All data in transit is encrypted. Any data at rest on a remote device is also encrypted.
The following security, encryption and key management protocols are in place:
The platform is designed and engineered to use ‘privacy by design and privacy by default’ principles, and the latest standards and best practices will continue to be supported as the platform develops.
The following measures are in place to ensure the security of personal data that is stored and that may be transferred during planned and authorised workflow on the platform.
Firewall
The My Council Services database is never exposed beyond an internal firewall. The internal firewall technology is constantly reviewed and upgraded to the latest standards.
Penetration testing
Penetration tests are performed at least every 20 days. Any issues identified are immediately evaluated and acted upon. We also support third-party penetration testing by Councils if they request this. The cost of such independent penetration testing will be borne by the Council. We also request that the Council share the full results of any independent penetration testing that it commissions, so that we can act upon any relevant findings.
Source code encryption
All source code that is deployed to the My Council Services app is binary encrypted, preventing reverse engineering by hackers.
For Android devices specifically, the My Council Services native application can only be installed and run on the device’s internal memory.
Private key encryption
My Council Services utilises private key encryption technology to encrypt data packets. Private key encryption serves two purposes.
The first is authentication, in which the approach verifies the user.
The second is encryption of data. This approach assures that data in transit is secure and that it can only be accessed by an authenticated user upon receipt.
Secure sockets layer (SSL)
My Council Services uses Secure Sockets Layer (SSL) technology for all communication and web services. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and secure.
Protecting against SQL injection
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). My Council Services has best practice measures in place to prevent SQL injection, and regular testing is conducted after every version upgrade to protect against it.
Role-based access control (RBAC)
The extensive data security measures described here are overlaid with RBAC, using data roles that secure personal data and control access to it and its visibility.
Encryption standards
My Council Services offers a high level of encryption of data on any local device. The platform also protects against the possibility that Android native applications, if not adequately encrypted, can be reverse engineered for malicious reasons. To ensure that this cannot happen, the binary files are compressed, optimised, and obfuscated.
My Council Services uses AES 256 encrypted web services for all mobile device communication. The My Council Services web services API can only be accessed via a public access token using a unique identifier and is encrypted using the AES256 encryption algorithm.
All transmitted data packets are also encrypted by private/public key and further encapsulated in an industry-standard SSL layer, providing very high levels of data security.
My Council Services uses the Transport Layer Security (TLS) 1.2 protocol for all communications. This ensures privacy and data security between our applications and our users on the internet.