Assertion 10 Important Changes!
Dear Councillors and Clerks
For this week I wanted to highlight the changes we need to mindful of relating to the new Assertion 10 that every councillor will be voting on next year. It may not have really have alerted you to the changes you need to be making now, you only have a few months left to possible make substantial changes before you can resolve that you have complied! To help I have captured the wise words from Darren Briddock, head of information compliance at Breakthrough Communications and reproduce them here in full.
“With the introduction of Assertion 10 in the 2025/26 Annual Governance and Accountability Return (AGAR), local (parish and town) councils are being asked to demonstrate, more transparently than ever, that they are managing digital, data and information governance responsibly.
This isn’t about adding another layer of bureaucracy. It’s about embedding good governance, building resilience, and protecting the growing amount of personal data held by councils. While the requirements may feel technical or unfamiliar at first, achieving compliance is absolutely within reach.
As NALC’s trusted partner for data protection services, Breakthrough Communications is here to help councils cut through the complexity and take confident steps toward compliance.
What is Assertion 10?
Assertion 10 is a new declaration that councils will need to make from the 2025/26 AGAR onwards, as detailed in the 2025 edition of the Practitioners’ Guide, published by the Smaller Authorities Proper Practices Panel (SAPPP), formerly JPAG.
Assertion 10 brings together a series of expectations around digital, data and information governance. For example, part of Assertion 10 focuses on the requirement for councils to have a generic email hosted on an authority-owned domain (not a personal or free service). Their website will need to meet WCAG 2.2 AA accessibility standards, and councils will need to have an IT policy that covers the secure and lawful use of digital devices within the council.
Crucially, Assertion 10 also requires councils to confirm that they are complying with data protection legislation and the data protection principles.
Data protection is an ongoing responsibility, not a tick box task
Data protection compliance is not new. Councils have long had a legal duty to protect the personal information they hold, with current legislative requirements set out in the UK GDPR and the Data Protection Act 2018. What has changed is the visibility of these responsibilities through the AGAR process.
Data protection also isn’t something that councils can complete and forget. Just as councils grow and evolve, data protection is also an ongoing process of managing risk and strengthening governance.
Whether it’s mapping the personal data a council processes, documenting the reasons for holding it, clarifying who has access, whether it is ever shared, ensuring secure storage and handling, keeping policies and records up to date, or making sure staff and councillors are trained and aware of their responsibilities, data protection has never been a tick‑box exercise.
What does Assertion 10 and data protection compliance mean in practice
Assertion 10 makes it clear that councils must be able to show they manage personal data lawfully, safely and securely, and in line with their legal responsibilities. This means more than having policies on file.
Parish and town councils need to understand, for example, how personal data moves through their organisation, who has access to it, how it is protected, how it is securely disposed of when no longer needed, and how requests from individuals to exercise their data rights are handled.
Getting to that point will look different for each council. For some, it may involve council-wide data audits and risk assessments, as well as clarifying how data is stored and accessed. For others, it might highlight the need for refreshed documentation or policies that reflect a council’s specific ways of working, clearer procedures or a refresh of staff and councillor training.
Ultimately, the aim is to move from assumptions to assurance, where compliance can be explained and evidenced with confidence.
Why it pays to act now
Assertion 10 applies to the current financial year. That means parish and town councils should take steps now to ensure they can demonstrate compliance when the time comes. Acting now will also give councils time to identify and fill gaps, build confidence, and avoid last-minute pressure.
Getting this right isn’t just about regulatory compliance. It’s about protecting personal information, demonstrating strong governance and maintaining the confidence of your community. It’s also an opportunity to embed lasting good practice that supports better decision-making and builds resilience across the council.”
There are many organisations that are able to assist you to move to .gov.uk domains and to help set up gov.uk email addresses. Cost is really not a barrier as one fully accredited organisation is offering to do this for free. So, if you need further details please get in touch.
I love the statistics that you can access from NALC regarding the national precept rates and details of other authorities and councils, yes winter just flies by in my house! This year’s summary is attached and the most remarkable thing about our area is, that we are wholly unremarkable! Just two double digit percentage increases on Band D properties, from our patch. Pass this around your finance committees and councillors as you start your budget discussions and determine your precepts for next year. I’ve some more statistics to share on the results of the May 2025 elections but I’ll save those for another message. Too much excitement in one day is not good for you.
Kind regards
Mel Woof PSLCC