
Acceptable Use Policy (Australia)


IT Systems, Internet and Device Usage Policy

ACCEPTABLE USE POLICY

[Organisation Name] ([ABN])

[Organisation Address]

Effective Date: [Effective Date] | Next Review: [Review Date] | Policy Owner: [Policy Owner]

1. PURPOSE AND SCOPE

1.1 This Acceptable Use Policy (the “Policy”) sets out the rules and requirements governing the acceptable use of IT systems, networks, devices, internet access, and email services provided by [Organisation Name] (the “Organisation”).

1.2 This Policy applies to: [Policy Scope] who access or use the Organisation’s IT resources, whether on-site or remotely.

1.3 The IT systems and resources covered by this Policy include: [Systems Covered].

1.4 This Policy is issued under the Organisation’s obligations under the Privacy Act 1988 (Cth), the Cybercrime Act 2001 (Cth), the Spam Act 2003 (Cth), the Telecommunications (Interception and Access) Act 1979 (Cth), and applicable Work Health and Safety legislation.

2. PERMITTED USES

2.1 The Organisation’s IT systems and resources are provided primarily for legitimate business purposes. Limited personal use is permitted provided it:

  • does not interfere with work duties or productivity;
  • does not consume excessive bandwidth or storage;
  • does not breach any provision of this Policy; and
  • complies with all applicable laws.

3. PROHIBITED USES

3.1 Users must not use the Organisation’s IT systems or resources to:

  • access, store, distribute, or transmit material that is offensive, obscene, defamatory, discriminatory, harassing, or unlawful;
  • download, install, or use unlicensed software or content in breach of copyright;
  • access systems or data without authorisation (including “hacking” or attempting to bypass security controls);
  • transmit unsolicited commercial electronic messages (spam) in breach of the Spam Act 2003 (Cth);
  • conduct any activity that may constitute a criminal offence under the Cybercrime Act 2001 (Cth) or equivalent state legislation;
  • disclose confidential business information, trade secrets, or personal information of clients or colleagues without authorisation;
  • conduct any personal business, secondary employment, or commercial activity not authorised by the Organisation;
  • install or run software or applications that have not been approved by the IT department; or
  • engage in any activity that may expose the Organisation to legal liability or reputational damage.

4. PASSWORD AND ACCESS SECURITY

4.1 Users must:

  • use strong, unique passwords for all systems and accounts;
  • not share passwords or access credentials with any other person;
  • change passwords immediately if they suspect compromise;
  • lock their workstation when leaving it unattended; and
  • report any suspected security incidents or unauthorised access to the IT department immediately.

5. EMAIL AND INTERNET USE

5.1 Users must exercise caution when using email and the internet and must:

  • not open attachments or click links in suspicious or unsolicited emails;
  • not use the Organisation’s email address to subscribe to personal mailing lists or services;
  • not send confidential information to unauthorised recipients;
  • report suspected phishing or malware attempts to the IT department; and
  • comply with the Spam Act 2003 (Cth) when sending commercial electronic messages.

6. DATA SECURITY AND PRIVACY

6.1 Users who handle personal information in the course of their work must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles at all times.

6.2 Users must not store personal or confidential data on personal cloud services, external drives, or non-approved storage solutions without IT department authorisation.

6.3 Any suspected data breach must be reported to the Privacy Officer immediately in accordance with the Organisation’s Notifiable Data Breaches procedure.

7. INCIDENT REPORTING

7.1 Users must report any suspected or actual security incidents, data breaches, malware infections, or policy violations to the IT department as soon as practicable. Prompt reporting helps limit the impact of security incidents and satisfies the Organisation’s obligations under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth).

8. BREACH OF POLICY

8.1 Breach of this Policy may result in [Breach Consequences], consistent with the procedural fairness requirements of the Fair Work Act 2009 (Cth). In serious cases involving criminal conduct, matters may be referred to law enforcement authorities.

9. REVIEW AND UPDATES

9.1 This Policy will be reviewed at least annually by [Policy Owner] and updated as required to reflect changes in technology, legislation, or organisational practice. The next scheduled review date is [Review Date].

9.2 This Policy is governed by the laws of [Governing State], Australia.

ACKNOWLEDGEMENT

I have read, understood, and agree to comply with the Acceptable Use Policy of [Organisation Name].

Name: _____________________________ Position: _____________________________

Signature: _________________________ Date: _________________________________

Employee / User

________________

Signature

Date: ________________

Authorised Representative

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder.

What Is an Acceptable Use Policy (Australia)?

An Acceptable Use Policy in Australia sets out the organisation's rules and expectations for the use of its IT systems, internet access, email and devices, and the responsibilities of staff and users, supporting compliance with the Corporations Act 2001 (Cth).

