
WHITEPAPER

The Acceptable Use Policy

Maximising Compliance and Minimising Risk

A Whitepaper by Jonathan Naylor, Employed Barrister at Shoosmiths Solicitors

www.messagelabs.com
info@messagelabs.com
WHITEPAPER

Contents

Are you managing your online footprint? P1
I have an AUP, surely I am now protected? P2
How do I go about creating an AUP or revising the one I currently have? P2
What about remote workers? P2
What should be in an AUP? P3
Common mistakes when creating an AUP P3
Common myths when creating an AUP P4
Maximising compliance and minimising risk P5
About Symantec Hosted Services P6


Are you managing your online footprint?

As the online landscape continues to evolve, both employers and employees have become painfully
aware of the importance of managing their online “footprint”. Potential consequences could be as
serious as major public relations or brand damage to a business, or perhaps as trivial as the employee
who is caught out by their own employer; for example, the employee who claimed to be off sick with
terrible back pain but whose employer, on reviewing a social networking site, discovered photographs of
the employee celebrating with friends at the Rugby Union World Cup Final.

Employers whose business success depends on their reputation are becoming increasingly sophisticated
in their awareness of what information is online and how such information can be managed. Perhaps
in response to the warning a few years ago from the Trades Union Congress, that employee use of
Facebook might represent “HR accidents waiting to happen”, many employers ban all use of social
networking sites on corporate systems. Set against this, some employers view blogs, tweets or other
media as an opportunity to promote a positive image of the business. Whether to adopt a restrictive or
permissive approach will depend on the individual organisation but simply ignoring the issue is a risky
strategy.

Over the last decade businesses have, either through good planning and awareness or, alternatively,
painful experience of something going wrong, learnt that with ever increasing employee access to
Internet, email and Instant Messaging (“IM”) systems while at work, regulation of this area cannot be
left to chance.

The AUP is the bedrock of any organisation’s management of employee use of corporate IT systems. A
well drafted AUP will, amongst other things:

• set out the types of behaviour expected of employees (and equally the types of behaviour that will
result in an employee facing disciplinary action);

• detail specific provisions that are tailored to the organisation’s needs or particular areas of risk;

• highlight to employees that the systems are predominantly for work use and that personal use
should not interfere with an employee’s ability to undertake their duties; and

• explain that an employee’s usage will be monitored and where necessary disciplinary action will be
taken.

It is crucial, once an AUP has been drafted, that it is distributed to all staff; that an explanation is given
to employees so that they understand why the policy is needed and what it is there to do; and
that the policy is then consistently enforced by management so that it does not fall into either disuse or
disrepute.

A common failing is that organisations feel that they have “fixed” the problem simply by drafting an
AUP. This AUP may then gather dust on the shelf, while the company, its employees and the risks that
the business faces, all change. This can mean that when an act of misconduct by an employee prompts
management to dust down the AUP and seek to enforce it, they find that the specific problem they now
face is not adequately covered by the AUP. In this type of situation, the employee may also be able to
raise substantial arguments about his lack of knowledge of the AUP or the previous lack of enforcement
by the employer, that may lead a Tribunal to conclude that the company has acted unfairly in taking
whatever action it did against the employee.


I have an AUP, surely I am now protected?

Simply establishing an AUP is not in itself a sufficient response. Part of the challenge for employers is to
explain to employees why misuse of the Internet, email or IM system is so potentially damaging.

Employees must be informed as to why misuse of these company systems can be so significant. Employees
are never likely to welcome the fact that an employer will monitor their activities while at work but, if it is
conveyed to the employee that part of the reason for the monitoring is to avoid the potential of personal
consequences for any employee, then it may be that at least a grudging understanding is obtained. For
example, many employees may not appreciate that if a colleague brings a claim of discrimination
(perhaps a claim of sexual harassment based on offensive emails) not only can the employer be liable for
any compensation ordered by a Tribunal, but the individual employee can be named as a Respondent in
any proceedings and a financial award made personally against that employee. The fact that there may
be a direct financial consequence to the offending employee may help to concentrate their mind.

Furthermore, any AUP must be backed up with a tailored technology solution; the AUP is only part of the
story. The technical solution that you put in place must be relevant to the particular risks that you face
as a business and also the policy that has been drawn up to meet those risks.

