Docaro

United Kingdom Acceptable Use Policy Clause Library

Created:
Explore a practical clause library for drafting acceptable use policies in the United Kingdom. This dataset helps readers compare, adapt, and understand key policy provisions, and supports the creation of an AI Generated Acceptable Use Policy for use in the United Kingdom.
Clause Name
Purpose
Typical Importance
Applies To
Example Wording
Access and authentication
Individual User Accounts
Ensure each user is accountable for activity on corporate systems.
High
All staff
Users must access corporate systems only through their own allocated account and must not use another person's credentials.
Password Confidentiality
Prevent unauthorised access caused by shared or exposed passwords.
High
All staff
Users must keep passwords confidential and must not disclose, share, write down insecurely or reuse them in a way that creates security risk.
Multi-Factor Authentication
Reduce account compromise by requiring an additional authentication factor.
High
All staff
Users must use multi-factor authentication where required and must not attempt to bypass, disable or transfer authentication factors.
Privileged Account Use
Restrict administrator rights to approved business purposes.
High
Privileged users
Privileged accounts must be used only for authorised administrative tasks and not for ordinary email, browsing or personal activity.
Screen Locking
Prevent unauthorised access to unattended devices.
High
All staff
Users must lock screens or log off before leaving any device unattended, including when working away from company premises.
Access Changes And Leavers
Ensure access is amended or removed when roles change or end.
High
Employees only
Users must notify their manager promptly if system access is no longer needed or appears inconsistent with their role.
Least Privilege Access
Limit access to the minimum needed for the user's role.
High
All staff
Users must access only systems, folders and information that they are authorised to use for their work.
Authentication Tokens And Passcodes
Protect hardware tokens, authenticator apps and recovery codes.
High
All staff
Users must keep authentication tokens, one-time passcodes and recovery codes secure and must report any loss or suspected compromise immediately.
Email and messaging
Shared Mailboxes
Control accountability and access to shared email accounts.
Medium
All staff
Shared mailboxes must be used only by authorised users and in accordance with any role-based permissions or retention requirements.
Email Attachments
Reduce malware, phishing and accidental disclosure risks.
High
All staff
Users must take care when opening attachments or links and must not open suspicious content or send sensitive attachments without appropriate protection.
Phishing And Suspicious Messages
Ensure suspicious communications are reported and contained quickly.
High
All staff
Users must report suspected phishing, malicious links, unexpected payment requests or impersonation attempts using the approved reporting process.
Business Email Use
Set professional standards for corporate email communications.
Medium
All staff
Users must use corporate email professionally and must not send misleading, abusive, discriminatory, unlawful or unauthorised messages.
Instant Messaging And Collaboration Tools
Apply acceptable use standards to chat and collaboration platforms.
Medium
All staff
Users must use approved messaging and collaboration tools for business communications and must not share confidential information in unauthorised channels.
External Email Forwarding
Prevent uncontrolled transfer of corporate and personal data.
High
All staff
Users must not automatically forward corporate email to personal or unapproved external accounts unless expressly authorised.
Bulk Email And Distribution Lists
Prevent spam, disclosure errors and reputational damage.
Medium
All staff
Users must use distribution lists carefully and must check recipients before sending bulk messages or messages containing confidential information.
Internet use
Lawful Internet Use
Prohibit unlawful or harmful online activity using company systems.
High
All staff
Users must not use company systems to access, create, store or transmit unlawful, offensive, discriminatory, harassing or harmful material.
Unsafe Websites
Reduce exposure to malware, scams and credential theft.
High
All staff
Users must avoid websites that are suspicious, unsafe or unrelated to legitimate business purposes where they may expose systems to security risk.
Prohibited Online Content
Set boundaries for unacceptable online content and conduct.
High
All staff
Users must not access or distribute content that is illegal, pornographic, extremist, discriminatory, abusive or likely to bring the organisation into disrepute.
Excessive Bandwidth Use
Prevent excessive personal or non-business use affecting systems.
Medium
All staff
Users must not use company networks for excessive streaming, gaming, file sharing or other high-bandwidth activity unless authorised for business purposes.
Social Media Use
Manage reputational, confidentiality and conduct risks online.
Medium
All staff
Users must not post confidential information, make unauthorised statements on behalf of the organisation or use social media in a way that breaches workplace standards.
Web Uploads And Forms
Prevent accidental disclosure through online forms and uploads.
High
All staff
Users must not upload company information to websites, portals or online forms unless the destination is approved and the disclosure is authorised.
Device use
Company Device Care
Protect company laptops, phones and other equipment from loss or damage.
High
All staff
Users must take reasonable care of company devices and must keep them secure against loss, theft, damage and unauthorised use.
Bring Your Own Device
Set conditions for using personal devices for work.
High
All staff
