, website accessibility, IT policy) If you answer "no" to any assertion, you must explain the reason and what the council is doing to address it. The explanation must be included with the AGAR submission. For detailed guidance on Assertion 10, read our [Assertion 10 compliance guide](/blog/sappp-assertion-10-parish-council-digital-compliance/). ## Section 2: Accounting Statements The accounting figures for the financial year. You need: - **Box 1** — Balances brought forward (must match last year's carried-forward figure) - **Box 2** — Precept received (the amount demanded from the billing authority) - **Box 3** — Total other receipts (all income except the precept) - **Box 4** — Staff costs (salaries, employer NI, employer pension) - **Box 5** — Loan interest/capital repayments - **Box 6** — All other payments (everything not in boxes 4 or 5) - **Box 7** — Balances carried forward (box 1 + 2 + 3 - 4 - 5 - 6) - **Box 8** — Total cash and short-term investments at year-end - **Box 9** — Total fixed assets at asset cost or valuation - **Box 10** — Total borrowings **Box 7 must equal Box 8 minus any debtors plus any creditors.** If it does not balance, check your bank reconciliation. **Variance explanations:** If any box differs from the prior year by more than 10–15%, the external auditor will expect an explanation. Prepare these before submitting. ## Section 3: Internal Audit Report Completed by your independent internal auditor — not by the clerk or a councillor. The auditor answers yes/no/not covered to a series of questions about the council's internal controls. For what the internal auditor checks and how to prepare, see our [internal audit checklist guide](/blog/parish-council-internal-audit-checklist/). ## Key deadlines for the 2025–26 cycle | Deadline | What | Notes | |----------|------|-------| | 31 March 2026 | Financial year ends | Close accounts, reconcile bank | | April–May 2026 | Arrange and complete internal audit | Internal auditor must be independent of the council | | May 2026 | Annual meeting of the council | Review standing orders, financial regs, code of conduct. Between 1–30 May | | By 30 June 2026 | Submit Certificate of Exemption (if turnover ≤ £25k) | Only if your council qualifies for audit exemption | | By 30 June 2026 | Council approves AGAR at full council meeting | Section 1 approved BEFORE Section 2. Signed by chairman and clerk | | 1 July 2026 | Publish AGAR + Transparency Code information | Accounts, governance statement, audit report, expenditure, councillor list, asset register | | 1 July 2026 onwards | Public rights period begins (30 working days) | Must include the first 10 working days of July. Advertise on website and noticeboard | | By 1 October 2026 | External auditor report published (if applicable) | For councils undergoing limited assurance review | **Start early.** Most problems arise from leaving preparation to the last minute. Begin your year-end work in January by reviewing standing orders, financial regulations, and risk assessments. ## Common AGAR errors These are the issues that external auditors flag most often: 1. **Section 1 approved after Section 2** — the governance statement must be approved first 2. **Brought-forward balance doesn't match prior year** — Box 1 this year must equal Box 7 last year 3. **Unexplained variances** — significant differences between years without explanation 4. **Missing signatures** — both the chairman and clerk/RFO must sign 5. **Public rights period not properly advertised** — notice must appear on the website, not just the noticeboard 6. **Internal auditor not independent** — the auditor cannot be a councillor, employee, or close relation 7. **Exemption certificate submitted late** — must be received before 30 June ## Preparation checklist Use this to track your AGAR preparation progress: - Financial year-end bank reconciliation completed and balances agree - All payments for the year authorised and recorded in minutes - Budget vs. actual comparison prepared with variance explanations - VAT reclaims submitted - Fixed asset register updated (additions, disposals, current values) - Standing orders and financial regulations reviewed - Risk assessment reviewed and approved - Insurance cover checked against current assets - Internal auditor appointed and audit date arranged - Section 1 governance statement prepared (all assertions reviewed) - Section 2 accounting statements prepared and balanced - Assertion 10 evidence assembled (domain, email, IT policy, accessibility) - Council meeting scheduled to approve AGAR - Public rights period notice prepared - Transparency Code publication materials ready Use our free [audit deadline calculator](/tools/audit-deadline-calculator/) to see all key dates for your council's AGAR cycle, and the [compliance checklist](/tools/compliance-checklist/) to self-assess against every governance assertion. ## Sources - Smaller Authorities' Audit Appointments — AGAR process - Local Audit and Accountability Act 2014 - PKF Littlejohn — External auditor for smaller authorities *The definitive source for AGAR requirements is the SAPPP Practitioners' Guide, published annually by JPAG through NALC and SLCC. This article is for general guidance only.