Computer use policy

[Funkstar]

Does anyone have a corporate statement regarding the acceptable use of computers?

We've discovered quite a log of things that shouldn't be on laptops and in email etc. We do have a simple statement in our T&Cs, but need a more detailed one that protects the company and the employees.

We aren't going to restrict all personal use or lock down web sites, just make it clear that having 20GB of MP3s and loading WoW on a laptop is not acceptable.

thanks (this will be run past lawyers anyway, i just wanted to see what everyone else is using)

[Kezzer]

Blimey. Usage policies usually include the usual no games, no porn etc. I've never seen one at my work, and I work for a very large company. In fact, we used to play Quake at work all the time back when I started, although that was kind of phased out.

Aren't there standard usage policies for generic companies? I thought usually they're applicable to the specific company which is why you do it all legally.

[kalniel]

Yes. But as I'm technically a civil servant it's not all that surpising. We have a code of conduct which all staff have to agree to - it's pretty large.

[Saracen]

Does anyone have a corporate statement regarding the acceptable use of computers?

I do have several, but I can't supply them, as they were commissioned by clients.

.....

We aren't going to restrict all personal use or lock down web sites, just make it clear that having 20GB of MP3s and loading WoW on a laptop is not acceptable ......

That, in my view, makes it even more important to get it right, because you're walking a fine line between allowing reasonable use, while preventing abuse. A critical part of that, in my view, will not just be writing a policy but it selling it to staff. If you can implement reasonable policies, and explain to staff why you're imposing any restrictions at all in a way that they both understand and sympathise with, then it'll be far more successful than just presenting them with a complex list of "do nots".

..... this will be run past lawyers anyway .......

An essential step, but a word of caution - lawyers can get carried away with protecting the company.

For instance, on one occasion, I discussed with a client what a AUP was intended to achieve, and gave a brief to the lawyers to implement it (and incidentally, the language used needs to be legally sound, but also clear and transparent to staff who, typically, aren't lawyers). Anyway, the lawyers came back with a contract that locked everything down tight as a gnat's anus (which was NOT the brief). One part of that was that regular contractors indemnified the company against any damage caused by incoming emails - the implication being that a virus received on an email from a contractor was the contractor's liability. Note, there didn't need to be any intent or maliciousness, just an email. And, if it meant a major shutdown, loss of hours (days) of work and a specialist company to come in and clean up dozens of computers, the contractor (and I mean self-employed individuals) was expected to foot the bill. There was no such liability on the company if they sent the contractor an email with a virus (and I pointed out that one company system I'd audited had >200 viruses and/or trojans. The thing was positively heaving with them. Nor, for that matter, did that particular PC have either competent intrusion prevention/detection software, or any half-decent way of restricting access. It had taken me less than 2 minutes to gain full admin access to it, without the benefit of even having a valid user account.

Sooooo .... the lawyers wanted contractors to pay for virus damage if something slipped past that contractor's AV software (and with the best will, and software, in the world, it is possible that something could), but that the company hadn't taken any real precautions to secure it's own position. In my opinion, the clause was likely to be grossly unreasonable, partly because it was unilateral, partly because it required no intent or even lack of care by the contractor, and partly because the company (at least on that sample PC) was grossly incompetent in terms of it's own basic security.

My opinion, VERY firmly expressed, was that if the company tried to foist that contract on the contractors (because nobody in theior right might would agree to something that onerous, one-sided and open-ended), they'd find themselves with no contractors, and as a lot of the work they themselves had accepted contracts to do was actually done by the contractors, they could find themselves unable to fulfill their own contracts. I, for instance, would decline any further work from them if they expected me to sign that.

It would have been a PR disaster. Which is the point I'm making, I guess. Yes, run it past the lawyers but also run what the lawyers tell you past your own common-sense, and be sure that whatever you try to foist on staff is reasonable AND understandable. Getting staff to understand what they're obliged to do, or not do, and to be on-side with it is a far harder part of the task than writing the policy in the first place.

Having said that, some of the things that ought to be in the policy are absolutely critical for the company's protection, and having the policy in place, and being prepared to enforce it, to the point of instant dismissal for gross misconduct if necessary, may be what prevents the company facing either substantial civil liability or even criminal prosecution.

And if you're going to dismiss staff for serious breaches, a clear policy that is KNOWN to staff may be all that stops you losing an wrongful dismissal tribunal.

I know this doesn't directly address your question, but I hope it provides a thought or two that you may find useful.

[Dareos]

can you state, very firmly, that anyone downloading pr0n, more than 1 gig of MP3's or anything other than flash games will be paid a visit by a man with a large stick... with a nail in it.

[Funkstar]

I'd be aiming for "more than a couple of MP3s" let along a gig.

Thanks for the advice. I'll be looking at it as well as management before it is published, so i'll try and make sure it isn't overly strict. Hell, i still want to be able to run MSN as well

[Saracen]

MP3s is one of the problem areas. Personally, I'd advise against ANY limit in the policy unless it explicitly makes clear that the MP3's are for business use or, at the absolute least, legit and legal. Anything less could be construed as tantamount to permission to download copyright-infringing files.

Sure, some MP3 downloads are legit, licensed, bought and authorised. But a very large proportion aren't. Part of the trouble is that personal downloading is, in many circumstances, a civil matter and unlikely to be pursued legally. But as soon as copyright infringement is done in the course of a business, it becomes a criminal matter as well, and can leave the company open to criminal prosecution (and hence, criminal penalties) as well as a civil claim.

And a factor in any civil claim is the ability of the loser to pay any damages awarded. Companies, generally, are better able to afford to do so, so make better and more tempting targets for civil actions.

Therefore, things like MP3s become part of the tactical decision that has to be made when drafting an AUP. On the one hand, it would be possible to allow staff to do a minimal amount of legal downloading, but then you have the problem of policing that, and of making sure that staff understand what is legal and what isn't.

Or, alternatively, you can prohibit it entirely, or prohibit it unless it is a legal download AND for business purposes, since it is possible that some staff may have a legit reason for downloading legal files. Deciding exactly how strict to be is a major part oft he headache.


The overall tactical decision to be made is to strike a balance between permitting reasonable personal use of company facilities for personal use. That not just includes what they download, but an assessment of the storage space requirements that it may imply, the bandwidth costs of doing it, the legal implications of anything that is downloaded and/or stored the security implications and, of course, the amount of time the employee spends doing it .... and when!

An employee spending a few minutes checking personal email during their lunchbreak is one thing, but them spending half an hour a day during working time browsing pirate music sites, or using company email to send libellous messages, is entirely another. The first example is perfectly reasonable, the second is an unjustifiable waste of time and probably grounds for disciplinary action, while the third example is and should be potential grounds for summary dismissal.

[Funkstar]

Thanks for the further input Saracen. Lots of stuff to think about, I'll print this lot out when my boss comes to speak to me about it

[Workaholic]

Don't forget to put in that as they as company property (I presume) then you can put in the usage of such equipment must be for company use and not personal use.

However putting in a "any other uses must be agreed by your manager / IT" should be fine.