Personal devices may be used for work only where approved and must comply with required security, access and remote wipe controls.
Removable Media
Reduce malware and data loss risks from USB drives and similar media.
High
All staff
Users must not use removable media for company information unless authorised and must protect approved media against loss, malware and unauthorised access.
Mobile Phones And Tablets
Secure portable devices used to access business systems.
High
All staff
Mobile devices used for work must be protected by a passcode or biometric control and must not be jailbroken, rooted or insecurely configured.
Lost Or Stolen Devices
Enable rapid containment and breach assessment after device loss.
High
All staff
Users must report lost, stolen or compromised devices immediately so that access can be disabled and any data breach risk assessed.
Device Encryption
Protect information if a device is lost or stolen.
High
All staff
Users must not disable encryption or other security controls applied to company devices or approved personal devices used for work.
Unauthorised Peripherals
Prevent risks from unknown hardware connected to company systems.
Medium
All staff
Users must not connect unauthorised storage devices, network equipment or other peripherals to company systems without approval.
Data handling
Personal Data Handling
Ensure personal data is handled lawfully, securely and only for authorised work purposes.
High
All staff
Users must handle personal data only as authorised and in accordance with the organisation's data protection policies and procedures.
Security Of Processing
Require appropriate technical and organisational security measures for personal data.
High
All staff
Users must follow required security measures when accessing, storing, sending or deleting personal data.
Confidential Information
Protect business secrets, client information and internal records.
High
All staff
Users must keep confidential information secure and must not disclose it except where authorised and necessary for their work.
Data Classification
Help users apply appropriate handling controls to different information types.
Medium
All staff
Users must classify, label and handle information in accordance with the organisation's approved classification scheme where one applies.
Secure Data Transfer
Protect information when shared inside or outside the organisation.
High
All staff
Users must use approved secure methods when transferring confidential information or personal data, particularly outside the organisation.
Cloud Storage And File Sharing
Prevent uncontrolled storage or sharing through unapproved cloud services.
High
All staff
Users must store and share company information only through approved cloud services and must apply access restrictions appropriate to the information.
Retention And Deletion
Avoid keeping personal data and records longer than needed.
High
All staff
Users must retain, archive and delete records in accordance with approved retention rules and must not keep unnecessary local copies.
Printing And Hard Copy Records
Reduce disclosure risks from printed documents.
Medium
All staff
Users must collect printed documents promptly and dispose of confidential hard copy records using approved secure disposal methods.
Personal Data Breach Reporting
Support prompt assessment and notification of personal data breaches.
High
All staff
Users must report any suspected loss, unauthorised disclosure or compromise of personal data immediately through the approved incident process.
Monitoring and enforcement
System Monitoring Notice
Inform users that system activity may be monitored for lawful purposes.
High
All staff
The organisation may monitor use of its systems for security, compliance, operational and investigation purposes in accordance with applicable privacy information.
Proportionate Workplace Monitoring
Ensure monitoring is limited, justified and transparent.
High
All staff
Monitoring will be carried out only where lawful, necessary and proportionate to a legitimate business purpose.
Audit Logs
Enable detection, investigation and accountability for system activity.
High
All staff
System access and activity may be logged and reviewed to protect systems, investigate incidents and verify compliance with this policy.
Breach Of Policy
Explain that misuse may result in action under company procedures.
High
Employees only
Breach of this policy may result in access restrictions, investigation and disciplinary action in accordance with the organisation's procedures.
Contractor Non-Compliance
Provide consequences for non-employee misuse of systems.
Medium
Contractors and consultants
Contractors and consultants who breach this policy may have access withdrawn and the matter may be referred to their employer or contracting party.
Cooperation With Investigations
Require users to assist reasonable security or compliance investigations.
Medium
All staff
Users must cooperate with reasonable requests relating to security, compliance or misuse investigations, including requests to return devices or provide relevant information.
Remote working
Remote Working Security
Apply security controls when working away from company premises.
High
Remote workers
Remote workers must take reasonable steps to protect devices, systems and information when working from home, client sites or public locations.
VPN And Secure Remote Access
Require approved secure channels for remote access.
High
Remote workers
Remote access to company systems must be made only through approved secure methods such as the organisation's VPN or managed remote access service.
Public Wi-Fi
Reduce interception and unauthorised access risks on public networks.
Medium
Remote workers
Users must take extra care when using public Wi-Fi and must use approved secure remote access where required.
Screen Privacy In Public
Prevent shoulder surfing and accidental disclosure in public places.
Medium
Remote workers
