IT & Digital Policy


Adopted: May 2026 | Review due: May 2027

This policy sets out Cliviger Parish Council’s approach to the use of information technology, digital communications and data security. It applies to all councillors and staff acting on behalf of the Council.

This policy supports compliance with the Annual Governance Return Assertion 10 (Digital and Data Compliance) and the requirements of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

1. Council Email Accounts

All official council business must be conducted using the Council’s designated email address: info@clivigerparishcouncil.gov.uk.

Councillors and the Clerk must not use personal email accounts (such as Gmail, Hotmail, Yahoo or Outlook.com) to conduct council business. This is to ensure that:

  • Council correspondence is retained and accessible for FOI and Subject Access Requests
  • Personal data is not processed outside of controlled, secure systems
  • A clear boundary is maintained between council and personal communications

The Council notes that its current email domain ends in .com rather than .gov.uk. The Council will investigate migration to a .gov.uk domain as a priority action and will adopt a gov.uk email address at the earliest practicable opportunity.

2. Data Security

All those acting on behalf of the Council must:

  • Use strong, unique passwords for all council systems and accounts
  • Enable two-factor authentication (2FA) where available
  • Ensure devices used for council business are protected with up-to-date antivirus software and operating system updates
  • Not store council data (including personal data) on personal cloud storage services
  • Lock or log out of devices when unattended
  • Report any actual or suspected data breach to the Clerk immediately

3. Data Breaches

In the event of a personal data breach, the Clerk must assess the risk and, where the breach is likely to result in a risk to individuals’ rights and freedoms, report it to the Information Commissioner’s Office (ICO) within 72 hours. The Council maintains a breach log for all incidents.

4. Website and Online Presence

The Council’s official website is clivigerparishcouncil.gov.uk. The website must at all times:

  • Display a valid Privacy Policy / Data Protection statement
  • Display an Accessibility Statement meeting the requirements of the Public Sector Bodies Accessibility Regulations 2018
  • Display a cookie consent mechanism compliant with UK GDPR and PECR
  • Publish a Freedom of Information Publication Scheme
  • Be served over HTTPS with a valid SSL certificate

5. Social Media and Online Communications

Any social media accounts operated on behalf of the Council must be approved by the Council and administered by the Clerk. Councillors must not post content that could be construed as official council policy without authorisation.

6. Acceptable Use

Council IT systems and accounts must only be used for lawful council business. The following are prohibited:

  • Accessing, storing or distributing illegal, offensive or inappropriate material
  • Using council systems for personal financial gain
  • Installing unauthorised software on council-managed devices
  • Attempting to gain unauthorised access to any computer system

7. Retention and Disposal

Council data must be retained and disposed of in accordance with the Council’s retention schedule. Physical documents containing personal data must be disposed of by secure shredding. Digital data must be permanently deleted using secure deletion methods.

8. Training and Awareness

The Clerk is responsible for ensuring that all councillors and staff are aware of this policy and their obligations under data protection law. New councillors will be briefed on this policy upon taking office.

9. Policy Review

This policy will be reviewed annually by the Council. It was adopted at the Council meeting of May 2026 and is due for review at the May 2027 Annual Meeting.

10. Compliance and Assertion 10

This policy forms part of the Council’s compliance framework for the Annual Governance Return (AGR) Assertion 10, which requires the Council to confirm that it has appropriate arrangements for digital and data compliance including use of appropriate email accounts, published privacy and accessibility policies, a published FOI Publication Scheme, and appropriate data security arrangements. Responsibility for monitoring compliance rests with the Clerk, who will report to the Council annually.