Assertion 10 Frequently Asked Questions

Town and parish councils have spent the last few months getting to grips with Assertion 10. Many councils have been working hard to understand what the requirement means in practice.

We have supported councils across the country and have noticed the same questions have come up repeatedly. From data protection duties to email management and record keeping, councils want clarity so they can feel confident they are meeting the standard.

To make things clearer, our Head of Council Information Compliance has gathered the most common queries and provided straightforward answers to help you grasp the fundamentals.

General  Questions

Q: If some areas of Assertion 10 are still a work-in-progress at 31st March (e.g. website compliance which might need time/money to resolve), would this be marked as "no" on the AGAR?

A: Yes, the council would need to tick ‘NO’ and provide an explanation on why they had done so and what action they were going to take to address the weakness identified.

Data Protection

Q: Do we need to get all councillors to attend Data Protection training or can we produce a suitable document, updated as required, and get them to sign this to say they have received and read it.

A: The council must risk assess what ever they plan to do and make sure they can justify that they are implementing appropriate technical and organisational measures to comply with the data protection principles.

Q: How do we ensure data compliance when a councillor refuses to use the council laptop they were issued with?

A: Assuming that the use of council email / cloud platform and equipment is required in the Data Security / IT policy then stick to it and do not send data to them via any other means.  This is not an option for them to choose, its the councils rules.

Q: My home address is used for all Parish Council correspondence and is published on public documents. How do I get round this when the Parish Council doesn't have an office? Transparency requirements mean that my salary is also in the public domain. Is this not a breach of data protection?

A: No, its required to be processed under other laws.

Q: Under GDPR, can the council hold my personal bank account details in writing?

A: Assuming they have a need to hold it yes.  But need is key here, why do they need it?

Q: When emails come in via the Clerk from members of the public raising questions/concerns which need to be forwarded on to councillors, should the sender’s details be redacted prior to forwarding on?

A: It depends if the senders details are needed by the councillors or others, if there is a need then its ok to send if there is no need then redact.  This is the essence of the third data protection principle.  Data should be minimised to what is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Q: If we have a data breach, who can help and should this be reported to the ICO within 72 hours?

A: Depends what the facts of the breach are, NALC can always help you get the right advice at the time, the key thing to do in advance is ensure you have a lead person identified at your end who will take charge of any breach.

Emails

Q: When sending emails to all councillors should they be blind copied in? The addresses are all .gov.uk and in the public domain.

A: This is entirely up to the council, there is no compliance requirement to do this. However, blind copying prevents long email chains and duplicating emails by ‘replying to all’ which can take up valuable time when responding to a FOI or SAR request.

Q: Can councillors forward their council emails to their personal email accounts rather than logging into Council emails separately?

A: This is not compliant, gov.uk domain rules prevent this.

A: Its also potentially a data breach as council data will have been moved out of the council controlled system to another system outside of council control.

Q: Councillors access their .gov.UK emails on personal devices. Is this ok?

A: This depends on the councils Bring Your Own Device policy.  The council should risk asses if this is acceptable to them or if they should also be providing council equipment.

Q: Can the .gov.uk email addresses have personal names at the start for both Cllrs and Staff?

A: You can choose your own naming convention. To comply with Assertion 10 of the Annual Governance Statement, there must be a generic email address for the council (e.g. clerk@; townclerk@; office@)

Q: I have a councillor who refuses to use their .gov.uk email address, would it be good practice to send emails to their gov.uk address and copy in their personal email address? Will this impact the annual audit?

A: We generally suggest that the use of council-provided email address is covered the council’s IT policy. If the council is sending data to a personal email address, they are sending that data outside of their data control, they should risk asses if this is acceptable to them.  It would be a hard justification that it was thought to be ok to send data outside of the councils data control when at the same time it was thought important to keep the councils data in a suitable controlled system so gov.uk was implemented.

Assertion 10 only requires the council to have a generic email address on an authority owned domain for example clerk@abc-pc.gov.uk.

Q: We don’t have council owned email accounts for our councillors. If councillors agree to have a separate council email address, for example using a free service, would the clerk set these up and keep the passwords or would this be left for the councillor to do?

A: The council must make its own risk based choice on this. You must be comfortable that you have a suitable system in place to at the very minimum, a) keep a proper record of council business, b) search adequately to respond to FOI and SAR, c) maintain security, and d) have the required contract with the free email provider as a processor of council data.

If you have any more questions or queries, please email hello@breakthroughcomms.co.uk or call 01903 299000, and we'll be happy to answer them.