Users must position screens to reduce the risk of others viewing confidential information when working in public or shared spaces.
Home Printing
Control hard copy risks outside the office.
Medium
Remote workers
Users must not print confidential information at home unless necessary and must store and dispose of any printouts securely.
Household And Third-Party Access
Prevent family members or others using work devices or seeing data.
High
Remote workers
Users must not allow family members, visitors or other third parties to use company devices or access company information.
Software and downloads
Approved Software Only
Reduce malware, licensing and support risks from unauthorised software.
High
All staff
Users must install or use only software, applications and browser extensions that have been approved by the organisation.
Downloads From The Internet
Control downloads that may introduce malware or unwanted software.
High
All staff
Users must not download executable files, scripts, tools or other software from the internet unless the source and purpose are approved.
Software Licensing
Avoid unlawful copying or use of unlicensed software.
Medium
All staff
Users must not copy, install or use software unless the organisation holds appropriate licences or other permission.
Security Updates
Ensure devices and applications receive security patches.
High
All staff
Users must not prevent, delay or disable approved security updates, patches or endpoint protection on company systems.
Open Source Components
Control security and licensing risks in software development.
Medium
Privileged users
Users must use open source packages only in accordance with approved development, security review and licensing procedures.
Browser Extensions
Prevent browser add-ons from accessing data or weakening security.
Medium
All staff
Users must not install browser extensions or add-ons unless they are approved for business use.
Security obligations
Malware Protection
Maintain endpoint protection against viruses and malicious software.
High
All staff
Users must not disable malware protection, firewall settings or security tools installed on company systems.
Security Incident Reporting
Ensure suspected cyber incidents are reported quickly.
High
All staff
Users must report suspected security incidents, malware, unauthorised access, lost credentials or unusual system behaviour immediately.
Suspected Credential Compromise
Trigger fast password reset and account containment.
High
All staff
Users must report immediately if they believe a password, token, device or account has been lost, disclosed or compromised.
No Circumvention Of Security Controls
Prevent users weakening technical protections.
High
All staff
Users must not bypass, disable, alter or test security controls unless expressly authorised to do so as part of their role.
Physical Security Of IT Assets
Protect equipment and information from physical access risks.
High
All staff
Users must keep laptops, phones, access cards and other IT assets secure and must not leave them unattended in public places or vehicles where avoidable.
Unauthorised System Changes
Prevent unsupported or risky changes to systems.
High
Privileged users
Users must not alter system configurations, security settings or network connections unless authorised and, where required, approved through change control.
Vulnerability Reporting
Ensure weaknesses are reported and managed safely.
Medium
All staff
Users who identify a security weakness must report it promptly and must not exploit, publicise or test it without authorisation.
Personal use
Limited Personal Use
Permit reasonable personal use while protecting business interests.
Medium
All staff
Reasonable personal use of company systems is permitted only where it is lawful, occasional, does not interfere with work and does not create security or reputational risk.
Personal Use And Monitoring
Clarify that personal use may still be subject to lawful monitoring.
High
All staff
Users should understand that personal use of company systems may be monitored where lawful and proportionate and in accordance with privacy information provided by the organisation.
Personal Email Accounts
Prevent business data being handled through personal email.
High
All staff
Users must not send, receive, store or process company information or personal data using personal email accounts unless expressly authorised.
Personal Cloud Accounts
Prevent uncontrolled copying of business information to personal storage.
High
All staff
Users must not store, synchronise or back up company information to personal cloud storage or personal file-sharing services.
Personal Subscriptions And Accounts
Avoid mixing personal accounts with company systems and data.
Low
All staff
Users must not use company payment details, email addresses or systems for personal subscriptions unless expressly permitted.
Personal Device Connections
Reduce risks from connecting personal devices to company equipment.
Medium
All staff
Users must not connect personal devices to company computers or networks except where permitted by the organisation.
Access and authentication
Temporary Staff Access
Limit short-term users to approved access for the assignment.
Medium
Temporary staff
Temporary staff must use only the access granted for their assignment and must return devices, credentials and information when the assignment ends.
Data handling
Use Of AI Tools
Control risks from entering company or personal data into AI services.
High
All staff
Users must not enter confidential information, personal data or client data into AI tools unless the tool and use case have been approved.
Email and messaging
Payment And Bank Detail Requests
Reduce business email compromise and payment diversion fraud.
High
All staff
Users must verify payment instructions, bank detail changes and urgent financial requests through approved independent checks before acting.
Internet use
