Acceptable Use Policy (AUP)

A free UK-aligned template covering 4 essential clauses. Edit the highlighted fields, sign, and adopt.

1.Scope and Definitions

This policy sets out the conditions under which [Company] permits employees, contractors, agency workers and authorised third parties (collectively, "Users") to access and use [Company] information systems, networks, devices, applications and data (collectively, "Systems"). The objective is to maintain the confidentiality, integrity and availability of [Company] information assets, comply with applicable legal and regulatory obligations including the UK GDPR and the Data Protection Act 2018, and protect Users from unintentional harm caused by misuse.

This policy applies to:

• All [Company]-owned hardware: laptops, desktops, mobile devices, servers, network equipment;
• All personal devices used to access [Company] systems under the BYOD policy;
• All [Company]-managed cloud services: email, file storage, communication, productivity, line-of-business;
• All [Company] data regardless of where it is stored, processed or transmitted;
• All Users with logical or physical access to the above, from joining to departure.

1.1 Key definitions

Systems means the totality of [Company] IT assets defined above.

Personal Use means use of Systems for purposes unrelated to [Company] business.

Sensitive Data means personal data as defined in UK GDPR Article 4(1), commercial-in-confidence information, intellectual property, and data classified as Confidential or Restricted under [Company]'s Information Classification Policy.

Monitoring means automated or manual review of System activity for security, compliance or operational purposes.

2.Acceptable Use

Users shall use [Company] Systems primarily for [Company] business purposes. Limited Personal Use is permitted provided it does not interfere with work duties, expose [Company] to legal or reputational risk, or consume disproportionate System resources. Specifically, Users shall:

1. Authenticate with their own assigned credentials and protect those credentials from disclosure to any other person;
2. Apply multi-factor authentication where provisioned, and report any suspected credential compromise to [Company] IT within four working hours of discovery;
3. Store and process Sensitive Data only in [Company]-approved systems, never in personal cloud storage or unmanaged messaging apps;
4. Apply operating-system and managed-application security updates promptly, and use only operating system versions still in receipt of vendor security updates;
5. Lock unattended devices and avoid leaving Sensitive Data visible to passers-by, particularly in public spaces;
6. Cooperate with reasonable evidence preservation and lawful disclosure requirements — including legal hold, subject access requests under UK GDPR Articles 15 and 17, and incident response investigations.

2.1 Limited Personal Use

Limited Personal Use of [Company] email, internet access and devices is permitted at the discretion of [Company], subject to the prohibitions in Clause 3. Personal Use must be reasonable in frequency and duration, must not occur during agreed working hours unless during authorised breaks, and must not generate financial or reputational liability for [Company]. Users have no expectation of privacy in respect of Personal Use on [Company] Systems beyond what is required by law.

3.Prohibited Activities

The following activities are expressly prohibited when using [Company] Systems:

3.1 Security and access controls

• Circumventing, disabling or attempting to defeat any [Company] security control;
• Sharing credentials with any other person, including colleagues, contractors and family members;
• Accessing or attempting to access any System for which the User has not been granted authorisation;
• Installing unauthorised software on [Company]-owned devices;
• Connecting personal removable media to [Company] systems without prior approval and DLP scanning.

3.2 Data and intellectual property

• Extracting [Company] data to personal devices, personal email accounts or personal cloud storage at any time;
• Using [Company] data, customer lists, supplier lists, pricing or commercially sensitive material for any non-business purpose;
• Downloading, distributing or storing material that infringes third-party intellectual property rights;
• Sending Sensitive Data to external recipients without applying the [Company]-approved encryption mechanism.

3.3 Conduct and content

• Sending, viewing, downloading or storing material that is unlawful, defamatory, obscene, harassing or discriminatory under the Equality Act 2010;
• Using [Company] Systems to harass, bully or intimidate colleagues or third parties, in breach of the Worker Protection Act 2024;
• Conducting personal commercial activity (online retail, freelance work, gambling, cryptocurrency mining) on [Company] Systems or during working hours;
• Making public statements on behalf of [Company] without prior authorisation from the Communications team.

4.Enforcement and Monitoring

Compliance with this policy is a condition of access to [Company] Systems and a contractual obligation for employees, contractors and third parties. [Company] reserves the right to suspend or terminate System access where there is evidence of breach. Breach by employees may be addressed through the [Company] Disciplinary and Grievance Procedure; serious breaches may amount to gross misconduct.

4.1 Monitoring scope and lawful basis

[Company] monitors System activity for the legitimate interests of information security, regulatory compliance, intellectual property protection and operational continuity. Monitoring is conducted lawfully under UK GDPR Article 6(1)(f) (legitimate interests) and, where personal data is involved, after a documented legitimate-interests assessment. Categories of monitoring include: authentication and access logs, email and messaging metadata, internet-browsing logs, cloud-application usage telemetry, endpoint security events, and DLP triggers. Content of messages and files is not routinely reviewed; targeted content review may be conducted on reasonable cause.

4.2 User transparency

[Company] meets its UK GDPR Article 13/14 transparency obligation through the [Company] Privacy Notice, the at-login banner on managed devices, and the new-joiner induction. Users are informed at recruitment, at induction and via this policy that their use of [Company] Systems is subject to monitoring.

4.3 Investigation procedure

Where monitoring indicates a possible breach, the [Company] Head of IT or Information Security Manager will assess proportionality, document the basis for further investigation, and, where targeted review is justified, conduct the review with HR in attendance. Findings are escalated to the disciplinary process where appropriate. The full audit-ready policy contains the detailed investigation procedure with RIPA 2000 + IPA 2016 considerations, evidence handling, and chain-of-custody requirements — see the upsell block at the end of this document.

4.4 Reporting and protected disclosure

Users who become aware of a possible breach of this policy by themselves or others are required to report it to [Company] IT or HR. Where the report concerns a qualifying disclosure under the Public Interest Disclosure Act 1998 (PIDA), the [Company] Whistleblowing Policy applies and protects the reporting User from detriment.