* ]]> https://parishproof.co.uk/blog/sappp-assertion-10-parish-council-digital-compliance/ https://parishproof.co.uk/blog/sappp-assertion-10-parish-council-digital-compliance/ Thu, 12 Mar 2026 00:00:00 GMT Assertion 10 adds digital and data compliance to your parish council audit — domain, email, IT policy, accessibility, and GDPR. Here is what to do. GOV.UK domain registration process 2. Set up email hosting on the council domain (Microsoft 365 or Google Workspace both offer public sector pricing) 3. Configure a generic mailbox (clerk@, info@, admin@) plus any role-specific addresses 4. Migrate existing correspondence if possible 5. Update your contact details on the council website, principal authority listings, and any external directories Allow 4–8 weeks for domain registration and email migration, longer for `.gov.uk` domains. ## Pillar 2: Website accessibility (WCAG 2.2 AA) Parish councils are public sector bodies. The Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 require your website to meet accessibility standards. This has been a legal requirement since September 2020 — Assertion 10 makes it auditable. The current standard is **WCAG 2.2 AA** (upgraded from WCAG 2.1 AA in October 2024). Key requirements include: **Content accessibility:** - All images must have descriptive alt text - Documents (PDFs, Word files) must be accessible or have accessible HTML alternatives - Videos must have captions or transcripts - Text must be readable at 200% zoom without horizontal scrolling - Colour contrast must meet minimum ratios (4.5:1 for normal text, 3:1 for large text) **Navigation:** - The website must be fully navigable by keyboard alone - Focus indicators must be visible - Skip navigation links should be available - Consistent navigation structure across pages **Forms and interactive elements:** - All form fields must have visible labels - Error messages must identify the field and describe the error - Input purpose must be identifiable (e.g., email fields should support autofill) **Accessibility statement:** Every council website must publish an accessibility statement. This is not a template you fill in once — it must accurately describe your website's current compliance status, list any known non-compliant content, and explain how users can report accessibility problems. Enforcement is by the Equality and Human Rights Commission (EHRC), which has the power to investigate and take legal action against non-compliant public sector bodies. **What to do:** 1. Run a basic accessibility audit (tools like WAVE or Lighthouse can catch many issues) 2. Fix the most common problems: missing alt text, inaccessible PDFs, low contrast text 3. Ensure your website hosting provider claims WCAG 2.2 AA compliance — if they do not, consider switching 4. Write or update your accessibility statement with the current date and an accurate description of compliance status 5. Set a calendar reminder to review the statement annually ## Pillar 3: IT policy Every parish and town council (excluding parish meetings) must have a formally adopted IT policy. This is a governance document — it must be approved by resolution at a council meeting, not just drafted by the clerk. **What the IT policy must cover:** - **Email use** — official email for all council business, no use of personal accounts for council correspondence - **Data protection** — how personal data is handled, stored, and deleted in line with UK GDPR and the Data Protection Act 2018 - **Website and accessibility** — who maintains the website, how accessibility is monitored - **Device use** — rules for council-owned devices and for councillors/staff using personal devices for council business - **Cybersecurity** — password requirements, software updates, recognising phishing attempts - **Social media** — guidelines for any council social media accounts - **Data handover** — procedures for transferring all council data, email access, and system credentials when the clerk role changes - **Training and review** — how often the policy is reviewed (at least annually) and training provided to councillors and staff **What to do:** 1. Draft the policy using our free [IT Policy Generator](/tools/it-policy-generator/) or the NALC template available through your county association 2. Agenda the policy for adoption at a full council meeting 3. Record the adoption in the minutes 4. Distribute to all councillors and staff 5. Schedule annual review ## Evidence your internal auditor will expect | Requirement | Evidence | |-------------|----------| | Council-owned domain | Domain registration record showing the council (not an individual) as registrant | | Official email | Screenshots or documentation of the email system on the council domain | | Website accessibility | Accessibility statement published on the website, evidence of WCAG compliance testing | | IT policy | Approved policy document, minutes showing council adoption, distribution records | | Data handover | Documented procedure for transferring data and credentials | | GDPR compliance | Privacy notice on website, data processing records, FOI/SAR response tracking | ## Timeline for compliance If your council is starting from scratch on any of these requirements, here is a realistic timeline: | Action | Estimated time | |--------|---------------| | Register a council domain | 2–8 weeks (longer for .gov.uk) | | Set up and migrate email | 2–4 weeks | | Accessibility audit and basic fixes | 2–4 weeks | | Draft and adopt IT policy | 4–6 weeks (including council meeting cycle) | | Write accessibility statement | 1–2 days | | Document data handover procedures | 1–2 days | Start now if you have not already — audit season runs April to June, and your internal auditor will assess Assertion 10 as part of the 2025–26 AGAR cycle. Try our free [compliance checklist tool](/tools/compliance-checklist/) to self-assess your council's readiness against Assertion 10 and all other AGAR requirements. If your council needs an IT policy, the free [IT Policy Generator](/tools/it-policy-generator/) creates a customised draft in minutes. ## Sources - Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 - GOV.UK — Get a .gov.uk domain name - Equality and Human Rights Commission *The definitive source for Assertion 10 requirements is the SAPPP Practitioners' Guide 2025, published by JPAG through NALC and SLCC. This article is for general guidance only and does not constitute legal advice.* ]]> https://parishproof.co.uk/blog/parish-council-internal-audit-checklist/ https://parishproof.co.uk/blog/parish-council-internal-audit-checklist/ Thu, 05 Mar 2026 00:00:00 GMT What parish council internal auditors check against each AGAR assertion — evidence to prepare, common failures, and the new Assertion 10 digital requirements. Annual Governance and Accountability Return (AGAR). If the auditor answers "no" to any question, you need an explanation — and your external auditor will want to see it. This guide covers what internal auditors actually check, what evidence to prepare, and what has changed for the 2025–26 audit cycle. ## What the internal auditor reviews The internal auditor works through a structured report covering the effectiveness of your council's internal controls. Their job is to test whether your systems work in practice — not just whether policies exist on paper. The areas covered align with the governance assertions in AGAR Section 1 (the Annual Governance Statement). For the definitive list of assertions, download the current SAPPP Practitioners' Guide from NALC or SLCC. Here is what each area involves in practice. ## Financial management and accounting The auditor checks whether your council has effective financial management arrangements and whether the accounting statements are properly prepared. **Evidence to have ready:** - Bank statements for the full financial year (April to March) - Bank reconciliation at year-end — the cashbook balance must match the bank statement - Payment records showing authorisation (two signatories for cheques/BACS, council approval on minutes) - Income records and receipts - Budget vs. actual comparison with explanations for significant variances (10–15% or more) - VAT reclaim records and Section 137 expenditure tracking **Common failures:** Year-end bank reconciliation doesn't balance. Payment authorisation records are incomplete — especially for direct debits and standing orders, which still need council approval. VAT reclaim not submitted or poorly tracked. ## Budgets and precept The auditor checks whether your budget supports the precept requirement and whether spending is monitored against it. **Evidence to have ready:** - Approved budget for the current and previous year - Precept demand submitted to the billing authority - Quarterly or monthly budget monitoring reports (if produced) - Minutes showing budget approval and precept setting **Common failures:** Budget set without council resolution. No in-year monitoring — the budget was approved in January and never looked at again. ## Standing orders and financial regulations The auditor checks whether you have adopted standing orders and financial regulations, and whether the council follows them. **Evidence to have ready:** - Current standing orders (ideally based on the latest NALC model, reviewed within the last year) - Current financial regulations (same) - Minutes showing adoption/review dates - Evidence that procurement thresholds are being followed **Common failures:** Standing orders adopted years ago and never reviewed. Financial