Copyrighted Material
Prevent unauthorised copying, downloading or sharing of protected works.
Medium
All staff
Users must not use company systems to copy, download, stream or distribute copyright material unless permitted by licence or law.
Security obligations
Unauthorised Access To Systems
Prohibit hacking, unauthorised access and misuse of systems.
High
All staff
Users must not attempt unauthorised access to any system, account, data or network, whether belonging to the organisation or a third party.
Email and messaging
Abusive Or Threatening Communications
Prevent offensive, threatening or abusive electronic communications.
High
All staff
Users must not send messages that are threatening, abusive, grossly offensive, discriminatory, harassing or intended to cause distress.
Discriminatory Or Harassing Use
Prevent use of systems for discrimination, harassment or victimisation.
High
All staff
Users must not use company systems to discriminate, harass, bully or victimise any person, including on grounds protected by equality law.
Internet use
Obscene Or Illegal Images
Prohibit illegal obscene content and safeguard users and systems.
High
All staff
Users must not access, store, create, transmit or distribute obscene, indecent or illegal images or material using company systems.
Terrorism And Extremist Content
Prohibit accessing or sharing terrorist or extremist material.
High
All staff
Users must not access, download, store or distribute terrorist or extremist material unless expressly authorised for a lawful business purpose.
Monitoring and enforcement
Interception And Communications Privacy
Ensure communications monitoring respects legal limits.
High
All staff
Communications monitoring will be carried out only where permitted by law and authorised by the organisation for legitimate purposes.
Email and messaging
Business Communications Records
Keep business communications accessible as organisational records.
Medium
All staff
Business communications sent or received using company systems are organisational records and must be stored and managed in approved systems.
Data handling
Clear Desk And Clear Screen
Prevent casual viewing or loss of confidential information.
Medium
All staff
Users must keep confidential papers, devices and screens secure when away from their workstation or working in shared areas.
Use Of Approved Storage Locations
Ensure work data is backed up and recoverable.
High
All staff
Users must save work information in approved storage locations and must not keep the only copy of business data on local devices or removable media.
Encryption For Sensitive Transfers
Protect sensitive information sent outside controlled systems.
High
All staff
Users must encrypt or otherwise protect sensitive information before sending it externally where required by policy or risk assessment.
Email and messaging
Meeting Recording
Control privacy and confidentiality risks from recorded meetings.
Medium
All staff
Users must not record meetings or calls unless authorised and participants have been informed where required.
Internet use
Guest Network Use
Separate visitor and unmanaged device traffic from business systems.
Medium
Contractors and consultants
Visitors, contractors and unmanaged devices must use only approved guest network access unless separate access is authorised.
Security obligations
Access Cards And Badges
Protect physical access credentials linked to IT and premises security.
Medium
All staff
Users must keep access cards and badges secure, must not lend them to others and must report loss immediately.
Device use
Return Of IT Assets
Ensure company equipment and data are returned when access ends.
High
Employees only
Users must return all company devices, media, access cards and information when requested or when their employment or engagement ends.
Secure Disposal Of Devices And Media
Prevent data recovery from retired devices or media.
High
Privileged users
Devices and media containing company information must be disposed of, reused or transferred only through approved secure processes.
Software and downloads
Administrative Tools
Control powerful tools that can alter systems or extract data.
High
Privileged users
Administrative, scanning, remote control or scripting tools may be used only by authorised users for approved business purposes.
Data handling
Production Data In Testing
Limit personal or confidential data in non-production environments.
High
Privileged users
Production data must not be copied into test or development environments unless authorised and protected by appropriate controls.
Remote working
Remote Support Sessions
Control third-party or internal remote access to devices.
Medium
Remote workers
Users must permit remote support access only through approved tools and only where the support request is expected or verified.
Data handling
Photography And Screenshots
Prevent data leakage through photos, screenshots or screen captures.
Medium
All staff
Users must not take or share photographs, screenshots or screen recordings of confidential information unless authorised for a business purpose.
Security obligations
Network Scanning And Security Testing
Prevent unauthorised testing that may disrupt systems or breach law.
High
Privileged users
Users must not conduct vulnerability scans, penetration tests or similar activity unless expressly authorised and scoped by the organisation.
Access and authentication
Temporary Credentials
Control short-term passwords, guest access and emergency accounts.
Medium
Temporary staff
Temporary credentials must be used only for the approved period and purpose and must not be shared or retained after access ends.
Personal use
Separation Of Personal And Business Data
Reduce privacy and retrieval issues on company systems.
Medium
All staff
Users should keep personal files and communications separate from business records and should not store excessive personal material on company systems.

