Monitoring NVD, CISA KEV, EPSS and the Dragons Community ransomware tracker in near-real time

Acceptable Use Policy Framework

Document · By Dragons Community GRC · acceptable-use · policy · governance

All intelligence content is fictional, redacted and defensive. No real credentials, stolen data, exploit instructions, malware links, payment information or private personal data is published. This is a template framework, not legal advice. Bracketed placeholders and every clause must be reviewed and adapted by your legal, HR, and privacy teams for the laws, employment regulations, and works-council or union obligations of each jurisdiction in which you operate before adoption.

An Acceptable Use Policy (AUP) defines how members of an organisation may use its information systems, networks, and data, and what is forbidden. This framework provides adaptable, template-style clauses an organisation can lift, tailor, and ratify rather than draft from scratch. It is deliberately defensive and governance-focused: the aim is to set clear expectations, protect people and data, and create a fair basis for enforcement, not to enable surveillance for its own sake. Replace every bracketed placeholder such as [Organisation] with your own values, delete clauses that do not apply, and have the result reviewed by legal and HR before publication. Pair the policy with awareness training and a signed acknowledgement so that it is understood, not merely posted.

Purpose and Scope

This policy sets out the acceptable use of [Organisation] information systems, including networks, devices, applications, cloud services, email, and data. Its purpose is to protect [Organisation], its staff, its customers, and its partners from harm arising from misuse, whether deliberate or inadvertent, and to ensure use that is lawful, ethical, and consistent with business objectives.

This policy applies to all workers, employees, contractors, temporary staff, interns, and third parties who access [Organisation] systems or data, on any device, whether on-premises or remote. It covers organisation-owned assets and personal devices used for work. Where a more specific policy exists for a given system, that policy applies in addition to this one.

  • State the systems, data, and locations the policy covers, including remote and cloud use.
  • Name every population bound by the policy: employees, contractors, temporary staff, and third parties.
  • Confirm coverage of both organisation-owned and personally owned devices used for work.
  • Reference related policies (data classification, information security, incident response) it works alongside.
  • Record the policy owner, approval authority, effective date, and review cadence.

General Use and Ownership Principles

Access to [Organisation] systems is a privilege granted for legitimate business purposes and may be modified or withdrawn at any time. Users are accountable for activity performed under their credentials and must use systems with the same care and good judgement expected in all professional conduct. Limited, reasonable personal use may be permitted at management discretion provided it does not interfere with duties, consume undue resources, or breach this policy.

All data created, stored, sent, or received on [Organisation] systems remains the property of [Organisation], subject to applicable law. Users should have no expectation of privacy in material stored on organisation systems beyond the limited protections described in the Monitoring and Privacy section and required by law.

  • State that access is a privilege tied to legitimate business need and may be revoked.
  • Make users accountable for all activity performed under their accounts and credentials.
  • Define whether and how limited personal use is permitted, and its boundaries.
  • Clarify organisational ownership of data created or stored on its systems, subject to law.
  • Cross-reference the Monitoring and Privacy section rather than overstating ownership.

Acceptable Use

Users may use [Organisation] systems to perform their assigned duties, communicate with colleagues, customers, and partners, and access information and services required for their role. Users are expected to follow security requirements such as locking unattended devices, using approved software, storing data in approved locations, and reporting anything that looks suspicious.

Acceptable use means lawful, professional, and proportionate use that respects the rights of others and the security of [Organisation]. When in doubt about whether an action is permitted, users should ask their manager or the [Security Team] before proceeding.

  • Use systems and data only for assigned business duties and authorised purposes.
  • Use only approved, licensed software and approved data storage locations.
  • Lock or log off devices when unattended and protect screens in public spaces.
  • Keep credentials private and use multi-factor authentication where provided.
  • Store and classify information according to the data classification policy.
  • Ask a manager or the [Security Team] before acting when permissibility is unclear.

Prohibited Use

The following activities are prohibited unless explicitly authorised in writing for a legitimate business reason (for example, authorised security testing). This list is illustrative, not exhaustive; any use that is unlawful, harmful, or contrary to the spirit of this policy is prohibited even if not listed below.

Users who become aware of any prohibited activity, including their own inadvertent breach, must report it promptly under the Incident Reporting section rather than attempting to conceal or quietly correct it.

  • No unlawful activity, harassment, discrimination, or creation or distribution of offensive material.
  • No unauthorised access, scanning, penetration testing, or attempts to bypass security controls.
  • No installing unlicensed, pirated, or unapproved software, or disabling security tooling.
  • No sharing credentials, or accessing accounts, data, or systems beyond your authorisation.
  • No exfiltrating, selling, or removing confidential data to personal accounts or storage.
  • No knowingly introducing malware, or circumventing network, content, or DLP controls.
  • No using systems for personal commercial gain, gambling, or unauthorised cryptocurrency mining.

