IT Acceptable Use
Sample Documents
Updated 24/9/07
Please note that sample documents are supplied as examples which can act as starting points and prompters. They should not be taken as definitive, complete or even sufficient for your purposes - you should at the very least consider how your circumstances (requirements, organisational structure etc) differ. But they should be a lot better than a blank sheet!
Items in italics in the body of the text are Notes.
Important Note: The document below was drafted long before the RIP Act and various Data Protection Codes.
The TUC and Industrial Society (now The Work Foundation) have jointly produced guidelines which suggest that any code of practice should set out to encourage responsible behaviour, good management practice and safeguard worker privacy. Policies should:
- warn users that emails may be electronically scanned for obscene, indecent, racist or illegal remarks
- allow for the occasional and reasonable personal use of email, as long as this does not interfere with an employee's work
- give assurances that emails between union reps and members will not be monitored or read by managers
- remind employees that their emails may be checked by others at work if they are unexpectedly absent or have gone on leave without leaving forwarding arrangements.
The Information Commissioner's Office has a section on Codes of Practice under Data Protection law. Part 3 covers Monitoring at Work.
Another source of advice is currently (Feb 01) available on AccountingWeb (registration required). Ignore the reference to more being available on Baltimore Tech website, though!
This document is of uncertain origin, but could be a useful starting point and the basic approach is sound. You may well need to remove or adapt sections which do not apply - e.g. if your organisation does not have an intranet (web site for internal access only).
Acceptable Use of <yourorg>'s IT facilities
1. Reasons for having this policy
All <yourorg>'s IT facilities and information resources remain
the property of <yourorg> and not of particular individuals,
teams or departments (Note 1). By following this policy we'll help
ensure IT facilities are used:
- legally;
- securely;
- without undermining <yourorg>;
- effectively;
- in a spirit of co-operation, trust and consideration for others;
- so they remain available.
The policy relates to all Information Technology facilities and services provided by <yourorg>. All staff and volunteers are expected to adhere to it.
2. Precautionary and Disciplinary Measures
Deliberate and serious breach of the policy statements in this section will lead to disciplinary measures which may include the offender being denied access to computing facilities.
2.1 Copyright:
Take care to use software legally in accordance with both the letter
and spirit of relevant licensing and copyright agreements.
Copying software for use outside these agreements is illegal and
may result in criminal charges.
2.2 Security:
* Don't attempt to gain unauthorised access to information or facilities.
The Computer Misuse Act 1990 makes it a criminal offence to obtain
unauthorised access to any computer (including workstations and
PCs) or to modify its contents. If you don't have access to information
resources you feel you need, contact your IT Support person or provider.
* Don't disclose personal system passwords or other security details
to other staff, volunteers or external agents and don't use anyone
else's login; this compromises the security of <yourorg>.
If someone else gets to know your password, ensure you change it
or get IT Support to help you (Note 2).
* If you leave your PC unattended without logging off, you are responsible
for any misuse of it while you're away.
* ALWAYS check floppy disks for viruses, even if you think they
are clean (contact IT Support to find out how). Computer viruses
are capable of destroying <yourorg>'s information resources.
It is better to be safe than sorry.
2.3 Information about people: If you're recording or obtaining information about individuals make sure you are not breaking Data Protection legislation (your IT Manager or Line Manager can give you more information).
2.4 You are a representative of <yourorg> when you're on
the Internet using email:
* Make sure your actions are in the interest (and spirit) of <yourorg>
and don't leave <yourorg> open to legal action (e.g. libel).
* Avoid trading insults with other people using the Internet with
whom you disagree.
* Obscenities/Pornography: Don't write it, publish it, look for
it, bookmark it, access it or download it.
2.5 'Electronic monitoring': Any information available within IT
facilities must not be used to monitor the activity of individual
staff in any way (e.g. to monitor their working activity, working
time, files accessed, internet sites accessed, reading of their
email or private files etc.) without their prior knowledge. Exceptions
are:
* in the case of a specific allegation of misconduct, when the Management
Team can authorise accessing of such information when investigating
the allegation
* when the IT Support section cannot avoid accessing such information
whilst fixing a problem.
