Acceptable Use Policy (Canada)
Canadian Workplace Technology Acceptable Use Policy
Organization: [Company Name]
Effective Date: [Effective Date]
Province: [Province]
IT / Compliance Contact: [IT Contact]
1. PURPOSE AND SCOPE
[Company Name] (the "Organization") provides employees, contractors, and other personnel with access to technology resources — including computers, email systems, internet access, mobile devices, telephone systems, cloud services, and other digital infrastructure — to support legitimate business activities. This Acceptable Use Policy (the "Policy") establishes the standards governing the use of these resources.
This Policy applies to all employees, officers, contractors, consultants, temporary workers, and volunteers of [Company Name] (collectively, "Personnel") who are granted access to company technology resources. It applies to all technology resources owned, leased, or managed by [Company Name], and to all Personnel regardless of their location or employment status.
2. ACCEPTABLE USE
Company technology resources are provided primarily for business purposes. Acceptable uses include: performing assigned work duties and responsibilities; communicating with clients, colleagues, and business partners on behalf of [Company Name]; accessing information and resources necessary for job performance; using company-approved software and applications; and participating in company-approved training and development activities.
3. PROHIBITED ACTIVITIES
The following activities are strictly prohibited when using company technology resources: (a) Illegal content and activities: accessing, downloading, storing, transmitting, or distributing content that is illegal under Canadian law, including child sexual abuse material, hate speech contrary to the Criminal Code (R.S.C., 1985, c. C-46), or materials that violate intellectual property rights; (b) Harassment and discrimination: sending, storing, or displaying communications that are harassing, discriminatory, or offensive based on any ground protected under the Canadian Human Rights Act (R.S.C., 1985, c. H-6) or applicable [Province] human rights legislation; (c) Confidential information: unauthorized disclosure of confidential company information, trade secrets, client information, or personal information of employees or third parties; (d) Privacy violations: unauthorized access to personal information, accessing colleagues' accounts or files without authorization, or any use of personal information contrary to PIPEDA (S.C. 2000, c. 5) and applicable provincial privacy legislation; (e) Security circumvention: attempting to bypass, disable, or circumvent security controls, firewalls, access restrictions, or monitoring systems; (f) Unauthorized software: installing unlicensed software, using software in violation of applicable licence terms, or downloading software without IT approval; (g) Personal commercial activities: using company resources for personal business ventures, freelance work, or other commercial activities unrelated to company business; (h) Fraudulent activities: using technology resources to commit fraud, misrepresentation, or any dishonest act; (i) Network abuse: activities that degrade network performance including unauthorized peer-to-peer file sharing, excessive personal streaming, or cryptocurrency mining; (j) Phishing and social engineering: initiating or participating in phishing attacks, social engineering attempts, or other deceptive practices.
4. EMAIL AND INTERNET STANDARDS
Personnel must use company email accounts professionally and in accordance with this Policy. Email communications should be written as if they could be disclosed publicly or used in legal proceedings — because they can be. Personnel must not open attachments or click links from unknown or suspicious sources. Phishing attempts and suspicious emails must be reported immediately to [IT Contact].
Internet use must support legitimate business activities. Personnel must not access websites containing illegal content, adult content, or content that could create a hostile work environment. Streaming services, social media platforms, and other bandwidth-intensive personal uses are restricted to break periods and must not interfere with network performance.
5. COMMERCIAL ELECTRONIC MESSAGES AND CASL COMPLIANCE
Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) governs the sending of commercial electronic messages (CEMs). Personnel who send commercial emails on behalf of [Company Name] must comply with CASL requirements: (a) obtain express or implied consent from recipients before sending CEMs; (b) include [Company Name]'s full legal name and contact information in all CEMs; (c) include a functioning unsubscribe mechanism in all CEMs; (d) process unsubscribe requests within 10 business days; and (e) use only company-approved email marketing platforms. Personnel must not send bulk commercial email without verified consent records. CASL violations can result in administrative monetary penalties of up to $10 million per violation.
