Your browser does not support JavaScript

IT policy

£ 9
Get much more with our
Security and information policy bundle:

This model policy outlines the standards expected of users of Company communication systems, and the action taken in respect of breaches of these standards.

Reading time
How long to understand and implement this policy?
15 mins
Word count
How many words in this policy?
We also have budget-friendly bundles featuring this template:

What is an IT policy?

The purpose of this IT policy is to provide you with a flexible and customisable document to serve as a robust and effective starting point for you.

By using our IT policy, you can streamline your process, maintain consistency and accuracy, and save time, and it can be easily adapted to fit your specific scenario.

Best practice timescale for this to be issued
When should this policy be issued?
During onboarding / after changes / planned refresher
Issued by who, to whom
Who should issue this policy, and to whom?
Internally issued to appropriate recipients in your Company
Applicable legal jurisdictions
In which jurisdictions can this policy be used?
Great Britain & NI (United Kingdom), Worldwide

What legislation and best practice guidelines have been taken into account in the development of this template?

United Kingdom
  1. Computer Misuse Act 1990: This legislation addresses unauthorized access to computer systems, unauthorized access to data, and the creation and distribution of malicious software. It helps protect the organization's IT systems and data from unauthorized use and cyberattacks.

  2. Data Protection Act 2018 (DPA): The DPA governs the processing and handling of personal data, including employee data. An IT policy should align with the DPA's principles to ensure the proper handling and protection of personal information.

  3. General Data Protection Regulation (GDPR): Although it is an EU regulation, GDPR applies to UK organizations. It imposes stricter requirements on the processing of personal data, including employee data, and an IT policy should address GDPR compliance.

  4. Electronic Communications Privacy Regulations (ECPR): These regulations cover the use of electronic communications, such as email and telephone communications. An IT policy should address the monitoring and privacy implications of electronic communications within the organization.

  5. Human Rights Act 1998: The Human Rights Act incorporates the European Convention on Human Rights (ECHR) into UK law. It includes the right to privacy, which has implications for employee monitoring and data protection in the workplace.

  6. Regulation of Investigatory Powers Act 2000 (RIPA): RIPA sets out rules for the interception of communications, surveillance, and data acquisition. An IT policy should align with RIPA when it comes to monitoring employee communications and activities.

  7. Copyright, Designs and Patents Act 1988: This legislation governs the use of copyrighted materials, including software and digital content. An IT policy should address copyright compliance and the appropriate use of software and digital assets.

  8. Equality Act 2010: This Act protects employees from discrimination and harassment based on protected characteristics. An IT policy should address equal access to IT resources and avoid any discrimination in technology use.

  9. Health and Safety at Work Act 1974: Although not solely focused on IT, this legislation includes provisions related to the safety of employees using technology and computer equipment in the workplace.

  10. Whistleblowing Policy: An IT policy should reference the organization's whistleblowing policy to encourage employees to report any IT-related concerns or security breaches.

Other territories

Consult your jurisdiction's employment legislation or labor laws to ensure compliance with the template. Review the language for local precision.

IT Policy


This policy outlines standards regarding the use of the Company's computing and computer based communications capabilities including, but not limited to, electronic mail and Internet systems.


This policy is applicable to all employees of [company name].

General principles

Equipment and Software

All the computing resources (e.g., equipment, software and telecommunications capabilities) used by the Company to provide computing and network connections throughout the business are considered the property of the Company. Further, they are intended solely for use by the Company's employees to conduct the Company's business, and should not be used for communication of a personal, private or non-business nature, without authorisation from a senior manager.

It is the Company's intention to use only properly licensed software and to comply with the manufacturers' licensing provisions and the terms of other agreements the Company has signed with the manufacturers. No actions are to be taken by an employee to obtain or use software that has not been properly licensed.

The Company will provide its employees with all software needed to conduct their business. Consequently, the Company's employees (other than appropriately authorised Information Technology staff) are not permitted to copy software from any source onto the Company's network or the computer they use. This is not only policy, it can be illegal, and/or expose both the computer and the Company's network to viruses.

All hardware and software requests, procurement and installation should be processed via the IT department so that the software/hardware compatibility and asset register can be maintained.