As an employer, the organisation has a duty to take reasonable steps to put in place a safe system of
work for employees. This will involve, for example, putting in place reasonable technical solutions to
seek to block spam emails from reaching employees. Employers are not obliged to go to unlimited
expense to implement the most perfect system for dealing with every conceivable threat, but they will be
expected to put in place a reasonable level of protection for their own employees.

How do I go about creating an AUP or revising the one I currently have?

The starting point is to assess the particular needs of the business in the light of the specific risks that
it will face; hence a risk assessment of some sort is the first step. Such an assessment will provide the
basis for drafting the necessary AUP and subsequently the tailoring of a technical solution to support
that AUP. Failure to make a proper assessment at the outset will lead to an incomplete solution being
implemented later in the process.

When drafting the AUP itself, input should be obtained from any HR support within the organisation.
What is technically possible is not necessarily good employment practice and therefore this has to be an
area where an organisation’s IT department talks with its HR department to create a combined solution.
Senior management approval must be sought at an early stage so that there is a real commitment to the
principles in the AUP.

When the AUP is complete and ready for distribution, there is a requirement to educate employees,
so that they understand why the new policy is being produced and what it is intended to achieve. As
mentioned above, a shrewd employer will seek to explain to employees the risks that the employer is
attempting to address under the AUP and therefore to demonstrate the benefits not only to the business
but also to individual employees from having a clear AUP to set the boundaries of reasonable behaviour.

What about remote workers?

There is some evidence that remote workers may be more likely to access inappropriate material and
websites when working away from the office, so any AUP needs to consider specific risks that might
relate to such workers.

An employer should conduct a risk assessment prior to any remote worker commencing work,
identifying any specific steps that might be taken to mitigate possible dangers. The employer can
maintain a degree of control by retaining ownership of the equipment used by the remote worker,
ensuring appropriate security is used and by conducting regular checks on the equipment.

The increasing use of mobile technology such as Blackberries and laptops, combined with the growth in
wireless technology, also demands a response from employers to protect the security of data. Security
solutions are required but organisations should also ensure that their AUP deals with remote working
and provides guidance to employees as to the additional risks.

What should be in an AUP?

The contents of AUPs vary; some are comprehensive, covering all forms of communications used by
the business (including Blackberries/PDAs, telephone communications, etc.) whereas others are more
limited. Which coverage is most suitable for an organisation will depend on the nature of the usage by
employees. For example, if the use of Blackberries is confined to one or two directors of the business,
the need for any AUP to cover this is obviously greatly reduced when compared with a business which
has scores of users. All AUPs should clearly state which categories of workers are covered, for example,
if a business uses contractors or temporary workers it should be stressed that the policy also applies to
them.

In setting the boundaries of acceptable use of corporate IT systems, the AUP should deal with issues
such as the downloading of software or other material from external sources and what is appropriate
email etiquette (such as the avoidance of chain emails or an aggressive/abusive tone in emails).

Being clear about the limits of reasonable personal web and email use is obviously a key factor, both
in terms of the content of material to be accessed or sent and also the time involved in such personal
use. For example, will the employer permit reasonable personal use at all times (provided it does not
interfere with the employee’s ability to undertake their work duties) or should personal use be confined
to time outside normal working hours? Examples of the categories of website which are unacceptable
for employees to visit should be given (such as gambling or pornographic sites).

The steps that the employer will take to monitor employee use should be explained and it should be
specified that misuse may lead to disciplinary action being taken by the employer. Recent case law,
such as Grant & Ross v Mitie Property Services, highlights the importance of clear terms in any
disciplinary policy to justify disciplinary action for Internet misuse. In that case, the dismissal of two
employees for personal use of the Internet during working hours was held to be unfair as the company’s
disciplinary policy did not class this behaviour as gross misconduct and the employer’s decision was
deemed unreasonable.

Common mistakes when creating an AUP

One of the most frequent errors made by employers is drafting the AUP and then almost immediately
forgetting about it, considering the “box to have been ticked”. What is equally important is the
distribution of the policy to, and education of, employees regarding the AUP so that they understand
what is being proposed and why. This will help to achieve at least a degree of employee “buy in” to the
aims of the organisation.