regulations reference superseded legislation. The council has a £500 procurement threshold but no evidence of quotes for purchases above it. ## Risk management The auditor checks whether the council has assessed and managed its risks. **Evidence to have ready:** - Risk assessment reviewed and approved within the current financial year - Insurance schedule covering public liability, employer's liability (if applicable), fidelity guarantee, and property - Insurance renewal date and evidence of cover - Any risk mitigation actions taken during the year **Common failures:** Risk assessment not reviewed annually. Insurance schedule doesn't match actual assets (new equipment not covered, disposed assets still listed). ## Internal controls The auditor checks whether adequate internal controls exist and are followed. **Evidence to have ready:** - Segregation of duties — who authorises payments, who makes them, who reconciles - Regular bank reconciliations (ideally monthly) - Petty cash procedures and reconciliation - Fixed asset register matching the AGAR asset statement **Common failures:** Same person authorises and makes payments with no independent check. Bank reconciliations done only at year-end. Fixed asset register not updated when items are purchased or disposed of. ## Compliance with laws, regulations, and proper practices The auditor checks whether the council complied with its legal obligations during the year. **Evidence to have ready:** - Publication of transparency information by 1 July (see our [transparency code guide](/blog/parish-council-transparency-code-requirements/)) - Publication scheme maintained and accessible - GDPR compliance — privacy notice on website, data processing records, FOI/SAR response tracking - Minutes show all statutory requirements met (annual meeting held, accounts approved, precept set) - Employment contracts and pension enrolment (if you have employees) **Common failures:** Transparency information not published by the deadline. No privacy notice on the council website. Minutes don't record that the annual meeting was held within the required timeframe. ## Exercise of public rights The auditor checks whether the council properly advertised and facilitated the public's right to inspect the accounts. **Evidence to have ready:** - Notice of public rights period (30 working days including the first 10 working days of July) - Evidence the notice was published on your website and noticeboard - Records showing documents were made available for inspection if requested **Common failures:** Public rights period not advertised. Period doesn't start on the correct date. Notice published on the noticeboard but not the website. ## Assertion 10: digital and data compliance (new from 2025) The 2025 edition of the SAPPP Practitioners' Guide introduced Assertion 10, which covers digital and data compliance. This is the first new assertion added to the AGAR governance statement in years, and many councils are unprepared. For a detailed breakdown of each requirement, see our [Assertion 10 compliance guide](/blog/sappp-assertion-10-parish-council-digital-compliance/). Assertion 10 covers: - **Council-owned domain** — the council website must be on a domain the council controls (not a personal domain or one tied to a specific clerk) - **Official email system** — council business conducted via official council email addresses, not personal Gmail, Outlook, or Yahoo accounts - **IT policy** — a documented policy covering acceptable use, data backup, password requirements, and incident response - **Website accessibility** — the council website must meet WCAG 2.2 AA standards (a legal requirement for public sector bodies under the Public Sector Bodies Accessibility Regulations 2018) - **GDPR compliance** — privacy notice, data processing records, FOI/SAR procedures - **Data handover procedures** — documented procedures for transferring council data when the clerk role changes **Evidence to have ready:** - Domain registration showing the council (not an individual) as registrant - Screenshots or documentation of the official email system - Approved IT policy - Website accessibility statement and WCAG compliance evidence - Published privacy notice - Data handover procedure document **Common failures:** Website registered to the clerk personally. Council email uses a free provider (Gmail) rather than a council domain. No IT policy exists. Accessibility statement missing or template-only with no actual compliance evidence. Try our free [compliance checklist tool](/tools/compliance-checklist/) to self-assess your council against Assertion 10 requirements, and use the [audit deadline calculator](/tools/audit-deadline-calculator/) to confirm your key AGAR dates. ## Timeline for audit preparation | When | What | |------|------| | January–March | Review standing orders, financial regulations, risk assessment. Begin year-end preparation | | 