ICT Acceptable Use Policies

Lasa logo By Lasa Information Systems Team

We often receive enquiries from organisations looking for help in developing policies for IT use by staff. Although we don’t have a standard policy, this article looks at why organisations need to have an Acceptable Use Policy (AUP), provides a framework for what the policy should contain, and how to implement it. Links to some background resources are also provided.

What is an Acceptable Use Policy?

As Joni Podolsky states in her excellent book Wired For Good - Strategic Technology Planning for Non Profits:

"Any organisation needs to inform its people about the type of behaviour it expects of those using technology in the workplace and about the consequences for abusing technology privileges".

An Acceptable Use Policy (AUP) is the policy which provide this information to users of the organisation's ICT resources be they staff, volunteers, clients, trainees, management committee, trustees and so on.

Why Have Policies?

Organisations are required by law to have certain policies e.g. Health & Safety (if there are any employees then it is a legal requirement) and disciplinary and grievance (if over 20 employees then mandatory). It is good practice, and often a requirement to conform with quality standards such as Quality Mark, Pqasso and Investors in People, to have certain policies in place e.g. Equal opportunities, Environmental, Data protection & confidentiality; and… ICT!

In addition, policies exist for the protection and guidance of the organisation and individuals by giving users ground rules for acceptable use of the equipment etc. so there are no misunderstandings. They should also provide guidelines if, for example, misuse occurs. An AUP also demonstrates to potential funders that the organisation is professional in its approach to managing users.

Framework for policies

The Acceptable Use Policy Framework Document contains suggested headings and topics which will be applicable for a typical Acceptable Use Policy for a small voluntary sector organisation. Lasa does not advocate the use of "model" policies as they tend to be adopted without consideration of the finer points or for the needs of the organisation.

The framework has attempted to cover most of the areas which will be required for an AUP but not all need be adopted e.g. if an organisation only has a small number of standalone PCs then the specific items on networks etc. will not be necessary. Of course, should the organisation change its ICT infrastructure then the AUP will need to be revised - we suggest that the AUP is reviewed every year as new technologies etc. will have impacted upon it.

For convenience, the framework is split into 6 main areas which are then subdivided - these areas are:

  • Introduction
  • General computer use
  • Email
  • Web & other online usage
  • Security
  • Training

AUP Implementation process

The following is a suggested process for initiating and implementing an AUP - this will differ depending on the size and nature of the organisation.

  1. Initiate - discuss in team/staff/volunteer/management committee meetings etc.
  2. Form working group (if appropriate) to draw up AUP
  3. Use framework for consultation with users and gain feedback
  4. Draft policy and circulate amongst working group for comment
  5. Write up final policy
  6. Publish and distribute
  7. Publicise to people in organisation
  8. Monitor and review annually


Copyright © 2000 Lasa Information Systems Team

Creative Commons Attribution

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 UK: England & Wales License.

Helpful Advice from those Friendly People at DOT-COMmunICaTions