Employers often underestimate the importance of tailoring the AUP to their specific needs. Tempting
though it may be to rely on the low cost solution of a standard template (or even a document used by
another organisation) this may prove to be a false economy. The AUP (which after all will form the basis
of your monitoring and the way in which your technical solution will operate) must do what you want it
to do. Many employers who use a generic form of AUP then get into difficulty when trying to implement
this in specific situations which have arisen. For example, if the AUP does not contain a sufficiently clear
linkage to the organisation’s disciplinary procedures, it may be that employees will seek to argue that
they did not appreciate that an act which is contrary to the AUP is also a serious disciplinary matter.

Another common failing is that many businesses do not review and revise their AUPs as the needs of
the business change. As the number of users of corporate IT systems increases, different challenges
will arise. For example, remote or home workers often present an even greater risk of inappropriate use,
perhaps due to a perception that they are out of sight and out of mind. If there are changes in the way
in which employees are working, then the employer may be left exposed to greater risk if the AUP is not
amended to reflect these changes.

Common myths when creating an AUP

There are also a number of myths which seem to surround the area of employee use of the Internet and
email and the consequent monitoring by employers. For example:

Personal use of IT systems is a must

Many employers seem to be under the impression that they have to allow employees to have personal
use of work Internet and email systems. This is not in fact the case, although with the increasing
flexibility demanded of employees in terms of their working hours, most employers accept that it is
reasonable to allow at least limited personal use.

It’s a breach of my human rights!

Employees who find themselves in hot water as a result of misuse of the corporate IT systems may well
argue that the employer has in some way breached their human rights by conducting monitoring. This
is generally an argument that does not find much favour with courts or tribunals. In the first instance,
direct claims for breach of the Human Rights Act can only be made by employees of public bodies such
as NHS Trusts or Local Authorities. Private sector employees can only bring a claim for breach of the
Human Rights Act if the employee can add this to another form of claim such as unfair dismissal or
breach of contract; there is no free standing right for private sector employees to bring Human Rights
Act claims.

Cases such as McGowan v Scottish Water and Pay v UK demonstrate that provided the employer’s
actions are proportionate it is highly unlikely that employees could succeed in any claim.

We all need social networking

Access to social networking sites presents a dilemma for employers. Most employers do not allow
access to these sites and there is certainly no law that insists that employees should have such access.
Some organisations take the view that these types of sites actually assist employees in making social
connections which can aid the business, but employers have to consider whether the benefits that might
arise from such use are outweighed by the damage that might be done.

Employees must also be aware that their online profile may come back to haunt them, with a survey
conducted by Microsoft in December 2009 suggesting that approximately 40% of UK recruiters had
rejected candidates following searches against their online footprint.

All blogging is evil

The increase in blogging and micro-blogging is often a concern for employers, particularly those
organisations with a public profile, such as retailers. However, just because a negative comment is
made by an employee in their blog, this is not necessarily grounds for immediate dismissal by the
employer. The question is whether the comments made by the employee amount to misconduct under
the employer’s disciplinary procedure, for example, conduct which brings the employer into disrepute,
and also the scale of the misconduct. There appears to be a recent trend of customer service operatives
using blogs or social networking sites to be very critical of both their employers and also the customers
that they serve. This can be highly embarrassing for the employer, but the organisation should not act in
haste; rather, it should investigate the matter thoroughly before coming to a considered decision.


If in doubt, archive everything

Many employers also seem to think that there is a particular magic period of time which must be allowed
to pass before emails can be deleted. Rumours abound about the need to keep all email traffic for five,
seven or even ten years. In reality, it is not as simple as setting an arbitrary deadline for all emails. The
shrewdest solution would be to make an assessment of the content of particular email traffic, enabling
business critical data to be stored and irrelevant information to be deleted.

When assessing storage times, the timeframes for litigation may be of some assistance. For example,
most personal injury claims must be brought within three years of the date of the incident giving rise
to the injury and claims for breach of contract must usually be brought within a limitation period of
six years from the date of the alleged breach. While this type of litigation “long stop” date provides at
least some rough outline to employers as to how long certain information should be kept, organisations
should recognise that there will be large elements of information which could be deleted much sooner
than the guidance dates set out above. For example, there is really no valid reason for employers
to retain the personal bank details for temporary members of staff who have not been engaged for
some years. The data is clearly out of date, is unnecessary for the employer to retain and may well be
breaching the requirement on the employer under the Data Protection Act to ensure that it does not hold
excessive data.

