Acceptable Use of Information and Mobile Technology Policy
Last Updated 5 Jun 2022 in Ways of Working
Overview
Our IT facilities are important to the running of our business. This policy outlines how colleagues should use these assets effectively and safely.
Key points covered:
- What is considered to be Society IT equipment
- Safe use of passwords, removable media and Society software
- What is acceptable use of email and the internet
About this Policy
This policy outlines the standards that all colleagues are expected to follow with regard to the secure and acceptable use of the Society’s IT facilities and personal devices (equipment and technology personally owned by and used solely by the colleague).
This policy also covers the use of all forms of social media, including Facebook, LinkedIn, Twitter, Wikipedia, Instagram, Tumblr, TikTok, Snapchat, WhatsApp and all other social media sites, internet postings and blogs. It applies to the use of social media for business purposes as well as personal use that may impact on the wellbeing of colleagues and that may affect our business in any way. The Society recognises and promotes the benefits of using IT resources, such as PCs, laptops, tablets and phones, for working and connecting with our customers, members and fellow colleagues. However, inappropriate use can have a negative impact upon colleagues and the reputation of the Society.
The purpose of this policy is to enable colleagues to use IT devices in an effective, efficient, secure and ethical manner, and in a way that does not bring the Society or individual colleagues into disrepute, whether inadvertent or deliberate, and to reduce the risk to IT assets, including information assets relating to the Society’s customers and members.
This policy applies to all colleagues (whether employed on a full-time, part-time, fixed term or permanent basis), as well as agency staff and contractors. Anyone visiting our premises must also comply with the guidelines set out in the policy.
This policy does not form part of a colleague’s contract of employment and we may amend it at any time.
A failure to comply with this policy will be dealt with in accordance with our Disciplinary Policy and may result in disciplinary action up to and including dismissal. Colleagues may be requested to remove any social media content that we consider to constitute a breach of this policy.
This policy is to be read in conjunction with the Society’s Data Protection Policies.
Who is Responsible for this Policy?
All colleagues are expected to follow the guidelines set out in this policy. Colleagues are encouraged to raise concerns informally or report any misuse of IT to their line manager as soon as possible to ensure the matters are dealt with quickly and efficiently. Colleagues are asked to work with their line manager in the first instance to seek resolution or if they need assistance with this policy.
All colleagues must understand that the documents and data/information created using the Society’s IT facilities remain the property of the Society. It should be noted that this includes all emails sent and received using Society email addresses.
All managers must treat colleagues fairly and consistently in accordance with this policy. Managers must ensure all colleagues and visitors are informed of the policy and any signage to support this policy is clearly displayed in the appropriate places.
Society IT Facilities
The Society’s IT facilities include, but are not limited to, any computer (including laptops, and tablets), server or data/voice networks, wireless networks and any mobile phones, desk phones provided and supported by the Society (includes interface with and use of public networks).
The hardware, network and telecommunications systems are the property of the Society and access to the equipment is provided as a tool to support the Society’s business. Society equipment may be used for business, business related, and colleague personal use (if personal use is of an incidental nature and does not interfere with business activities). Usage and access to the Society’s equipment will only be granted through IS (Information Services) on an as needed basis defined by line managers. The Society reserves the right to temporarily or permanently limit, withdraw or restrict use of, or access to, any IT facilities at any time and for any reason.
Colleagues are reminded that whilst at work, the use of the IT facilities is intended for work purposes only.
Secure Use of Computer Systems
- Software Installation – Colleagues are not allowed to install or upgrade software on any PC without the specific permission of the Society’s IT Group (known as Information Services, IS).
- Hardware Integrity – It is the responsibility of each user to take all reasonable precautions to safeguard the physical security of the IT facilities. All systems must be reasonably protected against wilful and accidental damage, e.g. physical hazards such as liquid spills, and against unauthorised physical access to the machine.
- Software Integrity – Colleagues must take reasonable precautions to safeguard computer systems and data/information in their care. Colleagues are not allowed to use programs, utilities and/or any other device to circumvent security measures, determine or identify passwords, or breach conditional access systems. Malicious programs can cause serious disruption to the Society’s systems. You must not allow these programs onto your system and must take all reasonable steps to avoid such programs being loaded onto the Society’s systems.