Data and information

All data and information created, acquired, stored on, or transmitted using the Company's computing resources are the Company's proprietary business information and are exclusively the property of the Company. This includes information of any kind: documents, spread sheets, graphics files, emails and their attachments, records of any business transactions, creative work, directories or lists of the content of storage devices, the printed image of any such information, or files of any such information on removable storage devices or stored on non Company computing systems (e.g.: portable devices/drives, CD/DVD, or home computers).

In all cases, the Company's proprietary business information may not be sent to outside individuals or companies, or to Company employees who do not need to know the information unless authorised by a senior manager. The Company is under no obligation to provide any data or information that was created, acquired, transmitted, or stored using the Company's resources, to any employee or ex employee of the Company.


Electronic mail and other information systems of the Company should not be used in any way that may be disruptive, offensive to others, or harmful. In no case should the information systems be used to transmit messages of a sensitive, personal, or private nature, or which constitutes unlawful, threatening, disparaging, defamatory, scandalous or obscene material about employees, clients, vendors or any other person or entity.


The Company reserves the right to assign computing resources and system access privileges to employees, and to survey and monitor the use of resources, data and information by its employees.

All computer systems provided by the Company or connected to the Company's network, and all data and information created, acquired, stored on, or transmitted using Company resources are subject to access and review by Company officials, for a variety of reasons, in the course of the performance of their responsibilities at any time without notice. In all cases, monitoring and review is up to the Company's discretion.

Accordingly, employees may have no expectation that any messages or information on the system will be kept confidential from officials of the Company in the normal discharge of their duties. Those officials may also disclose such information to others, inside or outside the Company, at the Company's sole discretion, for official purposes, including system maintenance, data storage, data backup, data archiving, data transmission or retrieval, technical problem resolution, monitoring employees' work, access during an employee's absence or assurance of compliance with policies.

Incidental and occasional personal use of computing resources and electronic messaging within the Company is permitted unless abused, such decision to be made at the Company's sole discretion. However, like. all other data on the Company's systems, any personal messages may still be accessed and disclosed as provided above, even if marked "personal and confidential" or "private." In addition, the Company is under no obligation to retain or protect any such information or to provide any such information in any form to employees or former employees. The Company has no liability for erasure, destruction, use or disclosure of any such information.

Leaving the Company

Computing resources and any access to the Company's data or information provided to the Company's employees iares provided only during the term of their active employment with the Company, and only to facilitate the Company's business.

Upon termination or suspension of employment for any reason, all access to Company data and information or equipment will be discontinued, and any representations of Company data or information (printed, stored on removable media, or stored on remote or non Company computing systems) and Company provided equipment is to be returned to the Company.

Care in Delivery

Electronic mail is a tool which when used properly contributes to the efficiency of the Company as a whole. It's proper use depends on the good sense of our employees and on the careful use of this technology. Employees should consider these points prior to making a decision to communicate via electronic mail.

Electronic mail messages are forever. Once an electronic mail message has been stored on a file server, it is never truly deleted. Whether an attempt to "delete" a message is made by using a specific command or by the automatic delete function, it may be possible to locate and access an electronic mail message long after you believe it to have been deleted.

Electronic mail message distribution cannot be controlled. The author or sender of an electronic mail message cannot control the subsequent forwarding or distribution of any electronic mail message, regardless of how sensitive the message may be. Given the compatibility of our Company's electronic mail programs with Internet servers, and the increasing ability to communicate via electronic mail with our clients, such re transmission is not even limited to employees of the Company. Your message may well end up anywhere or everywhere on the vast number of networks lined by the Internet. In addition, the author or sender of an electronic mail cannot retrieve an electronic mail message once it has been sent.

If you have any questions, please refer them to your Manager.

IT incidents

Employees should report any IT incident event to the IT helpdesk immediately. An IT incident is any malfunction of hardware of software provided by the Company that stops an employee fulfilling their duty. Employees should ask before carrying out any IT related task that they are unsure of.

An IT incident represents a potential security breach or virus infection, or indeed anything that threatens harm to company data, company hardware or network integrity.  

This policy [does not] form[s] part of your terms and conditions of employment.

Version: [1.0]

Issue date: [date]

Author: [name, job title]

This is a preview. Access to the remainder requires a purchase.

£ 9

Get much more with our
Security and information policy bundle:
IT policy
it policy