Australian organisations face a complex web of statutory obligations that an AUP helps address. The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) — enforced by the Office of the Australian Information Commissioner (OAIC) — require organisations to take reasonable steps to protect personal information from misuse and unauthorised access under APP 11. The Cybercrime Act 2001 (Cth) makes unauthorised access to or modification of computer data a federal offence under ss 477 and 478. The Spam Act 2003 (Cth) prohibits the sending of unsolicited commercial electronic messages and imposes strict requirements around consent, identification, and unsubscribe mechanisms. A documented AUP demonstrates that an employer has taken reasonable steps to prevent these breaches.

Under the Telecommunications (Interception and Access) Act 1979 (Cth), employers who wish to monitor employee communications systems must comply with lawful interception provisions. Australian Privacy Principle 5 requires organisations to notify individuals of the purposes for which their personal information is collected — an AUP with a clear monitoring disclosure satisfies this obligation for employees. The Work Health and Safety Act 2011 (Cth) s 19 obliges a person conducting a business or undertaking (PCBU) to eliminate or minimise risks to health and safety, including cybersecurity risks that can disrupt business operations and harm workers.

For companies in financial services, the Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security requires APRA-regulated entities — including banks, insurers, and superannuation funds — to maintain information security capabilities commensurate with information security vulnerabilities and threats. An AUP is a baseline control under CPS 234. The Australian Cyber Security Centre (ACSC) publishes the Essential Eight cybersecurity strategies, which include application control, patching, and restricting administrative privileges — controls that an AUP operationalises at the staff level.

The Fair Work Act 2009 (Cth) is relevant to enforcement: under ss 387 and 388, any disciplinary action or dismissal for breaching an AUP must follow a procedurally fair process. The Fair Work Commission adjudicates unfair dismissal claims and considers whether a valid reason existed and whether the employee was notified and given an opportunity to respond. An AUP that is clearly communicated, reasonable in scope, and incorporated into employment contracts or acknowledged in writing is far more defensible before the Fair Work Commission than an informal arrangement. Forms-legal.com provides this template as a starting point for Australia-compliant IT governance documentation.

When Do You Need an Acceptable Use Policy (Australia)?

Every Australian organisation that provides employees, contractors, volunteers, or students with access to IT systems, internet connections, email accounts, or company-owned devices needs an Acceptable Use Policy. The AUP is particularly critical in several specific circumstances that arise regularly across Australian workplaces.

Organisations adopting BYOD (bring your own device) arrangements need an AUP that clearly distinguishes between personal and work data on devices, sets minimum security standards (such as encryption, PIN protection, and mobile device management enrolment), and addresses what happens to company data when a device is lost, stolen, or an employee leaves. Without clear rules, an organisation risks breaching APP 11 of the Privacy Act 1988 (Cth) when personal information stored on a personal device is accessed without authorisation.

Businesses with remote or hybrid workers need the AUP to address home network security, the use of public Wi-Fi, VPN requirements, and physical security of devices and documents outside the office. The Australian Cyber Security Centre (ACSC) has consistently identified phishing, ransomware, and credential compromise — all behaviours that an AUP can address — as the leading causes of data breaches reported to the OAIC under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth).

Organisations subject to APRA's Prudential Standard CPS 234 (banks, insurers, superannuation funds), the My Health Records Act 2012 (Cth) (healthcare providers), or the Security of Critical Infrastructure Act 2018 (Cth) (operators of critical infrastructure assets) have heightened obligations to document and enforce access controls and acceptable use rules. An AUP is an expected baseline control under each of these frameworks.

The AUP should be provided to all new employees and contractors at onboarding and signed as part of the induction process. It should be updated whenever there is a significant change in technology usage (for example, adoption of a new cloud platform or AI tool), a change in relevant law, or following a security incident. Reviews should occur at least annually, with the OAIC and ACSC guidance notes checked for recent developments affecting Australian organisations.

What to Include in Your Acceptable Use Policy (Australia)

An Australian Acceptable Use Policy should cover the following core areas to meet the expectations of the Privacy Act 1988 (Cth), the Cybercrime Act 2001 (Cth), the Spam Act 2003 (Cth), the Fair Work Act 2009 (Cth), and the ACSC Essential Eight framework.

Scope and covered persons: The AUP must clearly state who is covered — employees, contractors, volunteers, labour hire workers, students, and any other users who access the organisation's IT environment — and what systems are covered, including on-premises servers, cloud services, email, mobile devices, and remote access systems.

Permitted and prohibited uses: The policy should clearly list permitted uses (business purposes, incidental personal use if allowed) and prohibited uses, including accessing illegal material, downloading unlicensed software, transmitting confidential information to personal accounts, using organisational resources for personal commercial activity, and circumventing security controls.