- Networked devices/computers – Colleagues are not allowed to change or attempt to change network settings on any device without prior authorisation from the IS Group.
- FTP (File Transfer Protocol) Uploading – FTP is used to securely transfer files from one computer to another via the internet. It is generally used to transfer data to and from external contacts. Secure FTP must be used when transferring sensitive or confidential data/information. Anonymous FTP uploads are not allowed. Secure FTP sessions must be implemented through IS.
- Removable Media Use – Removable media such as USB flash drives, memory cards, mobile phones, laptops and PDAs (also known as handheld PCs) must only be used with explicit authorisation from your Line Manager. Only IS approved removable media devices must be used. Removable electronic media must be encrypted where possible and only encrypted devices must be used to store or transport sensitive or confidential data. Where possible the use of removable electronic media should be avoided and, if it is used to transport sensitive or confidential data, the data must be removed as soon as possible once it is no longer needed on the removable media.
- IT user identification and access – You must only access and use the Midcounties Co-operative Society network, systems and applications if you are authorised to do so. If you are granted access, it is to allow you to perform your duties efficiently, and access has been granted for your sole use by means of a unique user account and password. You must not give details of your user account and password to anyone, including your Line Manager. If a colleague has a requirement for access to email, drives or applications on the Midcounties network while located outside Midcounties sites or offices, a VPN connection is required. This will be provided by IS with the authorisation of your Line Manager (refer to section 5.6 for further detail).
- Office 365 – Files in Teams, SharePoint or OneDrive must not be shared with people outside of the organisation unless with specific permission.
- Use of IT facilities for personal trading – Colleagues should not use the Society’s IT facilities to solicit or distribute material connected with any business not owned by Midcounties. Please refer to the Society’s Colleague Personal Trading Policy for more information.
Passwords
Colleagues must always use strong passwords. Ensure the following:
- Passwords must be changed every 60 days.
- Do not use easily guessable words.
- Passwords must not be written down, shared (not even with IS) or disclosed to anyone, except upon termination when colleagues will be required to hand over their access to their Line Managers prior to leaving.
- Passwords must be at least 8 characters long, constructed using letters, both uppercase and lower case, numbers and special characters, e.g. $%^&*()£”!/\{}[].
- Colleagues who use a till must ensure that they use the correct till operator number and do not share their operator number and passwords with other colleagues. If you suspect that an account or password has been compromised, report the incident by logging an incident on ServiceNow and change all passwords.
Colleagues can change their password by using the FastPass password manager service.
Email Use
The Society will make reasonable efforts to maintain the integrity and effective operation of its email systems, but users are advised that those systems should in no way be regarded as a secure medium for the communication of sensitive or confidential information. Because of the nature and technology of electronic communication, the Society can assure neither the privacy of an individual user's use of the Society's email resources nor the confidentiality of particular messages that may be created, transmitted, received, or stored thereby.
While the Society has what we consider to be a strong virus protection system, care must be taken when opening email and email attachments. Colleagues must not open attachments from senders that they do not know or did not expect. If colleagues are unsure about any email or attachment, contact IS or delete the message as soon as possible.
Email mailboxes and folders must be kept free of unnecessary emails that would not be considered business related. Retaining an excessive amount of email causes poor email performance, extended email backup times and utilises unnecessary storage space.
Unacceptable use of emails includes:
- Sending messages which may be considered to be abusive or which may violate the dignity of a person or create an intimidating, hostile, degrading, humiliating or offensive environment (including, without limitation, any messages that are sexist, racist, obscene, abusive or defamatory). Emails of this nature could make the Society and the individual colleague liable in a court of law, and would also be in breach of the Respect in the Workplace Policy.
- The use of the email system to create or cause any detrimental impact on the Society or its systems.
- The use of third-party messaging systems other than those provided by the Society. Instant messaging systems are only permitted when required for daily functions or duties and approved by line managers.
- Using or allowing large attachments such as games, screensavers and pictures, etc. to be received and/or circulated via the Society’s email system. Auto-forwarding of Society emails is not permitted.
- Sending personal or sensitive information over the email system or via messaging systems. Please refer to the Data Protection Policies, including the information security policy, for more information on sensitive information.
