>ACCEPTABLE USE POLICIES – WHY, WHAT & HOW


>A PRACTICAL GUIDE TO IMPLEMENTING AN AUP

>A WHITEPAPER BY JONATHAN NAYLOR, EMPLOYED BARRISTER

>CONTENTS

>WHY DO I NEED AN AUP?

>I HAVE AN AUP, SURELY I AM NOW PROTECTED?

>HOW DO I GO ABOUT CREATING AN AUP OR REVISING THE ONE I CURRENTLY HAVE?

>WHAT SHOULD BE IN AN AUP?

>COMMON MISTAKES WHEN CREATING AN AUP

>COMMON MYTHS WHEN CREATING AN AUP

>MAXIMISING COMPLIANCE AND MINIMISING RISK


>WHY DO I NEED AN AUP?

Ten or so years ago, implementation of Acceptable Use Policies ("AUPs") within organisations was patchy. Many employers limited employee Internet and email use to certain categories of staff, and large numbers of smaller and medium-sized enterprises either had a very brief AUP or none at all.

Over the last decade businesses have, either through good planning and awareness or, alternatively, painful experience of something going wrong, learnt that with ever-increasing employee access to Internet, email and Instant Messaging ("IM") systems while at work, regulation of this area cannot be left to chance.

The AUP is the bedrock of any organisation's management of employee use of corporate IT systems. A well-drafted AUP will, amongst other things:

• set out the types of behaviour expected of employees (and equally the types of behaviour that will result in an employee facing disciplinary action);

• detail specific provisions that are tailored to the organisation's needs or particular areas of risk;

• highlight to employees that the systems are predominantly for work use and that personal use should not interfere with an employee's ability to undertake their duties; and

• explain that an employee's usage will be monitored and where necessary disciplinary action will be taken.

It is crucial, once an AUP has been drafted:

1. that it is distributed to all staff;

2. that an explanation is given to employees so that they can understand why the policy is needed and what it is there to do; and

3. that the policy is then consistently enforced by management so that it does not fall into either disuse or disrepute.

A common failing is that organisations feel that they have "fixed" the problem simply by drafting an AUP. This AUP may then gather dust on the shelf, while the company, its employees and the risks that the business faces, all change. This can mean that when an act of misconduct by an employee prompts management to dust down the AUP and seek to enforce it, they find that the specific problem they now face is not adequately covered by the AUP. In this type of situation, the employee may also be able to raise substantial arguments about his lack of knowledge of the AUP or the previous lack of enforcement by the employer, and either claim may lead a Tribunal to conclude that the company has acted unfairly in taking whatever action it did against the employee.


>I HAVE AN AUP, SURELY I AM NOW PROTECTED?

As explained above, simply establishing an AUP is not in itself a sufficient response. Part of the challenge for employers is to explain to employees why misuse of the Internet, email or IM system is so potentially damaging. Despite widespread publicity about employee email misuse and all of the embarrassment that this can cause both to the employee and the organisation, hardly a day passes without a further example of a careless email or inappropriate use of the web.

It is therefore important that employees are educated as to why misuse of these company systems can be so significant. Employees are never likely to welcome the fact that an employer will monitor their activities while at work but, if it is conveyed to the employee that part of the reason for the monitoring is to avoid the potential for personal consequences for any employee, then it may be that at least a grudging understanding is obtained. For example, many employees may not appreciate that if a colleague brings a claim of discrimination (perhaps a claim of sexual harassment based on offensive emails) not only can the employer be liable for any compensation ordered by a Tribunal, but the individual employee can be named as a Respondent in any proceedings and a financial award made personally against that employee. The fact that there may be a direct financial consequence to the offending employee may help to concentrate the mind and stress the importance of abiding by the AUP.

Furthermore, any AUP must be backed up with a tailored technology solution; the AUP is only part of the story. The technical solution that you put in place must be relevant to the particular risks that you face as a business and also the policy that has been drawn up to meet those risks.

As an employer, the organisation has a duty to take reasonable steps to put in place a safe system of work for employees. This will involve, for example, putting in place reasonable technical solutions to seek to block spam emails from reaching employees. Employers are not obliged to go to unlimited expense to implement the most perfect system for dealing with every conceivable threat, but they will be expected to put in place a reasonable level of protection for their own employees.


>HOW DO I GO ABOUT CREATING AN AUP OR REVISING THE ONE I CURRENTLY HAVE?

The starting point is to assess the particular needs of the business in the light of the specific risks that it will face; hence a risk assessment of some sort is the first step. Such an assessment will provide the basis for drafting the necessary AUP and subsequently the tailoring of a technical solution to support that AUP. Failure to make a proper assessment at the outset will lead to an incomplete solution being implemented later in the process.

When drafting the AUP itself, input should be obtained from any HR support within the organisation. What is technically possible is not necessarily good employment practice and therefore this has to be an area where an organisation's IT department talks with its HR department to create a combined solution. Senior management approval must be sought at an early stage so that there is a real commitment to the principles in the AUP.

When the AUP is complete and ready for distribution, there is a requirement to educate employees, so that they understand why the new policy is being produced and what it is intended to achieve. As mentioned above, a shrewd employer will seek to explain to employees the risks that the employer is attempting to address under the AUP and therefore to demonstrate the benefits not only to the business but also to individual employees from having a clear AUP to set the boundaries of reasonable behaviour.

Fig. 1 Creating and maintaining your AUP

1. Assess risk: Conduct thorough risk assessment. Identify areas of concern.

2. Create policy: Tailor policy to specific risks.

3. Distribute & educate: Distribute the AUP. Educate employees on why AUP is being implemented.

4. Monitor compliance: Implement technical solution to monitor and report on AUP compliance.

5. Enforce policy: Enforce the AUP consistently when it is breached.

>WHAT SHOULD BE IN AN AUP?

The contents of AUPs vary; some are comprehensive, covering all forms of communications used by the business (including Blackberries/PDAs, telephone communications, etc) whereas others are more limited. Which coverage is most suitable for an organisation will depend on the nature of the usage by employees. For example, if the use of Blackberries is confined to one or two directors of the business, the need for any AUP to cover this is obviously greatly reduced when compared with a business which has scores of users. All AUPs should clearly state which categories of workers are covered, for example, if a business uses contractors or temporary workers it should be stressed that the policy also applies to them.