What Should A UK Acceptable Use Policy Cover?

A strong UK acceptable use policy should cover more than basic internet rules. The clause library shows that the highest-priority areas are access control, authentication, data handling, security reporting, monitoring notices, software restrictions, remote working and email use. These areas align with UK data protection expectations, cyber security good practice and common employment risk controls.

How Should Monitoring Be Addressed In An Acceptable Use Policy?

Monitoring clauses should be clear, proportionate and linked to legitimate business purposes such as security, compliance, service management and investigation of misuse. UK employers should explain what may be monitored, why it may be monitored and who may review the information. This supports transparency duties under the UK GDPR and Data Protection Act 2018.

Which Clauses Are Most Important For UK Data Protection Compliance?

The most important data-related clauses are those covering confidential information, personal data, removable media, cloud storage, email attachments, data classification, data transfer, incident reporting and secure disposal. These controls help reduce risks of unauthorised disclosure, loss, malware infection and personal data breaches.

Should Personal Use Be Allowed?

The dataset supports allowing only limited, reasonable personal use where it does not interfere with work, create security risks, breach law or involve offensive, unlawful or excessive activity. If personal use is permitted, the policy should make clear that use of corporate systems may still be monitored in accordance with the organisation's monitoring notice and privacy information.

Who Needs Extra Rules?

Remote workers and privileged users need additional controls. Remote workers should be subject to rules on VPN use, secure Wi-Fi, screen privacy, device storage and reporting lost devices. Privileged users should be subject to stricter rules on administrator accounts, elevated access, segregation of duties, logging and approval of high-risk system changes.

Acceptable Use Policy Clause Library
Want to Generate Your own Acceptable Use Policy?
Docaro AI can help you write your own Acceptable Use Policy for use in the United Kingdom in minutes.
Generate Your Document Now

FAQs

A United Kingdom Acceptable Use Policy clause library is a collection of pre-drafted clauses commonly used to create or customise an IT acceptable use policy for UK organisations.
Show All FAQs

You Might Also Be Interested In

UK Acceptable Use Policy Compliance Considerations
UK acceptable use policy compliance tips covering key legal, security, and workplace considerations for organisations.
IT Resources Covered by Acceptable Use Policies
Learn which IT resources are covered by acceptable use policies in the United Kingdom and why they matter for compliance.
United Kingdom IT Acceptable Use Policy Scope Decision Tree
United Kingdom IT acceptable use policy scope decision tree for deciding coverage, users, systems, and workplace technology risks.
United Kingdom Acceptable Use Policy Sign-Off Decision Tree
United Kingdom guide to acceptable use policy sign-off decisions, helping teams identify the right reviewers and approvers.

References and Information Sources