- Personal emails in the Society’s email system will be subject to monitoring. It is advisable that colleagues do not send or forward personal emails that they do not wish to be read by a third party. Personal use of emails should be kept to a minimum while at work and such use is only permitted at an appropriate time such as your lunch break or before/after the start/end of your shift and with your manager’s permission to do so.
It should be noted that emails sent or received using the Society network may be subject to protected disclosure and the Society reserves the right to access user email accounts with the approval.
Internet and Intranet Use (including Colleagues Connect)
The Society Intranet is private and confidential and should be treated as such by all colleagues. Colleagues must not disclose information on the Intranet to unauthorised individuals or third parties. To share or disclose the Intranet or information held on it to individuals not employed by the Society, written permission must be received from the Society Communications Team (communications@midcounties.coop).
Internet and Intranet misuse includes, but is not limited to:
- Unreasonable or excessive time online (outside of job role remit), whether inside or outside core working hours. Accessing non-business websites including audio, film and software.
- Unauthorised blogs (web-logs), games, and anything with the following content: gambling, pornographic or adult-oriented material or anything that may violate the dignity of a person or create an intimidating, hostile, degrading, humiliating or offensive environment (including, without limitation, websites promoting violence, any sites that are of a sexist, racist, obscene, abusive or otherwise inappropriate nature), or illegal under UK law. It should be noted that use of the Intranet and Internet will be subject to monitoring by IS.
Acceptable use of Internet and Intranet includes, but is not limited to:
- Industry reports, economic information, business news, social media or any other internet or intranet use deemed relevant for colleagues’ roles or functions.
- News, weather, and responsible use of web-based email. Such use must be kept to a minimum and must be carried out during your lunch break or before/after the start/end of your shift. Your Line Manager or HR will be able to provide guidelines on this.
Colleagues may access and download information from the Internet, subject to the following restrictions:
- Downloading of freeware and shareware by users is prohibited.
- Downloading of non-executable data files is permitted.
Society Mobile Devices and Telephone Use
Colleagues are reminded that Society mobile phones and land lines are supplied for business purposes only. Due care must be taken when using telephones, voicemail, answering machines, facsimiles and recording equipment (e.g. photographic, video and audio equipment) to ensure the protection of confidential or personal information at all times. All of the Society’s mobile phones must be password protected. Only IT authorised apps must be downloaded on the company mobile phones.
Remote Access Technologies
Colleagues are not automatically granted remote access privileges.
Any and all work performed for the Society’s IT facilities by any and all employees through a remote access connection of any kind, is covered by this policy. Work can include (but is not limited to) email correspondence, using intranet resources, and any other Society application. Remote access is defined as any connection to the Society’s network and/or applications from off-site locations, such as the colleague’s home, hotel room, wireless devices, etc.
The Society’s resources (i.e. computer systems, networks, databases, etc.) must be protected from unauthorised use and/or malicious attack that could result in loss of information, damage to critical applications, loss of revenue, and damage to public image. Society networks must not be accessed via unsecured wireless communication mechanisms. Therefore, all remote access privileges for Society colleagues to enterprise resources must employ only Society-approved methods.
- Connection to another company’s network while connected to the Society’s network is prohibited.
- When connected to the Society network via VPN, all Internet browsing must go through the Society firewall. No split tunnelling is allowed.
- Do not provide login or email passwords to anyone, not even family members.
- Only Society approved VPN clients must be used.
- Remote access connections accessing sensitive Society information must be encrypted in transmission.
- Accounts enabled for vendor access will immediately be deactivated after use.
The Use of Personal Devices at Work
The Society understands that colleagues may need to use their personal mobile devices during their working day. However, colleagues must limit the use of their own devices to allocated break times and in dedicated break areas, unless otherwise agreed with their manager. Colleagues and visitors of our Society nurseries must never use mobile devices whilst children are present or in view.
Under no circumstances should personal mobile devices be used whilst colleagues are working in or visiting designated customer or member areas, for example: shop floors or nursery premises. Personal mobile devices should be stored in a safe place and turned off, or in silent mode.
It is important to note that the Society does not accept liability for personal mobile devices which colleagues choose to bring to their place of work.
Colleagues should adhere to any local procedures in relation to the use of mobile phones in their work area.
