The importance of secure email systems and GOV.UK
Last updated: 9 April 2024 at 15:09:11 UTC by Andrew Everard
The JPAG Practitioners’ Guide 2023-24 sets out the recommended ‘Proper Practices’ that Responsible Financial Officers (RFOs) should aim to comply with, along with measures to improve internal controls and reduce risk in local councils. It also sets out what internal auditors should be auditing.
Under Assertion 3 of the Annual Governance Statement in the AGAR, the Practitioners’ Guide 2023-24 states:
"Assertion 3 — Compliance with laws, regulations and proper practices
We took all reasonable steps to assure ourselves that there are no matters of actual or potential non-compliance with laws, regulations and proper practices that could have a significant financial effect on the ability of this smaller authority to conduct its business or on its finances. To warrant a positive response to this assertion, the following processes need to be in place and effective:"
One of the positive tests that the council should satisfy from the 2023-24 financial year is as follows:
"1.26 Email management - every authority should have an email account that belongs to the council and to which the council has access – this ideally would be a .gov.uk or .org.uk address or could be an address linked to the council website."
The Practitioners’ Guide also states later in the guide:
"The importance of secure email systems and GOV.UK
5.205. All authorities except parish meetings must now have an official website. To comply with GDPR, councils should provide official email accounts for their councillors as well as for their clerk and other officers.
5.206. When choosing a domain name for the council's website and emails, many local council websites are appropriately making use of the official GOV.UK domain (for example, ourparishcouncil.gov.uk), with email addresses being linked to that domain.
5.207. Using a GOV.UK domain for your council website and email accounts demonstrates the council's official local government status. Members of the public are increasingly cyber security aware, so a GOV.UK domain can also help to build trust and credibility, and visibly demonstrates authenticity. Many people will now reasonably expect a local council to have a GOV.UK domain name.
5.208. For the purposes of user management, councils should ensure that the proper officer can add and remove member and staff email accounts. Commercial ‘dashboard’ email and web systems offer centralised searching of all data contained within the system for effective compliance with GDPR Subject Access Requests and Freedom of Information Requests."
The government has published guidance about using the .gov.uk domains and emails at https://www.gov.uk/guidance/benefits-of-getting-a-govuk-domain
LALC have gathered some indicative fees from various suppliers to help local councils budget for introducing a .GOV.UK secure email system.
Some advantages of using these secure email systems are as follows:
· Keeps private and council emails separate.
· Stores data on a centralised secure server run by a hosting provider.
· Whenever a Clerk, staff member or councillor joins, is suspended, goes off sick or resigns, their email account and data can be managed by the council (closed down, suspended, deleted, forwarded, auto-reply) and not left to the individual to decide.
· Reduces the risk of the Information Commissioner’s Office, Police and other agencies having to trawl through personal, shared and other private business email accounts if they suspect a Data Protection Act breach has occurred.
In all cases you would need to buy a domain name, agreed with the service provider and compliant with government requirements, and then you can purchase email accounts either on a ‘per user’ basis or as part of a package. Some providers offer a bare-bones package, while others offer add-on services that councils would need to decide whether they need.
During the 2024-25 financial year the Cabinet Office has funding for up to 1000 parish and town councils to move over to .gov.uk domain and email systems. See our knowledgebase article for more information about this scheme: https://www.lalc.co.uk/wiki/page/157/
| Provider / Contact | Domain name: initial costs | Domain name: ongoing | Email: initial costs | Email: ongoing |
|---|---|---|---|---|
| SCIS Ltd, Lincs | £70 annually £38.99 hosting package | £70 annually £38.99 hosting package | £3 a month per user | £3 a month per user |
| | £110 for 2 years | £110 every two years | 25 email boxes £49.99 per annum. | 25 email boxes £49.99 per annum. |
| Cloudy IT, Bucks | £129 for 2 years | £89 renewal every 2 years | £3 a month per user | £3 a month per user |
| Aubergine, Beds | £90 a year | £90 a year | £5 a month per user | £5 a month per user |
| 2Commune, Leics | £200 for 2 years | £150 for 2 years | £35 a year per user | £35 a year per user. |

Notes
- Indicative prices quoted are Ex VAT and are subject to change.
- Additional labour and other costs may be incurred for transfer of data, storage, DNS and software licences (for example, Microsoft 365) depending on the precise requirements of the council and the service provided which will be bespoke to each council.
- Training and Support is provided by each provider by phone and email.
Further information about the use of data and data concerns can be found at;
Examples of ICO FOI investigations.
i) https://ico.org.uk/media/action-weve-taken/decision-notices/2017/2014862/fs50654957.pdf
ii) https://www.iversparishcouncil.gov.uk/wp-content/uploads/sites/55/2022/03/Appendix-13.1-ICO-to-Ivers-Parish-Council-10.03.22.pdf
iii) https://ico.org.uk/media/action-weve-taken/decision-notices/2019/2615797/fs50831870-1.pdf