The Practitioners Guide and Data Protection: Updates for Parish and Town Councils
- emily2857
- Apr 8
- 3 min read
A new version of The Practitioners’ Guide is out, and for those of us working in the world of local councils and information compliance, there’s a crucial key update that’s really worth paying attention to:
Assertion 10: Digital and Data Compliance.
For parish and town councils, this new assertion is a clear sign that good data protection compliance isn’t just a ‘nice to have’, it’s essential. And that’s something we at Breakthrough Communications are right here to help with.
So, what is Assertion 10?
From the 2025/26 financial year onwards, councils will need to formally confirm in their Annual Governance and Accountability Return (AGAR) that they meet key standards around digital and data compliance. Until now, these requirements sat under other governance rules. Now, they’ve got their own dedicated section, and that means they’ll get more scrutiny too.
In short, you’ll need to show that your council is managing personal data properly, securely and legally. Whilst councils should already be doing this, the legal and public expectations are about to get a whole lot clearer.
What will councils need to do?
Here’s what councils are expected to do under Assertion 10, and how we can support you to achieve compliance:
1. Who's taking the lead on compliance?
While parish councils and meetings are legally exempt from having to appoint a Data Protection Officer (a 'DPO'), the council itself is legally responsible for ensuring its obligations under the Data Protection Act, the UK GDPR as well as other information compliance legislation. Ideally the council will have an officer who will take the lead for information compliance oversight, even if they are not an appointed DPO.
At Breakthrough Communications, we support clerks and council officers responsible for information compliance, helping them with GDPR and FOI requests and providing advice and support on compliance matters.
2. Run appropriate data protection audits
Understanding what personal data your council processes, what purposes it's used for, where it’s stored, how it’s used and who it’s shared with is at the heart of data protection compliance. It's also important to appropriately risk assess each of these areas, to ensure the council has the right risk mitigation measures in place, which can include specific ways of working as well as specific council policies.
A mechanism to achieve this is our Information Compliance Shield service. We will work with you to map out the personal data your council processes, which we'll then thoroughly risk assess with our tried and tested framework. We'll then refresh your policies and provide appropriate bespoke training to officers and members.
3. Have appropriate Data Protection policies in place
Not just documents collecting dust on a shelf, but a collection of policies that genuinely reflect the current ways in which your council operates, the services you provide and how all of this relates to data protection, whilst ensuring this is something staff and councillors understand and follow. We help councils write or refresh these so they’re legally sound and genuinely useful.
4. Keep everyone trained and up to date
Training isn’t just for the Clerk. Everyone involved in council operations, staff and councillors, need to know the basics of information compliance. At Breakthrough Communications we deliver engaging, council-specific data protection training that cuts through the jargon.
5. Put the right technical and organisational measures in place
This is about making sure personal data doesn’t end up in the wrong hands, whether through accidental email slips or more serious breaches. We help councils review their systems and processes to ensure they’re robust and practical.
Why this matters (and not just for your AGAR)
Assertion 10 isn’t bringing in new legislation. After all, councils are already expected to be compliant with UK GDPR and the Data Protection Act. But by making this a standalone part of the AGAR, it becomes something councils must explicitly confirm and be ready to evidence.
And that’s where many councils sometimes accidentally make mistakes, not because they don’t care, but because day-to-day pressures get in the way. That’s where we come in.
At Breakthrough Communications, we’ve helped hundreds of councils across the country strengthen their data protection and information compliance. We turn complex requirements into clear, achievable actions, tailored to the unique ways in which parish and town councils operate.