In such instances, the person concerned will be informed immediately
and information will not be disclosed wider than is absolutely necessary.
In the former case their access to IT facilities may be disabled
pending investigation.
3. Email Policy
3.1 When to use email:
* Use it in preference to paper to reach people quickly (saving
time on photocopying / distribution) and to help reduce paper use.
Think and check messages before sending (just as you would a letter
or paper memo).
* Use the phone (including voicemail if no reply) for urgent messages
(email is a good backup in such instances).
* Use <yourorg>'s intranet (not email) to communicate all
relatively static information (e.g. policy, procedures, briefing
documents, reference material and other standing information). Record
information on the intranet in a well-structured manner (consulting
with the Web Systems Administrator as appropriate). Use email merely
as a pointer to draw attention to new and changed information on
the intranet.
3.2 Use of Distribution Lists:
* Only send Email to those it is meant for; don't broadcast (i.e.
send to large groups of people using email aliases) unless absolutely
necessary since this runs the risk of being disruptive. Unnecessary
(or junk) email reduces computer performance and wastes disc space.
* Use the standard aliases (Note 3) for work related communication
only.
* If you wish to broadcast other non work related information or
requests (e.g. information or opinions on political matters outside
the scope of <yourorg>'s campaigning, social matters, personal
requests for information etc.) it is better to use a Webmail account
(Note 4) or a personal email account at home; don't use the standard
(work) aliases.
* Keep <yourorg>'s internal email aliases internal. If you
are sending an email both to a <yourorg> alias and outside
of <yourorg>, use the alias as a blind carbon copy (i.e. the
bcc address option) so that the external recipient does not see
the internal alias.
* Don't broadcast emails with attachments to large groups of people
- either note in the email where it is located for recipients to
look, or include the text in the body of the email. Failure to do
this puts an unnecessary load on the network.
3.3 General points on email use:
* When publishing or transmitting information externally be aware
that you are representing <yourorg> and could be seen as speaking
on <yourorg>'s behalf. Make it clear when opinions are personal.
If in doubt, consult your line manager.
* Check your in-tray at regular intervals during the working day.
Keep your in-tray fairly empty so that it just contains items requiring
your action. Try to decide what to do with each email as you read
it (e.g. delete it, reply to it, save the whole email in a folder,
or extract just the useful information and save it somewhere logical).
* Keep electronic files of electronic correspondence, only keeping
what you need to. Don't print it off and keep paper files unless
absolutely necessary.
* Use prefixes in the subject box whenever appropriate (Note 5).
* Treat others with respect and in a way you would expect to be
treated yourself (e.g. don't send unconstructive feedback, argue
or invite colleagues to publicise their displeasure at the actions
/ decisions of a colleague).
* Don't forward emails warning about viruses (they are invariably
hoaxes and IT Support will probably already be aware of genuine
viruses - if in doubt, contact them for advice).
3.4 Email etiquette:
* Being courteous is more likely to get you the response you want.
Do address someone by name at the beginning of the message, especially
if you are also copying another group of people.
* Make your subject headers clear and relevant to your reader(s),
e.g. don't use subject headers like "stuff"; don't send a
subject header of, say, "accounts" to the accountant.
* Try to keep to one subject per email, especially if the content
is complex. It is better for your reader(s) to have several emails
on individual issues, which also makes them easy to file and retrieve
later. One email covering a large variety of issues is likely to
be misunderstood or ignored.
* Using asterisks at each end of a word (eg *now*) is common practice
for highlighting text.
* Capitals (eg NOW) can also be used to emphasise words, but should
be used sparingly as it is commonly perceived as 'shouting'.
* Don't open email unless you have a reasonably good expectation
of what it contains, e.g. do open report.doc from an Internet
colleague you know; don't open explore.zip sent from an address
you've never heard of, however tempting. Alert IT Support if you
are sent anything like this unsolicited.