Network and System Access

Access to [Organisation] networks and systems is granted on a least-privilege, need-to-know basis and tied to the user's role. Users must authenticate with their own unique credentials, protect those credentials, and use multi-factor authentication wherever it is offered. Connections to internal networks, including remote access, must use approved methods such as the [Organisation] VPN and approved, managed endpoints.

Users must not extend, bridge, or alter the network, for example by attaching unauthorised wireless access points, routers, or rogue DHCP services, and must not connect untrusted or unmanaged devices to protected network segments without authorisation.

  • Authenticate only with your own unique credentials and enable MFA where available.
  • Access only the systems and data your role authorises, on a need-to-know basis.
  • Use approved remote-access methods (for example the [Organisation] VPN) from managed endpoints.
  • Do not attach unauthorised network devices such as access points, switches, or routers.
  • Do not connect untrusted or personal devices to protected network segments without approval.
  • Report lost or stolen devices and suspected credential compromise immediately.

Data Handling and Confidentiality

Users must handle information according to its classification under the [Data Classification Policy] and protect the confidentiality, integrity, and availability of [Organisation] and customer data. Confidential and regulated data (for example personal data, financial records, or health information) must be stored only in approved systems, encrypted in transit and at rest where required, and shared only with authorised recipients through approved channels.

Users must not transfer confidential data to personal email, personal cloud storage, removable media, or other unapproved locations. When data is no longer needed it must be retained and disposed of in line with the [Records Retention Policy] and applicable law.

  • Classify and handle data according to the [Data Classification Policy].
  • Store confidential and regulated data only in approved, access-controlled systems.
  • Encrypt sensitive data in transit and at rest where required by policy or law.
  • Share data only with authorised recipients through approved channels.
  • Never move confidential data to personal email, cloud, or removable media.
  • Retain and dispose of data per the [Records Retention Policy] and legal requirements.
  • Report any suspected or actual data loss or exposure under Incident Reporting.

Personal Devices and BYOD

Where [Organisation] permits the use of personal devices (Bring Your Own Device) to access organisation data, that use is conditional on enrolment in approved management (for example mobile device management or a managed work profile) and compliance with minimum security standards. Personal devices used for work must be kept patched, protected by a passcode or biometric lock, and capable of remote wipe of organisation data.

Users consent that [Organisation] may enforce security controls on, and selectively wipe its data from, enrolled personal devices, and that loss or theft of any device holding organisation data must be reported immediately. Personal devices that cannot meet these standards must not be used to access [Organisation] data.

  • Enrol personal devices in approved management before accessing organisation data.
  • Keep the device patched and running a supported operating system version.
  • Protect the device with a passcode or biometric lock and full-device encryption.
  • Allow remote wipe of organisation data and acknowledge selective-wipe consent.
  • Do not store organisation data in unmanaged personal apps or backups.
  • Report loss or theft of any device holding organisation data immediately.
  • Do not use jailbroken, rooted, or end-of-life devices for work.

Cloud, SaaS and Shadow IT

Users may use only cloud and software-as-a-service applications that have been approved and, where required, contracted and security-reviewed by [Organisation]. Procuring or signing up for new cloud services with organisation data, or paying with personal or corporate funds outside the approved process, constitutes shadow IT and is prohibited because it bypasses security, privacy, and contractual safeguards.

Before requesting a new service, users should check the approved-applications catalogue and route new needs through [IT or Procurement] for review. Organisation data must not be uploaded to unapproved cloud services, AI tools, or file-sharing platforms.

  • Use only cloud and SaaS applications approved and listed in the [approved-applications catalogue].
  • Route requests for new services through [IT or Procurement] for security and privacy review.
  • Do not sign up for or purchase cloud services that process organisation data outside the approved process.
  • Do not upload confidential or personal data to unapproved cloud, AI, or file-sharing tools.
  • Use single sign-on and organisation accounts rather than personal accounts for work services.
  • Report discovered shadow IT so it can be reviewed or sanctioned.

Email, Messaging and Social Media

Email and messaging systems must be used professionally and securely. Users must remain alert to phishing and social-engineering attempts, verify unexpected requests through a second channel, and report suspicious messages using the [report-phishing] mechanism rather than clicking, replying, or forwarding them. Users must not use organisation email to send confidential data to unauthorised recipients or to register for unrelated personal services.