IM is not permanent, so I don’t need to worry

Employers ignore the dangers of employee use of Instant Messaging (“IM”) at their peril. IM carries all of
the same risks associated with email correspondence, but is perhaps even harder to guard against given
the very immediate nature of the communication. Organisations need to approach IM as they would
other misuse of corporate IT systems, as the same risks of harassing/discriminatory communications,
loss of confidential data, possible brand damage, etc. all apply.

Maximising compliance and minimising risk

1. Conduct a thorough risk assessment, identifying the particular areas of concern to the specific
organisation.

2. Tailor any Acceptable Use Policy to the specific risks identified by the assessment.

3. Distribute the AUP and educate employees as to why the particular AUP is being implemented,
stressing the importance of the policy and also its role in protecting the employees and giving them
appropriate guidance on how to utilise corporate IT systems.

4. Ensure that any technical solution is also tailored to support the AUP that you have put in place.

5. Enforce the AUP consistently – there is no point in having the policy if it is never used or is
implemented in an inconsistent or unfair fashion.

6. Review the AUP regularly to ensure that it remains relevant to the threats faced by the business.

(This White Paper is for guidance purposes only and should not be taken as a statement of the law.
Detailed legal advice should always be sought in specific situations.)


About Symantec Hosted Services

Symantec Hosted Services is a leading provider of hosted messaging and web security services, with
over 29,000 clients ranging from small businesses to the Fortune 500, located in 99 countries. Symantec
Hosted Services protect, control, encrypt and archive communications across email, web and instant
messaging. These services are delivered by a globally distributed infrastructure and supported 24/7
by our security experts. This gives a convenient and cost-effective solution for managing and reducing
risk and providing certainty in the exchange of business information. For more information, please visit
www.messagelabs.co.uk.


>EUROPE

>HEADQUARTERS
1270 Lansdowne Court, Gloucester Business Park, Gloucester, GL3 4AB, United Kingdom
Tel +44 (0) 1452 627 627
Fax +44 (0) 1452 627 628
Freephone 0800 917 7733
Support: +44 (0) 1452 627 766

>LONDON
3rd Floor, 40 Whitfield Street, London, W1T 2RH, United Kingdom
Tel +44 (0) 203 009 6500
Fax +44 (0) 203 009 6552
Support +44 (0) 1452 627 766

>NETHERLANDS
WTC Amsterdam, Zuidplein 36/H-Tower, NL-1077 XV Amsterdam, Netherlands
Tel +31 (0) 20 799 7929
Fax +31 (0) 20 799 7801

>BELGIUM/LUXEMBOURG
Symantec Belgium, Astrid Business Center, Is. Meyskensstraat 224, 1780 Wemmel, Belgium
Tel: +32 2 531 11 40
Fax: +32 531 11 41

>DACH
Humboldtstrasse 6, Gewerbegebiet Dornach, 85609 Aschheim, Deutschland
Tel +49 (0) 89 94320 120
Support: +44 (0)870 850 3014

>NORDICS
St. Kongensgade 128, 1264 Copenhagen K, Danmark
Tel +45 33 32 37 18
Fax +45 33 32 37 06
Support +44 (0)870 850 3014

>AMERICAS

>United States
512 Seventh Avenue, 6th Floor, New York, NY 10018, USA
Toll-free +1 866 460 0000

>Canada
170 University Avenue, Toronto, ON M5H 3B3, Canada
Toll-free: 1 866 460 0000

>ASIA PACIFIC

>HONG KONG
Room 3006, Central Plaza, 18 Harbour Road, Tower II, Wanchai, Hong Kong
Main: +852 2528 6206
Fax: +852 2526 2646
Support: +852 6902 1130

>AUSTRALIA
Level 13, 207 Kent Street, Sydney NSW 2000
Main: +61 2 8220 7000
Fax: +61 2 8220 7075
Support: 1 800 088 099

>SINGAPORE
6 Temasek Boulevard, #11-01 Suntec Tower 4, Singapore 038986
Main: +65 6333 6366
Fax: +65 6235 8885
Support: 800 120 4415

>Japan
Akasaka Intercity, 1-11-44 Akasaka, Minato-ku, Tokyo 107-0052
Main: +81 3 5114 4540
Fax: +81 3 5114 4020
Support: +852 6902 1130
Confidence in a connected world.