Charging personal mobile devices on Society premises is not permitted as the Society does not have visibility that the charging device has been PAT tested (Portable Appliance Tested) accordingly.
Emergencies and Exceptional Circumstances
We appreciate there may be emergency situations or exceptional circumstances that require colleagues to use personal mobile devices during working time. In such instances, colleagues must discuss this with their line manager and any necessary communication should be done during break times wherever possible. Colleagues should record their workplace contact number so they can be contacted in the event of an emergency.
Accessing Society Systems and Data on Personal Devices
Colleagues may access certain Society systems on their personal mobile devices outside of working hours, for example: Colleague Connect, Kronos app and Outlook. Colleagues are reminded that this practice is entirely voluntary on their behalf, and when doing so they must follow the guidelines within this policy and the Data Protection Policy.
Colleagues must not access any part of the IT facilities for which they do not have authorisation. If colleagues have a legitimate business reason or are wishing to access data or programs on their personal mobile device, they must first raise this with their line manager. Colleagues are provided with Society mobile phones where it is necessary in the performance of their role.
Use of Social Media
The Society respects the right of all colleagues to use social media and will generally seek to avoid any involvement in non-work related activities and behaviour. However, there are exceptions to this as set out in this policy. Those exceptions can include social media activity outside of working hours where colleagues are reasonably identifiable as a Society employee, or where interacting with other work colleagues.
We encourage colleagues to join in the conversations on our social media channels. Alongside this policy, the Society has a set of Social Media Guidelines that we ask everyone engaging with us on social media to use. This can be found on our Social Media page on colleagues connect.
Colleagues should consult with the communications team or individual trading groups before any social media is used on behalf of the Society.
Colleagues must be responsible about what they put on social media. They must ensure that their profile and related content is consistent with how they would wish to present themselves to colleagues, customers and members. Colleagues should remember that whatever their privacy settings, what is posted on social media is unlikely to be private and may be available to be read by a wider audience.
Colleagues should use their own discretion and common sense when engaging in online communication. The following guidance gives some general rules and best practices for colleagues to follow when using social media. Colleagues’ activity in breach of this guidance may be subject to disciplinary action.
- Colleagues must avoid making any social media communications that could damage our business interests or reputation, even indirectly.
- Colleagues must avoid making social media communication that could damage the employer/colleague relationships.
- Colleagues must not use social media to bully, harass or unlawfully discriminate against colleagues, customers or members.
- Colleagues should not engage in exchanges in response to unofficial social media reports about the Society and must report any such activity to their manager and the communications team. Colleagues must not respond without written approval.
- Colleagues should not make social media communication in the workplace unless doing so for specific Society/community platforms.
- Unless authorised to speak on behalf of the Society, either using a Society social media account or otherwise, colleagues should make it clear in social media postings that they are speaking on their own behalf and not on behalf of the Society.
- Colleagues must comply with the law in regard to copyright/plagiarism. Posting of someone else’s work without permission is not allowed.
- Colleagues must not share sensitive business information, such as the Society’s performance, personal data or any other confidential information.
- If colleagues are uncertain or concerned about the appropriateness of any statement or posting, they should refrain from posting it until they have discussed it with their manager.
- If colleagues have a concern or a complaint about the Society or their work, they should speak to their line manager rather than posting on social media.
Monitoring
Internet filters will be used to filter unsuitable content from downloads and to log IP addresses and user details, which are kept on record.
The Society reserves the right to monitor, intercept and review, without further notice, colleague activity using our IT resources and communications systems, including but not limited to social media postings and activities. This is to ensure that our rules are being complied with and for legitimate business purposes, and colleagues consent to such monitoring by their use of such resources and systems.
Colleagues should be aware that the Society may ask them to remove content that is not in line with this policy. Unreasonable refusal to do so may result in disciplinary action being taken.
Additional Support
If colleagues need further information or advice on this policy, they should discuss this with their line manager in the first instance or contact IS by logging a service request through ServiceNow.
Alternatively, they can contact the HR Advisor for their business group, or email HR.advice@midcounties.coop.
Policy name: Acceptable Use of Information and Mobile Technology Policy
Date of last review: May 2022
Policy owner: HR
Issue number: 002