Monitoring and privacy notice: Under the Telecommunications (Interception and Access) Act 1979 (Cth) and APP 5 of the Privacy Act 1988 (Cth), the AUP must notify users that IT systems, internet usage, and email may be monitored for security and compliance purposes, and explain how monitoring data is used and retained.

BYOD requirements: Where personal devices are permitted, the policy must specify minimum security standards, enrolment in mobile device management (MDM) systems, and the organisation's right to wipe company data from a personal device in specified circumstances.

Social media and communications: Rules governing the use of social media, both on company systems and on personal accounts where there is a connection to the organisation, addressing defamation risks, confidentiality obligations, and reputational considerations under the Corporations Act 2001 (Cth) and Privacy Act 1988 (Cth).

Password and access management: Minimum password standards, multi-factor authentication requirements, prohibition on sharing credentials, and obligations to report suspected compromise promptly to the IT security team.

Incident reporting: A clear obligation for users to report suspected security incidents, data breaches, or policy violations promptly, enabling the organisation to assess potential NDB scheme notification obligations to the OAIC and affected individuals within the timeframes required by Part IIIC of the Privacy Act 1988 (Cth).

Consequences of breach: A graduated consequence framework from warnings through to summary dismissal for serious misconduct, consistent with the Fair Work Act 2009 (Cth) procedural fairness requirements and the relevant modern award or enterprise agreement. Forms-legal.com provides this template as a starting point for building an Australia-compliant cybersecurity and data governance policy suite.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Acceptable Use Policy (Australia) [Legal document template]. Forms Legal. https://forms-legal.com/australia/business/policies/acceptable-use-policy-australia

MLA

"Acceptable Use Policy (Australia)." Forms Legal, 2026, https://forms-legal.com/australia/business/policies/acceptable-use-policy-australia.

BibTeX

@misc{formslegal-acceptable-use-policy-australia,
  author       = {{Forms Legal}},
  title        = {Acceptable Use Policy (Australia)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/australia/business/policies/acceptable-use-policy-australia}},
  note         = {Free legal document template. Based on Corporations Act 2001 (Cth)}
}

Based on Corporations Act 2001 (Cth). Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.

Related Documents

You may also find these documents useful:

Data Protection Policy (Australia)

Create a comprehensive Data Protection Policy for an Australian organisation. Compliant with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). Covers data collection, use, storage, disclosure, access rights, and breach notification.

Data Consent Form (Australia)

Obtain valid consent for the collection and use of personal information in Australia. Compliant with the Privacy Act 1988 (Cth), Australian Privacy Principles, and the Notifiable Data Breaches scheme. Covers data use, storage, third-party sharing, and withdrawal of consent.

Workplace Code of Conduct (Australia)

An Australian Workplace Code of Conduct is a formal employer document that sets out the standards of professional behaviour, ethical conduct, and workplace values expected of all workers. It provides a clear framework for decision-making in situations that are not always expressly covered by other workplace policies, and establishes the consequences for falling below the required standards. A Code of Conduct is one of the most fundamental documents in any Australian employer's suite of workplace policies.

The legal foundation for a Workplace Code of Conduct in Australia rests on the employer's implied common law right and contractual right to issue lawful and reasonable directions to employees. A direction is lawful if it does not require an employee to do something unlawful, and reasonable if there is a legitimate business justification for it. The Fair Work Act 2009 (Cth) is central to the enforcement and legal effect of a Code of Conduct: under ss 387 and 388, the Fair Work Commission will consider, when assessing whether a dismissal for a Code breach was unfair, whether the employer had a valid reason for the action, whether the employee was notified of that reason, whether the employee was given an opportunity to respond, and whether dismissal was proportionate to the conduct in question.

The Australian Public Service (APS) Code of Conduct established under the Public Service Act 1999 (Cth) ss 13 and 15 provides a widely referenced model for conduct standards in the public sector. While this model is specific to Commonwealth public servants, the conduct categories it employs — honesty, respect, diligence, care of Commonwealth resources, compliance with laws, and avoidance of conflicts of interest — reflect the conduct standards expected across Australian workplaces generally and are the basis for private sector codes of conduct throughout Australia.

A well-structured Code of Conduct addresses a comprehensive range of conduct obligations: honesty and integrity in dealings with the organisation and its stakeholders; respectful treatment of all persons, including the prohibitions on bullying, harassment, and discrimination under the Sex Discrimination Act 1984 (Cth), Racial Discrimination Act 1975 (Cth), Disability Discrimination Act 1992 (Cth), and Age Discrimination Act 2004 (Cth); confidentiality obligations and privacy compliance under the Privacy Act 1988 (Cth) and the Australian Privacy Principles; responsible use of organisational property and resources; compliance with all applicable laws and professional obligations; responsible use of social media; avoidance of conflicts of interest; and proper handling of gifts, benefits, and hospitality.