31 March | Financial year ends | | April–May | Complete bank reconciliation, prepare AGAR, arrange internal audit | | May–June | Internal auditor conducts audit and completes their report | | Before 30 June | Council approves AGAR Section 1 (governance) then Section 2 (accounts) at a full council meeting. Section 1 must be approved before Section 2 | | 1 July | Publish AGAR, transparency information, and commence the public rights period | | Before 1 October (if applicable) | Limited assurance review completed and published | ## Who can be the internal auditor? The internal auditor must be independent of the council. They cannot be: - A councillor or employee of the council - Someone closely related to a councillor or employee - The council's bookkeeper or accountant Many councils appoint a local auditor through their county association of local councils. The auditor should have competence in accounting and internal controls — they do not need to be a qualified accountant, but they must understand parish council governance. The auditor reviews prime documents at source (bank statements, invoices, minutes), unlike the external auditor who works from the completed AGAR forms. ## Sources - Smaller Authorities' Audit Appointments — AGAR process - Local Audit and Accountability Act 2014 *This article is for general guidance only. The definitive source for AGAR requirements is the SAPPP Practitioners' Guide, published annually by the Joint Panel on Accountability and Governance (JPAG) through NALC and SLCC.* ]]> https://parishproof.co.uk/blog/parish-council-transparency-code-requirements/ https://parishproof.co.uk/blog/parish-council-transparency-code-requirements/ Thu, 26 Feb 2026 00:00:00 GMT Every item parish councils must publish under the Transparency Code for Smaller Authorities — what to publish, when, and in what format. Transparency Code for Smaller Authorities has been mandatory since 1 April 2015, and it replaced routine external audit with a publish-and-be-accountable approach. Here is exactly what you must publish, when, and in what format. ## The seven mandatory items The code requires you to publish seven categories of information. All seven have the same annual deadline: **no later than 1 July** following the end of the accounting year (which runs 1 April to 31 March for parish councils). ### 1. All items of expenditure above £100 List every individual transaction above £100. For each one, include: - Date the expenditure was incurred - Summary of the purpose - Amount - Non-recoverable VAT included If you publish a complete list of all expenditure (not just items above £100), that also satisfies this requirement. ### 2. End-of-year accounts The signed statement of accounts in the Annual Return format. This must include: - Bank reconciliation - Explanations for any significant variances (the code flags 10–15% as the threshold) - Clarification of any difference between the brought-forward balance and cash plus investments The accounts must be signed by both the Responsible Financial Officer and the meeting chairman. ### 3. Annual governance statement The signed governance statement, also in the Annual Return format. If you answer "no" to any of the governance assertions, you must publish a full explanation of how the council will address the weakness. Signed by the chairman and the clerk. ### 4. Internal audit report The signed internal audit report in the Annual Return format. Any negative responses or items marked "not covered" need explanations — including when the auditor expects to complete the work and plans for the next year. ### 5. List of councillor responsibilities This has three components: - **Names** of all councillors - **Committee roles** — which councillor sits on which committee, including who chairs each one - **External body nominations** — which councillors represent the council on outside organisations (village hall committees, local charities, etc.) ### 6. Public land and building assets For each asset the council owns or holds in trust: - Description (including size or acreage for land) - Location (address or grid reference) - Owner or custodian - Date of acquisition - Acquisition cost (or proxy value if cost is unknown) - Present use This covers playing fields, allotments, village greens, bus shelters, war memorials, parish halls — anything the council owns or is responsible for. ### 7. Minutes, agendas, and meeting papers This item has different timing from the other six: - **Agendas and papers:** at least 3 clear days before the meeting (excluding weekends and bank holidays) - **Draft minutes:** within one month after the meeting This applies to full council meetings, committee meetings, and sub-committee meetings. Minutes must be signed at the meeting where they are approved (usually the following meeting). ## Where to publish Everything must appear on a website that is publicly accessible and free of charge. This