This is one of the most effective means of protecting <yourorg>
against email virus attacks.
* Keep email signatures short.
Your name, title, phone/fax and web site address may constitute
a typical signature.
* Understand how forwarding an email works.
If you forward mail, it appears (to the reader) to come from the
originator (like passing on a sealed envelope).
If you forward mail *and edit it* in the process, it appears to
come from you - with the originator's details usually embedded in
the message. This is to show that the original mail is no longer
intact (like passing on an opened envelope).
4. Miscellaneous
4.1 Hardware and Software: All purchases should be approved by the IT Manager, preferably through the IT budget.
4.2 Installing Software: Get permission from IT Support before you install any software (including public domain software - see Note 6) on equipment owned and/or operated by <yourorg>.
4.3 Data transfer and storage on the network:
* Keep master copies of important data on <yourorg>'s network
and not solely on your PC's local C: drive or floppy discs. Otherwise
it will not be backed up and is therefore at risk.
* Ask for advice from IT Support if you need to store, transmit
or handle large quantities of data, particularly images or audio
and video. These large files use up disc space very quickly and
can bring your network to a standstill.
* Be considerate about storing personal (non-<yourorg>) files
on <yourorg>'s network (Note 7).
* Don't copy files which are accessible centrally into your personal
directory unless you have good reason (i.e. you intend to amend
them or you need to reference them and the central copies are to
be changed or deleted) since this uses up disc space unnecessarily.
4.4 Use of facilities for leisure or personal purposes (e.g. sending
and receiving personal email, playing computer games and browsing
the Internet) is permitted so long as such use does not:
* incur specific expenditure for <yourorg>
* impact on your performance of your job (this is a matter between
each member of staff and their line manager)
* break the law
* bring <yourorg> into disrepute.
4.5 Care of equipment:
* Don't re-arrange how equipment is plugged in (computers, power
supplies, network cabling, modems etc.) without first contacting
IT Support.
* Don't take food or drink into rooms which contain specialist equipment
like servers (Note 8). Access to such rooms is limited to authorised
staff.
NOTES
(1) In-house software: This is software written by staff or volunteers
using <yourorg>'s equipment. It is <yourorg>'s property
and must not be used for any external purpose. Software developers
(and students) employed at <yourorg> are permitted to take
a small "portfolio" of such in-house software source code/executables,
which they may have developed, for use in subsequent work, subject
to agreement with the IT Manager.
(2) Personal passwords: Disclosure to other staff, volunteers or
external agents: This may be necessary in some circumstances. Such
a practice is allowed only if sanctioned by a member of the Management
Team after discussion with IT Support. If the password is disclosed
for a one-off
task, the owner must ensure that his / her password is changed (by
contacting IT Support) as soon as the task is completed.
(3) Email aliases are pre-defined 'shortcuts' for distributing internal
email to specific groups of people. IT Support can tell you what
these are and how to use them.
(4) Webmail accounts are personal email accounts that are stored
on the Internet and can be accessed from anywhere with a standard
browser, eg home or cybercafe. IT Support can advise you on setting
up such an account.
(5) Subject box prefixes: These are 'U:' for Urgent, 'FYI' for
your information and 'AC:' for requires action. If the email is a very
brief message confined solely to the subject line, it should in
addition be prefixed with '**' to indicate "just read this
line".
(6) Public domain software or Freeware: This is software that is
available free of charge, usually by downloading from the internet.
(7) Personal Data: As a guideline, keep your personal data down
to 10MB. Ten emails require 0.15MB on average (depends a lot on
whether they have attachments). A 10-page word processed document
requires about 0.1MB. Screen saver images require much more disc
space and vary greatly - some may be as large as 2MB.
(8) Computer Room: This room on the ???? floor contains <yourorg>'s
file server.
Keep the door closed at all times and locked outside normal working
hours.