The Code should also address outside employment (secondary employment), which is increasingly common in the modern workforce. While the Fair Work Act 2009 (Cth) limits the extent to which employers can prohibit outside employment, reasonable restrictions connected to genuine business interests — such as those that address conflicts of interest, confidentiality, or performance impacts — are permissible.

Conflicts of interest and gifts management are particularly important for organisations operating in regulated industries such as financial services (where the Corporations Act 2001 (Cth) ss 181–183 impose specific duties on directors and officers), healthcare, government contracting, and professional services. Robust disclosure and management processes for conflicts of interest and gifts help organisations maintain integrity and comply with applicable regulatory requirements.

The bribery and corruption provisions of the Criminal Code Act 1995 (Cth) apply to all organisations operating in Australia. The Code of Conduct should make clear that offering or accepting bribes — whether in the form of cash, gifts, or other benefits — to improperly obtain or retain business is unlawful and will result in immediate disciplinary action, including referral to law enforcement authorities.

This Workplace Code of Conduct is suitable for Australian businesses of all sizes and industries. It should be incorporated by reference into all employment contracts, acknowledged in writing by all workers upon commencement and following any amendment, and enforced consistently and in accordance with procedural fairness principles under the Fair Work Act 2009 (Cth).

Whistleblower Policy (Australia)

An Australian Whistleblower Policy is a formal document that explains to employees, officers, contractors, and other eligible persons how they can report suspected misconduct or wrongdoing, and what legal protections apply to them when they do. The policy is required by law for certain companies and must set out the key features of the whistleblower protection regime established under Part 9.4AAA of the Corporations Act 2001 (Cth).

The whistleblower protection reforms in the Corporations Act 2001 (Cth) commenced on 1 July 2019, significantly expanding the protections available to whistleblowers in the corporate sector. Under s 1317AI, public companies, large proprietary companies, and proprietary companies that are trustees of registrable superannuation entities must have a whistleblower policy. The policy must be made available to officers and employees of the company. Failure to have a compliant policy is an offence attracting a civil penalty.

The regime defines an 'eligible whistleblower' broadly under s 1317AA to include current and former employees, officers, contractors, suppliers, associates of the company, and their relatives or dependants. This wide definition ensures that those with genuine knowledge of misconduct — including former employees and supply chain workers — can come forward and receive protection. A disclosure qualifies for protection under s 1317AA(1) if the eligible whistleblower has reasonable grounds to suspect that the information concerns misconduct, or an improper state of affairs or circumstances, in relation to the company or a related body corporate. This includes suspected contraventions of the Corporations Act or the ASIC Act 2001 (Cth), conduct representing a danger to the public or the financial system, and tax-related misconduct under the Taxation Administration Act 1953 (Cth).

The key protections afforded to eligible whistleblowers who make qualifying disclosures include: confidentiality protection under s 1317AAE, making it a criminal offence to disclose the identity of a whistleblower without their consent; protection from detriment under s 1317AD, prohibiting dismissal, demotion, harassment, discrimination, or any other adverse action because of a disclosure; civil and criminal immunity under s 1317AB, meaning a whistleblower cannot be sued or prosecuted in respect of their disclosure; and compensation rights under s 1317AE for any loss, damage, or injury suffered as a result of unlawful detriment.

The whistleblower policy must, under s 1317AI(3), include information about: the protections available to whistleblowers; the disclosures to which those protections apply; how disclosures can be made; how the company will support and protect whistleblowers, including confidentiality measures; how the company will investigate disclosures; how the company will ensure fair treatment of employees mentioned in disclosures; and how the policy will be made available to officers and employees.

In addition to the Corporations Act regime, whistleblower protections for tax-related disclosures are provided under ss 14ZZC to 14ZZE of the Taxation Administration Act 1953 (Cth), administered by the Australian Taxation Office. The Public Interest Disclosure Act 2013 (Cth) also provides a parallel regime for public sector whistleblowers.

Best-practice whistleblower programs include independent external hotlines to allow anonymous reporting, regular training for managers and the Whistleblower Protection Officer on handling disclosures, clear procedures for managing conflicts of interest in investigations, and regular Board-level reporting on whistleblower disclosures. ASIC has published regulatory guidance (RG 270) providing detailed guidance on implementing whistleblower policies in practice.

This Whistleblower Policy template covers all mandatory elements required by s 1317AI of the Corporations Act 2001 (Cth), including eligible whistleblowers and disclosures, protections from detriment and breach of confidentiality, how to make a disclosure to internal and external recipients, the investigation process, fair treatment obligations, and Board authorisation.