Acceptable Use Policy
An acceptable use policy establishes the rules governing how staff, contractors, and other authorised users interact with organisational IT resources. The policy creates clear boundaries between permitted and prohibited activities, defines the extent of personal use allowed, and sets expectations regarding monitoring and privacy. Organisations adapt this policy framework to their specific context, risk tolerance, and operational requirements.
- IT resources: All technology assets owned, leased, or managed by the organisation, including hardware, software, networks, data, cloud services, and communication systems.
- Authorised user: Any individual granted access to organisational IT resources, including employees, contractors, volunteers, interns, consultants, and partner organisation staff with approved access.
- Personal use: Non-work-related activities conducted using organisational IT resources during or outside working hours.
- Prohibited use: Activities explicitly forbidden regardless of intent, time, or circumstance.
Policy scope
The acceptable use policy applies to all authorised users from the point of access provisioning until access termination. Coverage extends to all IT resources regardless of physical location, ownership model, or access method. A staff member accessing organisational email from a personal phone in a hotel connects to resources covered by this policy. A contractor using an organisation-owned laptop at their home office operates under identical obligations.
The policy binds users whenever they interact with organisational systems, data, or networks. This includes direct use of organisation-owned equipment, access to organisational services from personal devices, use of organisational accounts and credentials, and any activity that could reasonably be attributed to the organisation. Geographic location does not alter policy applicability; field staff in remote locations hold identical obligations to headquarters personnel.
Certain user categories warrant specific provisions. Volunteers and interns receive the same policy briefing as employees but may have restricted access reflecting their role scope. Partner organisation staff with cross-organisational access operate under both their own organisation’s policies and relevant provisions of this policy. Temporary surge staff during emergency responses receive expedited briefings covering essential provisions with full orientation completed within 14 days.
Permitted use
Organisational IT resources exist primarily to support the organisation’s mission and operations. All work-related activities that advance organisational objectives constitute permitted use without requiring specific authorisation. This includes accessing information systems to perform job functions, communicating with colleagues and external parties, creating and storing work documents, and participating in approved collaboration platforms.
Users exercise reasonable judgement in determining whether an activity supports organisational purposes. A programme officer researching beneficiary needs, a finance staff member processing payments, and a communications officer managing social media all engage in clearly permitted activities. Edge cases exist where activities serve both personal and professional purposes; a staff member maintaining professional development through online learning uses resources permissibly when that development relates to their role.
Personal use provisions
Limited personal use of IT resources is permitted where it does not interfere with work responsibilities, consume excessive resources, or violate any prohibited use provisions. The organisation recognises that strict prohibition of all personal use proves impractical and counterproductive; reasonable allowances support staff wellbeing and reduce workaround behaviours that create security risks.
Personal use operates within defined boundaries. Brief personal communications, limited web browsing during breaks, and occasional personal administrative tasks fall within acceptable limits. The test for acceptable personal use combines three factors: duration remains brief, frequency stays occasional, and the activity creates no risk to organisational resources or reputation.
| Resource type | Personal use allowance | Restrictions |
|---|---|---|
| Email | Occasional personal messages | No bulk sending; no commercial activity; no forwarding of organisational data |
| Internet access | Brief browsing during breaks | No streaming during work hours; no bandwidth-intensive downloads; no prohibited content |
| Storage | Minimal personal files | Maximum 1 GB; no media libraries; organisation retains deletion rights |
| Printing | Occasional personal documents | Maximum 20 pages per month; no bulk printing |
| Communication tools | Brief personal calls/messages | No extended personal calls during work hours; no premium-rate services |
| Mobile devices | Reasonable personal use | No personal app installations without approval on managed devices |
Personal use that crosses these boundaries requires explicit approval from the user’s manager. Requests for exceptions should specify the nature, duration, and resource requirements of the proposed use.
Prohibited use
Certain activities are prohibited absolutely, regardless of intent, authorisation level, or perceived benefit. These prohibitions exist because the activities create unacceptable risk to the organisation, its beneficiaries, its staff, or third parties. No manager or executive can authorise prohibited activities; the prohibitions represent non-negotiable boundaries.
Illegal activities
Users must not employ IT resources for any activity that violates applicable laws in any jurisdiction where the organisation operates. This encompasses obvious criminal acts and extends to regulatory violations, intellectual property infringement, and activities legal in some jurisdictions but illegal in others. When legal ambiguity exists, users must consult with their manager or the IT function before proceeding.
Security violations
Activities that compromise or could compromise the security of IT resources are prohibited. This includes attempting to circumvent access controls, sharing credentials with others, installing unauthorised software, connecting unauthorised devices to organisational networks, and deliberately introducing malicious code. Users who discover security vulnerabilities must report them through established channels rather than attempting to exploit or investigate them further.
Credential sharing warrants particular emphasis. Each user account represents an individual identity; sharing passwords or access tokens defeats accountability mechanisms and violates this policy regardless of the relationship between the individuals involved. A manager cannot share their credentials with their assistant; a departing staff member cannot transfer their account to their replacement.
Harmful content
Users must not use IT resources to access, store, transmit, or create content that is obscene, sexually explicit, discriminatory, harassing, threatening, defamatory, or otherwise harmful. This prohibition applies regardless of whether the user is the content’s creator or merely its conduit. Automated systems may filter certain content categories, but the absence of technical blocks does not indicate permission.
Legitimate work requirements occasionally necessitate exposure to harmful content. Safeguarding staff reviewing reports, researchers analysing extremist communications, or IT staff investigating security incidents may encounter prohibited content in the course of their duties. Such exposure must occur only when directly required by job function, with appropriate safeguards, and with supervisory awareness. The prohibition targets discretionary access, not unavoidable exposure during legitimate work.
Resource misuse
Users must not consume IT resources in ways that degrade service for others or impose unreasonable costs on the organisation. Cryptocurrency mining, unauthorised bulk data processing, and hosting services for third parties exemplify prohibited resource consumption. Personal media libraries, extensive game installations, and peer-to-peer file sharing similarly exceed acceptable bounds.
Network resources require particular protection. Activities generating excessive traffic, maintaining persistent high-bandwidth connections for non-work purposes, or interfering with network operations for others violate this policy. During periods of network constraint, common in field locations with limited connectivity, users must prioritise work activities and cease personal use that consumes bandwidth needed by others.
Commercial and political activities
IT resources must not support personal commercial ventures, external employment, or political campaign activities. A staff member cannot use organisational email to conduct freelance business, operate an e-commerce store from their work laptop, or send political solicitations through organisational systems. This prohibition extends to passive commercial use; hosting a personal business website on organisational infrastructure violates the policy even if it generates no traffic during work hours.
The distinction between prohibited political activity and permitted advocacy requires care. Many mission-driven organisations engage in policy advocacy as part of their mission; such activities constitute legitimate work use. Personal political activities undertaken as a private citizen fall outside work purposes and must not use organisational resources. When ambiguity exists, users should consult their manager before proceeding.
Prohibited use summary
| Category | Prohibited activities | Exceptions |
|---|---|---|
| Illegal activity | Any violation of applicable law | None |
| Security circumvention | Bypassing controls, sharing credentials, unauthorised access attempts | Authorised security testing only |
| Malicious code | Introducing, storing, or transmitting viruses, malware, or exploit code | Authorised security research in isolated environments |
| Harmful content | Obscene, discriminatory, harassing, threatening, or defamatory material | Legitimate work exposure with safeguards |
| Excessive resource use | Mining, bulk processing, media hoarding, bandwidth abuse | None |
| Impersonation | Misrepresenting identity or authority | None |
| Commercial activity | Personal business, freelance work, external employment | None |
| Political campaigns | Electoral campaign activity, political fundraising | Mission-related policy advocacy |
| Intellectual property violation | Unlicensed software, pirated content, copyright infringement | None |
| Gambling | Online gambling, betting platforms | None |
Monitoring and privacy
The organisation monitors IT resource usage to protect security, ensure policy compliance, and maintain system performance. Users hold no expectation of privacy in their use of organisational IT resources. All activities conducted through organisational systems may be logged, recorded, and reviewed.
Monitoring scope
Monitoring encompasses network traffic analysis, email scanning, web filtering, system access logging, and endpoint activity recording. The organisation employs automated tools that continuously analyse traffic patterns, flag potential security threats, and block access to prohibited content categories. Security staff review alerts generated by these systems and may conduct detailed investigations when indicators suggest policy violations or security incidents.
Content monitoring occurs at multiple levels. Automated systems scan for malware, data loss indicators, and prohibited content patterns. Security personnel may review specific communications or files when investigating alerts or suspected violations. Management may request activity reports for users within their supervisory scope when performance or conduct concerns arise.
User awareness
Users acknowledge monitoring through the policy acceptance process completed during onboarding. Login banners on organisational systems reinforce monitoring disclosure. Users should assume that any activity conducted through organisational IT resources may be observed, logged, and reviewed by authorised personnel.
The organisation does not employ monitoring as a tool for general performance surveillance. Activity data informs security operations, compliance verification, and specific investigations rather than routine productivity tracking. This operational reality does not create a privacy expectation; users should understand that technical capability for comprehensive monitoring exists even when not routinely exercised.
Personal data in monitoring
Monitoring activities collect personal data about users as defined under data protection regulations. The organisation processes this data under legitimate interest provisions, balancing security requirements against user privacy. Retention periods for monitoring data vary by type: security logs persist for 12 months, access logs for 24 months, and investigation records for 7 years following case closure.
Users may request access to their own monitoring data through normal data subject access request procedures. Requests undergo security review to ensure disclosure does not compromise ongoing investigations or reveal security control details that could enable circumvention.
Email and communications
Email and messaging systems serve as official communication channels for organisational business. Users are responsible for content sent from their accounts, whatever display name or sender address the recipient sees. The organisation may access, review, and disclose email content for legitimate business purposes, legal compliance, or investigation of policy violations.
Email usage standards
Professional standards govern all organisational email communications. Messages should be clear, accurate, and appropriate for potential review by third parties. Users should assume that any email might be disclosed in legal proceedings, shared with regulators, or published through freedom of information requests. The transient feel of electronic communication belies its persistence; emails deleted by users may persist in backups, archives, and recipient systems.
Auto-forwarding organisational email to external addresses is prohibited without explicit IT approval. This restriction prevents inadvertent data exposure and maintains visibility into organisational communications. Users requiring legitimate external access should use approved mobile or web access methods rather than forwarding.
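The auto-forwarding prohibition above is only enforceable if someone actually checks mailbox rules. The script below is an added example, not part of the original policy or any particular mail platform's tooling: it takes a hypothetical export of mailbox rules (the constructed `SAMPLE_RULES`, with assumed field names), treats the assumed organisational domain `example.org` and its subdomains as internal, and reports every forward, redirect, or forward-as-attachment target outside the organisation that is not on an IT-approved exception list. Disabled rules are still reported, because a disabled rule can be silently re-enabled.

```python
"""Flag mailbox rules that auto-forward to external addresses.

Added example; the rule export format, domain, and exception list below
are assumptions, not taken from the policy or from any real platform.
"""
from dataclasses import dataclass

ORG_DOMAINS = {"example.org"}            # assumed organisational domain(s)
APPROVED_EXCEPTIONS = {                  # assumed IT-approved (mailbox, destination) pairs
    ("press@example.org", "agency@partner-pr.example"),
}

# Actions that send mail content out of the mailbox; others (move, flag) are ignored.
FORWARDING_ACTIONS = {"forward", "forward_as_attachment", "redirect"}

# Constructed sample export, one record per rule, in the shape this script assumes.
SAMPLE_RULES = [
    {"mailbox": "a.ahmed@example.org", "rule": "Backup", "action": "forward",
     "targets": ["a.ahmed@gmail.example"], "enabled": True},
    {"mailbox": "press@example.org", "rule": "PR agency", "action": "redirect",
     "targets": ["agency@partner-pr.example"], "enabled": True},
    {"mailbox": "b.okoro@example.org", "rule": "Team copy", "action": "forward",
     "targets": ["finance@mail.example.org"], "enabled": True},
    {"mailbox": "c.lin@example.org", "rule": "Old", "action": "forward_as_attachment",
     "targets": ["C.Lin@Example.ORG", "cl@outlook.example"], "enabled": False},
    {"mailbox": "d.ross@example.org", "rule": "Move invoices", "action": "move",
     "targets": [], "enabled": True},
]


@dataclass(frozen=True)
class Finding:
    mailbox: str
    rule: str
    target: str
    enabled: bool


def is_internal(address, org_domains=ORG_DOMAINS):
    """True if the address is in an organisational domain or a subdomain of one.

    Comparison is case-insensitive and requires a real label boundary, so
    "example.org.evil.example" is not mistaken for internal.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in org_domains)


def find_external_forwards(rules, org_domains=ORG_DOMAINS, approved=APPROVED_EXCEPTIONS):
    """Return a Finding for each external forwarding target without an approved exception."""
    findings = []
    for r in rules:
        if r["action"] not in FORWARDING_ACTIONS:
            continue
        for target in r["targets"]:
            if is_internal(target, org_domains):
                continue
            if (r["mailbox"].lower(), target.lower()) in approved:
                continue
            findings.append(Finding(r["mailbox"], r["rule"], target.lower(), r["enabled"]))
    return findings


if __name__ == "__main__":
    for f in find_external_forwards(SAMPLE_RULES):
        state = "enabled" if f.enabled else "DISABLED"
        print(f"{f.mailbox}: rule '{f.rule}' forwards to {f.target} ({state})")
```

Run against the constructed sample it reports two rules: the personal webmail forward and the disabled rule that still carries an external target. The internal subdomain copy and the approved PR-agency redirect are not reported. In practice the rule list would come from the mail platform's administrative interface, and the exception list from the IT approval records this policy refers to.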
Retention and deletion
Email retention follows the schedules established in the Data Retention and Records standard. Users must not delete emails that fall under legal holds or regulatory retention requirements. Conversely, users should regularly delete transient messages with no business value to manage storage consumption and reduce exposure surface.
The organisation may archive email for compliance, legal, or operational purposes. Archived content remains accessible for authorised review regardless of user-initiated deletion. Users should not rely on email deletion to prevent discovery of communications.
Internet and web access
Internet access through organisational networks serves work purposes primarily. The organisation filters web content to block prohibited categories and protect against malicious sites. Filtering is not silent: users encountering a blocked site see a block page explaining the restriction. Security staff review filter logs to identify concerning patterns and potential policy violations.
Web filtering categories
Content filtering blocks access to categories presenting security, legal, or reputational risks. Blocked categories include malware distribution, phishing, adult content, gambling, weapons, illegal drugs, and hate speech. The organisation updates filter definitions continuously to address emerging threats and new site classifications.
Legitimate work requirements occasionally necessitate access to filtered categories. Researchers, safeguarding staff, and certain other roles may require access to content blocked by default. Requests for filter exceptions follow a documented approval process, with exceptions logged and reviewed quarterly. Approved exceptions apply to specific users and sites rather than broad category unblocking.
Personal browsing
Limited personal web browsing during breaks falls within permitted personal use. Users should exercise judgement regarding site selection; a site being accessible does not indicate organisational endorsement or permission. Content that would be inappropriate to view in a shared office environment remains inappropriate regardless of where the user physically sits.
Streaming services, social media, and other bandwidth-intensive sites should be avoided during work hours except when required for work purposes. Field locations with constrained connectivity impose stricter limitations; local guidance may restrict personal browsing entirely during operational hours.
Social media
Social media presence intersects personal and professional identity in ways requiring careful navigation. Users maintain personal social media accounts as private individuals while simultaneously representing the organisation in various contexts. This policy addresses both organisational social media operations and personal use that could affect the organisation.
Organisational social media
Official organisational accounts operate under Communications function oversight with designated administrators holding posting authority. Content published through official channels undergoes review processes appropriate to the platform and content type. Administrators protect account credentials as sensitive and enable multi-factor authentication on all platforms supporting it.
Staff authorised to post on behalf of the organisation must clearly distinguish between organisational positions and personal opinions. When organisational accounts engage in advocacy, content must align with approved messaging and organisational policy positions. Responses to negative comments or criticism follow established guidelines emphasising professionalism and de-escalation.
Personal social media
Users maintain personal social media accounts independently of the organisation. Personal accounts should not claim to represent organisational positions unless explicitly authorised. Users who identify their organisational affiliation in personal profiles should clarify that views expressed are their own.
Personal social media activity can affect organisational reputation and relationships. Users should avoid posting content that could embarrass the organisation, compromise security, or damage stakeholder relationships. Particular care applies to posts about beneficiaries, partners, operational locations, and sensitive programme activities. Photographs from field visits require consideration of consent, security, and dignity.
The organisation does not routinely monitor employee personal social media. However, content that comes to organisational attention through any means may be addressed if it violates this policy or other organisational policies. Employees retain free expression rights as private citizens while accepting that expression touching on organisational matters carries professional implications.
Enforcement
Policy violations result in consequences proportionate to severity, intent, and impact. The organisation investigates potential violations thoroughly before determining appropriate response. Users facing allegations of policy violation receive notice of the allegation, opportunity to respond, and explanation of findings and consequences.
Violation severity
Violations range from minor infractions addressable through guidance to serious breaches warranting termination or legal action. Severity assessment considers the nature of the violation, whether harm resulted, whether the violation was intentional, whether the user had received prior guidance, and whether the violation involved concealment or deception.
| Severity | Examples | Typical response |
|---|---|---|
| Minor | Excessive personal use, minor policy misunderstanding | Verbal guidance, reminder of policy |
| Moderate | Repeated minor violations, negligent security practice, inappropriate content access | Written warning, mandatory training, access restrictions |
| Serious | Intentional security violation, harassment, significant resource misuse | Final warning, suspension, access revocation |
| Gross | Illegal activity, deliberate data breach, malicious damage | Termination, legal referral, criminal reporting |
Investigation process
Investigations begin when monitoring systems, user reports, or other sources indicate a potential violation. IT Security conducts technical investigation while Human Resources manages employment aspects. Users under investigation may have access suspended pending findings where continued access poses risk.
Investigation findings and evidence inform severity determination and response selection. Users receive written notification of outcomes including any imposed consequences. Appeals follow standard Human Resources grievance procedures.
Reporting violations
Users who observe or suspect policy violations should report them promptly. Reporting channels include direct managers, Human Resources, IT Security, and anonymous reporting mechanisms where available. The organisation prohibits retaliation against good-faith reporters regardless of whether reports ultimately prove substantiated.
Users uncertain whether an activity violates policy should seek guidance before proceeding. Enquiries about policy interpretation are encouraged and do not trigger investigation unless they reveal an actual violation.