Our roles under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, your council is the Data Controller — you decide what data is collected and why. Paper Monkey Limited, the company behind CouncilPapers, acts as your Data Processor — we process data only on your instructions, to provide the services you've subscribed to.
This means we never use your council's data for our own purposes, we never sell it, and we act only within the boundaries you set.
What we commit to
A summary of our key obligations as your data processor.
🇬🇧 Hosted in the UK
All personal data processed through CouncilPapers is stored on servers located within the United Kingdom. We do not transfer your data outside the UK without your prior written consent.
🔒 Security measures
We implement appropriate technical and organisational security measures, including encryption in transit and at rest, role-based access controls, regular backups, and staff training. Full details are in Schedule 1 of the DPA.
👥 Sub-processors
We use a small number of carefully selected sub-processors — for hosting and transactional email — who are contractually bound to the same data protection standards. A full list is provided in Schedule 2 of the DPA. We will give you advance notice of any changes.
📅 Data retention
We hold your data for the duration of your subscription. When your subscription ends, we will return or securely delete all personal data within 30 days at your election. You can also request deletion of specific records at any time during the subscription.
📌 Breach notification
In the event of a personal data breach, we will notify your council within 48 hours with full details of what happened, what data was affected, and the steps taken to address it — giving you everything you need to meet your ICO reporting obligations.
👤 Data subject rights
If a member of the public or a councillor exercises their rights under UK GDPR — such as a request for access or erasure — we will promptly notify you and provide the technical assistance you need to respond within statutory timeframes.
What personal data we process
We only process data that you provide through the CouncilPapers platform in the course of your normal meeting administration. This typically includes:
| Category | Examples |
|---|---|
| Councillor and staff details | Names, email addresses, roles, committee memberships |
| Members of the public | Names or addresses referenced in agenda or minute items |
| Agenda and minute content | Any personal data contained within documents uploaded or created in the platform |
| Planning and correspondence | Names of applicants or objectors included in planning agenda items |
As Data Controller, your council is responsible for ensuring that any personal data entered into CouncilPapers has a lawful basis for processing under UK GDPR.
Launching Spring 2026!
Council Papers
Stop drowning in paperwork
Your meeting preparation shouldn't consume your week. Automate the tedious bits so you can focus on what matters.
Meeting records that stand up to scrutiny
Version-controlled, searchable, audit-proof—your agendas and minutes become a trusted record, not a liability.
Transparent, accessible council papers
Publish professional agendas and minutes to the web instantly. Show your community that decisions are made openly and carefully.