When using social media, whether on personal or organisation accounts, users must not disclose [Organisation] confidential information, speak on behalf of [Organisation] without authorisation, or post content that could reasonably harm the organisation, its staff, customers, or partners. Personal opinions must be clearly identified as personal.

  • Use email and messaging professionally and only for appropriate purposes.
  • Report suspected phishing via the [report-phishing] mechanism instead of interacting with it.
  • Verify unexpected payment, credential, or data requests through a separate trusted channel.
  • Do not email confidential data to unauthorised recipients or personal accounts.
  • Do not disclose confidential information or speak for [Organisation] on social media without authorisation.
  • Identify personal opinions as personal and avoid posts that could harm the organisation.
  • Follow brand and disclosure rules when posting on official organisation accounts.

Monitoring and Privacy Notice

To protect its systems and data, [Organisation] may log, monitor, and review use of its networks, devices, and accounts to the extent permitted by applicable law, including security logging, email and web-traffic inspection, and review of activity where there is a legitimate need such as investigating a security or policy incident. Monitoring is proportionate, conducted for defined purposes such as security, compliance, and system management, and is not intended for routine surveillance of individuals.

Where local law, employment regulation, or works-council agreement imposes additional notice, consent, or limitation requirements, those requirements take precedence and must be reflected here. Personal data processed through monitoring is handled in line with the [Privacy Policy] and applicable data-protection law.

  • State clearly that systems may be logged, monitored, and reviewed, and for what purposes.
  • Limit monitoring to defined, legitimate purposes such as security, compliance, and operations.
  • Commit to proportionality and to compliance with local privacy and employment law.
  • Reference the [Privacy Policy] for how personal data from monitoring is handled.
  • Incorporate jurisdiction-specific notice, consent, or works-council requirements where they apply.
  • Have legal and privacy teams review this section for every operating jurisdiction.

Incident Reporting

Users must promptly report any actual or suspected security incident, policy breach, lost or stolen device, suspected malware, phishing, or data exposure, through the [Security Team / service desk] using the [defined reporting channel]. Early reporting limits harm; users who report promptly and in good faith, including reporting their own honest mistakes, will be supported rather than penalised for the act of reporting.

Users must not attempt to investigate, contain, or conceal an incident on their own beyond immediate safe steps (such as disconnecting a clearly compromised device when instructed), and must preserve evidence and follow the instructions of the [Incident Response] team.

  • Report suspected incidents, breaches, and lost devices immediately via the [defined reporting channel].
  • Report your own honest mistakes promptly; good-faith reporting is supported, not punished.
  • Do not attempt independent investigation, containment, or concealment beyond instructed safe steps.
  • Preserve evidence and follow [Incident Response] team instructions.
  • Know the after-hours reporting route for urgent incidents.
  • Report suspected phishing and social engineering even if no harm appears to have occurred.

Enforcement and Consequences

Compliance with this policy is mandatory. Suspected violations will be investigated fairly and consistently, and confirmed violations may result in disciplinary action up to and including termination of employment or contract, in line with [Organisation] disciplinary procedures and applicable law. Where activity is unlawful, [Organisation] may refer the matter to law enforcement and pursue civil or criminal remedies.

Enforcement is proportionate to the nature and severity of the violation and considers intent, harm, and whether the user reported in good faith. Managers and the [Security Team] are responsible for applying this policy consistently and without arbitrary or discriminatory treatment.

  • State that compliance is mandatory and violations will be investigated fairly.
  • Define the range of consequences, up to termination, aligned with disciplinary procedures.
  • Reserve the right to involve law enforcement for unlawful activity.
  • Make enforcement proportionate to severity, intent, and harm.
  • Credit good-faith self-reporting as a mitigating factor.
  • Require consistent, non-discriminatory application by managers and the [Security Team].

Acknowledgement

All individuals covered by this policy must read it and confirm their understanding and agreement before being granted or retaining access to [Organisation] systems, and again whenever the policy is materially updated or on a periodic basis (for example annually). Acknowledgement may be captured by signature or through an approved electronic system, and records must be retained as evidence of compliance.

By acknowledging, the user confirms that they have read and understood this policy, agree to abide by it, and understand that breach may lead to disciplinary or legal consequences. Questions about the policy should be directed to [the policy owner or Security Team] before acceptance.

  • Require acknowledgement before initial access and after material updates or annually.
  • Capture acknowledgement by signature or an approved electronic system.
  • Retain acknowledgement records as auditable evidence of compliance.
  • State that acknowledgement confirms understanding and agreement to comply.
  • Provide a route to ask questions before accepting the policy.
  • Track outstanding acknowledgements and follow up on non-completion.