can be: - Your own council website - Your billing authority's website (the district or borough council) Posting information on a notice board alone does not satisfy the code. The information must be online. ## Larger councils: different rules If your council's turnover exceeds £25,000, you fall under the Local Government Transparency Code 2015 instead. This has additional requirements including quarterly expenditure data, procurement information, and social housing asset data. The turnover threshold is based on the higher of your gross income or gross expenditure. Check your most recent AGAR — if either figure exceeds £25,000, you fall under the more demanding code. ## Data protection and commercial confidentiality Two concerns clerks frequently raise: **"Can we name councillors and suppliers?"** Yes. The code explicitly states that the Data Protection Act does not restrict publishing the names of councillors, members, or senior officers, or naming suppliers under contract. Public accountability requires transparency about who is spending public money and on what. **"What about commercially confidential contracts?"** Commercial confidentiality is not an automatic exemption. The code recommends inserting clauses in new contracts that allow for disclosure of data in compliance with transparency requirements. For existing contracts, consider whether the public interest in transparency outweighs the commercial sensitivity. ## The inspection period Original documents — books, deeds, contracts, bills, vouchers, and receipts — do not need to be published online. However, they must remain available for inspection during the statutory inspection period (30 working days including the first 10 working days of July). Any local government elector for the council's area can inspect and make copies of these documents. ## Compliance checklist Use this to verify your council meets the Transparency Code requirements each year: - All expenditure items above £100 published individually with date, purpose, amount, and VAT - End-of-year accounts signed and published by 1 July - Annual governance statement signed and published with explanations for any negative assertions - Internal audit report signed and published with explanations for negative responses - Complete list of councillor names, committee roles, and external body nominations published - Land and building asset register published with all required fields - Agendas published 3 clear days before meetings - Draft minutes published within 1 month of each meeting - All information on a publicly accessible, free website Use the free [compliance checklist](/tools/compliance-checklist/) to self-assess your council against every Transparency Code requirement, and the [audit deadline calculator](/tools/audit-deadline-calculator/) to confirm your key AGAR dates. For what internal auditors check beyond transparency, see our [internal audit checklist guide](/blog/parish-council-internal-audit-checklist/). ## What happens if you don't comply The Local Audit and Accountability Act 2014 provides the statutory basis for the code. Non-compliance risks complaints to the principal authority and potential intervention. Beyond the legal obligation, councils that fail to publish information promptly face Freedom of Information requests for the same data — responding to individual FOI requests is more time-consuming than publishing proactively. ## Sources - Transparency Code for Smaller Authorities — GOV.UK - Local Government Transparency Code 2015 — GOV.UK - Local Audit and Accountability Act 2014 *This article is for general guidance only and does not constitute legal advice. Check the full Transparency Code text for your council's specific obligations.* ]]> https://parishproof.co.uk/blog/parish-council-code-of-conduct-guide/ https://parishproof.co.uk/blog/parish-council-code-of-conduct-guide/ Thu, 19 Feb 2026 00:00:00 GMT How parish council clerks adopt, implement, and manage the LGA Model Code of Conduct — step-by-step adoption, register of interests, and breach handling. Section 27 of the Localism Act 2011 places a duty on every relevant authority — including parish and town councils — to promote and maintain high standards of conduct by members. The Act specifically requires councils to adopt a code of conduct. Parish councils have a shortcut: they can adopt the code already adopted by their principal authority (the district, borough, or unitary council) rather than drafting their own. Most do exactly this, since the principal authority's code will already meet the statutory requirements. Section 28 sets out what the code must contain: - It must be consistent with the seven Nolan Principles: selflessness, integrity, objectivity, accountability, openness, honesty, and leadership - It must include provisions for registering and disclosing pecuniary interests (financial interests) and other interests - Breaches are handled