Clarity on SAPPP 2025 Practitioners Guide Assertion 10 Webinar

The 2025 Practitioners’ Guide introduced a crucial update: Assertion 10 – Digital and Data Compliance. This new requirement places a clear and strengthened focus on how smaller authorities manage their digital presence, data protection, and IT systems.

SALC acknowledges the impact of these changes and is developing guidance to support councils. To assist members, SALC hosted a free webinar on September 8th titled "Clarity on SAPPP 2025 Practitioners Guide Assertion 10."

The session was led by Mark Tomkins, a leading expert in council website compliance and the Founding Director of Aubergine. Mark provided a clear breakdown of the key updates in the 2025 edition of the Smaller Authorities Practitioners’ Guide (SAPPP), with a particular focus on Assertion 10 of the Annual Governance Statement.

Key topics covered:

Overview of SAPPP 2025 updates - Key changes and additions that impact digital governance.

Deep Dive: What Assertion 10 Really Means - Understanding the assertion around trust and how it now extends to councils' IT governance and data integrity.

Domain Name Ownership & Security - Why councils must own and control their .gov.uk or .org.uk domains. Risks of third-party-managed domains.

Official Email Use for Councillors & Officers - The importance of using council-issued email addresses (not personal or generic ones). Benefits for FOI/SAR, GDPR, and accountability.

Website Compliance Expectations - Accessibility, transparency, and the need for up-to-date, compliant council websites. What to check and how to stay compliant.

IT & Data Policies for Councils - Minimum IT policies now expected under Assertion 10. What to include and best practices.

A Q&A session followed the presentation. While most questions were addressed live, time constraints meant a few had to be left unanswered. However, Mark kindly agreed to respond to these offline. His answers are provided below:

  • What if a Councillor uses their work laptop as the only way they access emails and they are not allowed to use another email account on that device?

This is just the sort of thing that needs writing into the IT policy. The policy needs to ensure that both safeguards and restrictions are in place. In this example, the councillor will need to also tell their work company that they are using the laptop for council communication. I would always emphasise the aspects of data separation – remember that all the ‘work’ emails and information would be mixed with all the council data, so it is a risk using the same device if proper separation between the email accounts and folders of data isn’t observed.

Using personal devices in principle is fine – the council’s IT policy just needs to reflect this and the procedures and how the individual uses that device and data – both in terms of the council and their work computer provider.

  • Should council business not be discussed on WhatsApp by staff?

This question is not relevant to SAPPP or Assertion 10 – I would argue it’s anything to do with an IT policy, either! This is more of a social media policy element or a formal communications policy with the councillors. Fundamentally, decisions cannot be made using WhatsApp, so it should be viewed as an unofficial communication channel and treated as such in terms of content and how things are discussed.

Watch the recording of the session HERE.

 

Access the presentation slides HERE.



 


