
How do councils demonstrate data protection compliance?


Parish and town councils are currently focusing a great deal of attention on Assertion 10 of the Annual Governance Statement.


This new assertion requires councils to confirm that they have proper arrangements in place in relation to several distinct areas of council digital and data governance. The Practitioners’ Guide explains that this includes data protection, web accessibility, the use of a compliant domain and appropriate IT controls and policies.


In relation to data protection, the Practitioners’ Guide sets out three expectations in paragraphs 1.51 to 1.53. A council must be able to show all three in order to make a positive assertion:


  • Follow the UK GDPR and the Data Protection Act 2018

  • Ensure that personal data is processed with care and in line with the data protection principles

  • Understand their responsibilities as a data controller and as a data processor


At first glance, this may appear to introduce new requirements.


In reality, it does not.


These obligations have always existed. Parish and town councils are already data controllers, and therefore already have clear legal obligations. They are already required to comply with the seven legally prescribed data protection principles and to uphold the eight data subject rights set out in that legislation.


So whilst Assertion 10 does not create new data protection obligations, what it does is require councils to confirm that compliance is happening in practice.


That raises an important question.


What does data protection compliance actually look like in practice?


Data protection compliance is demonstrated and evidenced through the documentation, policies and risk management practices the council has in place. With councils that we support, we would expect to see:


  • Records of processing activities (Article 30 of the UK GDPR; we call this a 'data map')

  • Appropriate risk assessments where needed

  • Data protection policies that describe operational practices and ways of working within the council

  • Procedures for dealing with personal data breaches within the council

  • A data retention schedule (this is not the same as your FOI publication scheme)

  • A council-wide published Privacy Notice


These documents help councils evidence that they have considered their legal obligations, put arrangements in place to manage risk and properly informed people about how their data is processed.


However, there is an important point that is often overlooked. Those documents must accurately reflect what the council actually does with personal data.


Every council needs a Privacy Notice (that reflects what the council actually does)


One of the most visible parts of compliance is the Privacy Notice. Every council needs one.


This requirement does not arise from the AGAR alone. It flows directly from Article 13 of the UK GDPR (and Article 14, where personal data is obtained from a source other than the individual), which together establish the right to be informed, and from the first data protection principle, which requires processing to be lawful, fair and transparent.


Whenever a council collects personal data, it must provide individuals with certain information. This includes:


  • The council’s identity and contact details

  • The purpose of each processing activity

  • The lawful basis relied upon

  • Details of recipients such as processors or other data controllers

  • Information about international transfers

  • Retention periods

  • An explanation of individuals’ rights, including the right to complain to the ICO


A Privacy Notice is the primary mechanism for providing this information.


Without one, transparency is very difficult to evidence; and without transparency, the lawfulness of the processing itself is undermined, which makes compliance exceptionally hard to demonstrate.


Policies and Privacy Notices are the outputs, not the starting point


When councils review compliance, the instinct is often to begin by rewriting policies or expanding the Privacy Notice. That is not the right place to start.


Your published Privacy Notice must describe the council's own, specific processing activities. It must explain genuine purposes, lawful bases, data sharing arrangements and retention practices.


If you do not first understand what data the council actually processes, it becomes very difficult to describe it accurately. A more reliable approach is to begin with the data itself.


First, map out and document the personal data within your council. Identify what personal data the council processes across its activities, where it comes from, where it is stored, who it is shared with and how long it needs to be kept.


Second, define the purpose of each processing activity. Why does the council hold that data and what is it used for?


Third, identify the lawful basis for each purpose before processing continues. Each purpose needs an Article 6 lawful basis, and any special category data additionally needs an Article 9 condition.


Fourth, assess risk. Consider whether the use of data matches what individuals were told when the data was collected. Review security arrangements, access, data sharing agreements, retention, special category data and whether any international data transfers apply (as they often do with the cloud-based software tools that councils use, where the supplier hosts data outside the UK).


Only after those steps should documentation be finalised.


Policies should reflect actual practice. Retention schedules should match operational need. And the Privacy Notice should accurately describe how the council uses personal data.


When councils start with the data map, their documentation becomes a clear and accurate summary of compliance. When they start with the documents, they risk producing generic policies that do not stand up to scrutiny.
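A worked example of the "start with the data map" approach, added here and not part of the original article: the data map is held as structured records, each row is checked for the fields the four steps above require (an Article 6 basis, an Article 9 condition for special category data, a safeguard for any transfer outside the UK, a retention period), and the whole map is then compared against what the published Privacy Notice actually says. The council, its activities, the lawful bases chosen and the notice contents are all constructed for illustration only; they are placeholders, not advice on which basis applies to a given activity.

```python
from dataclasses import dataclass
from typing import List, Optional

# The six lawful bases in Article 6(1) UK GDPR.
ARTICLE_6_BASES = {
    "consent", "contract", "legal obligation",
    "vital interests", "public task", "legitimate interests",
}


@dataclass
class Activity:
    """One row of the data map (record of processing activities)."""
    name: str
    purpose: str
    lawful_basis: str
    recipients: tuple = ()
    retention: Optional[str] = None
    special_category: bool = False
    article_9_condition: Optional[str] = None
    transfer_outside_uk: bool = False
    transfer_safeguard: Optional[str] = None


@dataclass
class PrivacyNotice:
    """What the published notice actually tells people (hypothetical summary)."""
    controller_contact: bool
    purposes: set
    recipients: set
    retention_stated_for: set          # purposes for which a retention period is given
    mentions_international_transfers: bool
    explains_rights_and_ico: bool


def check_activity(a: Activity) -> List[str]:
    """Step 2 to 4: does this row of the data map have what it needs?"""
    findings = []
    if a.lawful_basis not in ARTICLE_6_BASES:
        findings.append(f"{a.name}: lawful basis '{a.lawful_basis}' is not an Article 6 basis")
    if a.special_category and not a.article_9_condition:
        findings.append(f"{a.name}: special category data with no Article 9 condition recorded")
    if a.transfer_outside_uk and not a.transfer_safeguard:
        findings.append(f"{a.name}: transfer outside the UK with no safeguard recorded")
    if not a.retention:
        findings.append(f"{a.name}: no retention period recorded")
    return findings


def check_notice(activities: List[Activity], notice: PrivacyNotice) -> List[str]:
    """Does the Privacy Notice describe what the data map says the council does?"""
    findings = []
    if not notice.controller_contact:
        findings.append("notice: council identity and contact details missing")
    if not notice.explains_rights_and_ico:
        findings.append("notice: individuals' rights and the right to complain to the ICO missing")
    if any(a.transfer_outside_uk for a in activities) and not notice.mentions_international_transfers:
        findings.append("notice: data map records international transfers but the notice is silent")
    for a in activities:
        if a.purpose not in notice.purposes:
            findings.append(f"notice: purpose '{a.purpose}' ({a.name}) not described")
        if a.purpose not in notice.retention_stated_for:
            findings.append(f"notice: no retention period stated for '{a.purpose}'")
        for r in a.recipients:
            if r not in notice.recipients:
                findings.append(f"notice: recipient '{r}' ({a.name}) not disclosed")
    return findings


def review(activities: List[Activity], notice: PrivacyNotice) -> List[str]:
    """Run every check and return the full list of gaps (empty list = consistent)."""
    findings = []
    for a in activities:
        findings.extend(check_activity(a))
    findings.extend(check_notice(activities, notice))
    return findings


# Constructed sample data map for a fictional council (illustrative only).
SAMPLE_ACTIVITIES = [
    Activity("Allotment tenancies", "managing allotment tenancies", "contract",
             recipients=("allotment software supplier",), retention="tenancy plus 6 years"),
    Activity("E-newsletter", "sending the council newsletter", "consent",
             recipients=("email marketing platform",), retention="until unsubscribed",
             transfer_outside_uk=True),                    # hosted outside the UK, no safeguard noted
    Activity("Staff absence records", "managing staff sickness absence", "legal obligation",
             special_category=True),                       # health data, no Article 9 condition noted
]

# Constructed summary of what the fictional council's notice currently says.
SAMPLE_NOTICE = PrivacyNotice(
    controller_contact=True,
    purposes={"managing allotment tenancies", "sending the council newsletter"},
    recipients={"allotment software supplier"},
    retention_stated_for={"managing allotment tenancies"},
    mentions_international_transfers=False,
    explains_rights_and_ico=True,
)

if __name__ == "__main__":
    for finding in review(SAMPLE_ACTIVITIES, SAMPLE_NOTICE):
        print("-", finding)
```

Run against the sample, the script lists eight gaps: two in the data map itself (the unsafeguarded transfer and the missing Article 9 condition), one missing retention period, and five places where the notice fails to describe what the map records. That is the point of ordering the work this way: a generic notice written first would have no way of surfacing any of them.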


Assertion 10 may be the focus right now, but the underlying obligations sit firmly within the UK GDPR and the Data Protection Act 2018.


Learning how to put this into practice


Understanding how to work through this process can be challenging, particularly for smaller councils with limited time, resources and capacity.


To help councils develop practical, defensible compliance arrangements, we deliver multi-stage data protection training programmes in partnership with county associations across England.

You can learn more about those regularly-run training courses here: https://www.breakthroughcomms.co.uk/calc-training-events.


For clerks and officers who want deeper levels of support, we also provide ongoing advice, resources and unlimited training through our popular Data Protection Toolkit service.


While the requirements may appear complex at first, a clear and structured approach makes data protection far more manageable and helps councils demonstrate that they are handling personal information responsibly and transparently.


Breakthrough Communications

BizSpace, Courtwick Lane, ​Littlehampton, BN17 7TL
Email:hello@breakthroughcomms.co.uk
​Phone: 01903 299000

©2025 Breakthrough Communications and Strategies Limited. All rights reserved.