through the principal authority's standards arrangements, not by the parish council itself The old Parish Councils (Model Code of Conduct) Order 2001 (SI 2001/3576) prescribed a mandatory model code. The Localism Act 2011 replaced that rigid approach — councils now choose which code to adopt, provided it meets the statutory requirements. ## The LGA Model Councillor Code of Conduct 2020 Most parish councils adopt the LGA Model Councillor Code of Conduct, published by the Local Government Association in 2020 and updated in January 2021. NALC (the National Association of Local Councils) has published guidance specifically for parish and town councils on adapting this model code. The LGA Model Code covers: 1. **General conduct obligations** — treating people with respect, not bullying or harassing, not bringing the council into disrepute, using council resources appropriately 2. **Interests** — registering disclosable pecuniary interests (DPIs) within 28 days of election, declaring interests at meetings, withdrawing from discussion and voting where you have a DPI in the matter 3. **Gifts and hospitality** — registering gifts or hospitality worth £50 or more 4. **Complaints and breaches** — how allegations of code breaches are investigated The code applies whenever a councillor is acting in their capacity as a councillor — at meetings, representing the council externally, or using council resources. It does not regulate councillors' private lives. ## How to adopt the code: step by step If your council hasn't adopted a code yet, or is updating from an older version, here is the process: **1. Obtain the code text.** Download the LGA Model Code from the LGA website, or request your principal authority's adopted version. Your county or district association of local councils (e.g., DALC, CALC, SALC) will often have a parish-specific version available. **2. Review at a council meeting.** The adoption of a code of conduct must be resolved at a properly convened council meeting — it cannot be delegated to a committee or decided by the clerk alone. Agenda the item as a substantive agenda item, not under AOB. **3. Resolve to adopt.** The council passes a resolution to adopt the code. The minutes should record the full title of the code adopted and the date of adoption. A typical resolution: "Resolved: that the council adopts the LGA Model Councillor Code of Conduct 2020 (as updated January 2021) with effect from [date]." **4. Notify the monitoring officer.** Under section 27(7) of the Localism Act, the parish council must notify its principal authority's monitoring officer when it adopts or revises a code of conduct. The monitoring officer maintains the register of interests and handles complaints — they need to know which code applies to your council. **5. Publish the code.** Place the adopted code on your council website, include it in your publication scheme, and make it available for inspection at reasonable hours. This is both a [Transparency Code](/blog/parish-council-transparency-code-requirements/) obligation and good practice. **6. Distribute to councillors.** Every sitting councillor should receive a copy. New councillors must receive the code as part of their induction and sign a declaration that they have read and understood it. Keep a record of who has received and acknowledged the code. ## Register of interests Within 28 days of being elected or co-opted, every councillor must complete a register of interests form and submit it to the monitoring officer. This register is published on the principal authority's website (and usually linked from the parish council website). Disclosable pecuniary interests (DPIs) include: - **Employment, office, trade, profession or vocation** — any paid role the councillor or their spouse/partner holds - **Sponsorship** — any payment or financial benefit toward election expenses or council duties - **Contracts** — any contract between the council and the councillor (or their spouse/partner) for goods, services, or works - **Land** — any land in the council's area that the councillor or their spouse/partner has an interest in - **Licences** — any licence to occupy land in the council's area - **Corporate tenancies** — tenancies where the council is landlord and the councillor (or connected company) is tenant - **Securities** — beneficial interests in securities of a body that has a place of business or land in the council's area The clerk's compliance task: maintain a list of which councillors have submitted their register forms and when. Chase up any that are outstanding — failure to register is a criminal offence under section 34 of the Localism Act, punishable by an unlimited fine (level 5 on the standard scale) and disqualification from office for up to five years. ## Declaring interests at meetings When a matter comes before the council in which a councillor has a registered DPI, they must: 1. Declare the interest at the start of the item (or as soon as they become aware) 2. Not participate in the discussion 3. Not vote on the matter 4. Leave the room during the discussion and vote (unless a dispensation has been granted) For non-DPI interests, the approach depends on the code your council has adopted. The LGA Model Code distinguishes between "other registrable interests" (which require declaration and withdrawal in some circumstances) and simple personal interests (which require declaration but allow continued participation). **Clerk's role at meetings:** When a councillor declares an interest, record the declaration in the minutes including the nature of the interest and whether they withdrew. If you know a councillor has a relevant interest but they have not declared it, you can draw their attention to their obligations — though the responsibility to declare lies with the councillor, not the clerk. ## Handling complaints about councillor conduct When someone believes a councillor has breached the code of conduct, the complaint goes to the principal authority's monitoring officer — not to the parish council. This is a common point of confusion. The process typically follows these steps: 1. **Complaint submitted** to the monitoring officer, usually in writing 2. **Initial assessment** — the monitoring officer decides whether to investigate, sometimes consulting an independent person 3. **Investigation** (if warranted) — the monitoring officer or their delegate investigates and produces a report 4. **Standards hearing** — if a breach is found, the principal authority's standards committee (or sub-committee) holds a hearing 5. **Sanctions** — if a breach is upheld, sanctions can include a formal censure, removal from committees, or a recommendation to apologise. Parish councillors cannot be suspended or removed from office for code breaches — there is currently no statutory power to do so **What the clerk should do when a complaint is received:** - If someone contacts the parish council directly with a complaint about a councillor, explain that complaints must be submitted to the principal authority's monitoring officer and provide the monitoring officer's contact details - Do not investigate the complaint yourself - Do not discuss the substance of the complaint with other councillors beyond what is necessary - Keep a record that the complaint was received and that the complainant was directed to the monitoring officer A detailed walkthrough of the complaints procedure is covered in a separate guide — check our [blog](/blog/) for the latest posts on parish council governance. ## Keeping the code current The code of conduct is not a one-time adoption. Clerks should schedule regular reviews: - **Annual review:** Check whether your principal authority has updated its code. If they have, consider whether your council should adopt the updated version. Agenda this as a routine item at the annual meeting of the council (the May meeting). - **After elections:** Following ordinary elections (every four years) or by-elections, ensure all newly elected councillors receive the code, sign the declaration, and complete their register of interests within 28 days. - **Legislative changes:** Parliament has debated strengthening councillor conduct rules (including a possible power to suspend councillors for code breaches). Monitor NALC and SLCC bulletins for changes. - **Councillor reminders:** At least annually, remind councillors to check whether their register of interests is up to date. Life circumstances change — new jobs, property purchases, and directorships all trigger registration obligations. ## Compliance tracking checklist Use this to check your council's code of conduct compliance: - Code of conduct formally adopted by resolution at a council meeting - Monitoring officer notified of adoption - Code published on council website and available for inspection - All councillors received a copy and signed a declaration - All councillors registered their interests within 28 days of election - Register of interests accessible via principal authority website - Gifts and hospitality register maintained (threshold: £50) - Declarations of interest recorded in meeting minutes - Annual review of code scheduled - Complaints procedure understood and monitoring officer contact details accessible Use the free [compliance checklist tool](/tools/compliance-checklist/) to self-assess your council's code of conduct compliance alongside every other AGAR governance assertion. ## Sources - Localism Act 2011, Section 27 — Duty to promote and maintain high standards of conduct - Localism Act 2011, Section 28 — Codes of conduct - LGA Model Councillor Code of Conduct 2020 *This article is for general guidance only and does not constitute legal advice. Parish councils should consult their principal authority's monitoring officer for specific questions about code of conduct obligations.* ]]>