6. SOCIAL MEDIA
Personnel must not disclose confidential company information, client data, or personal information of colleagues on social media platforms. Personnel must not make statements that could reasonably be mistaken for official company communications. Discriminatory or harassing social media content that creates a hostile work environment or affects workplace relationships may be subject to disciplinary action even if posted outside working hours. When discussing [Company Name] on personal social media, Personnel should identify that their views are personal and not those of the company.
7. DATA HANDLING AND SECURITY
Personnel are responsible for protecting company data and systems. Specific requirements include: use strong, unique passwords and change them as directed by IT; do not share login credentials with any person; lock workstations when away from the desk; use only company-approved methods for transferring or sharing company data; report security incidents, suspected breaches, or lost devices to [IT Contact] immediately; comply with all data classification and handling procedures established by [Company Name]; and do not use public Wi-Fi for accessing company systems without a company-approved VPN.
8. CONSEQUENCES OF VIOLATIONS
Violations of this Policy may result in disciplinary action up to and including termination of employment or contract for cause, in accordance with applicable [Province] Employment Standards Act or the Canada Labour Code (R.S.C., 1985, c. L-2) where applicable. The severity of disciplinary action will be proportionate to the nature and gravity of the violation. Serious violations — including unauthorized disclosure of confidential information, criminal activity using company systems, or deliberate circumvention of security controls — may result in immediate termination for cause without notice or pay in lieu. Violations may also result in civil or criminal liability for the individual involved.
9. REPORTING AND REVIEW
Personnel who become aware of a violation of this Policy, a security incident, or suspicious activity are required to report it promptly to [IT Contact] or [HR Contact]. Reports made in good faith will be treated with confidentiality to the extent practicable. [Company Name] prohibits retaliation against Personnel who report policy violations in good faith. This Policy will be reviewed at least annually and updated as required by changes in law or company practice. Questions should be directed to [IT Contact].
Authorized Company Representative
________________
Signature
Date: ________________
Employee / Personnel Acknowledgment
________________
Signature
Date: ________________
What Is a Acceptable Use Policy (Canada)?
An Acceptable Use Policy in Canada sets the rules for permitted use of the organisation’s systems, networks, or services, governed primarily by common-law and provincial employment principles.
In Canada, an AUP serves multiple legal functions simultaneously. It provides the electronic monitoring disclosure required by Ontario's Working for Workers Act, 2022 for employers with 25 or more employees. It documents the PIPEDA-compliant notice that employees have no expectation of privacy when using company systems. It sets out the CASL compliance obligations for employees sending commercial electronic messages. It establishes the workplace technology standards that support progressive discipline and, where necessary, termination for cause decisions.
The policy covers acceptable and unacceptable uses of company technology, internet and email standards, social media conduct, data handling obligations, software installation and licensing requirements, and the consequences of policy violations.
For federally regulated employers subject to the Canada Labour Code (R.S.C., 1985, c. L-2), an AUP is particularly important because it establishes the workplace rules that support just cause termination, which is subject to more rigorous scrutiny under the Code than under provincial employment standards legislation.
A well-drafted AUP that is distributed to all employees, acknowledged in writing, and consistently enforced forms a critical component of an employer's legal compliance framework.
The legal framework governing the Acceptable Use Policy (Canada) in Canada draws on several key statutes and regulatory bodies. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Parties executing a Acceptable Use Policy (Canada) in Canada should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) sets the foundational requirements.
When Do You Need a Acceptable Use Policy (Canada)?
An acceptable use policy is needed in the following circumstances:
Ontario employers with 25+ employees — Ontario's Working for Workers Act, 2022 requires a written electronic monitoring policy by January 1, 2023 for employers with 25+ employees as of January 1, 2022. An AUP incorporating the electronic monitoring disclosure satisfies this requirement.
Onboarding new employees — An AUP should be provided to every new employee during onboarding, with written acknowledgment obtained before providing access to company systems.
Technology rollout — When an employer introduces new technology (remote access systems, collaboration platforms, company mobile devices, BYOD programs), updating the AUP confirms employees understand the rules governing the new systems.
Cybersecurity incident — Following a data breach or phishing attack involving employee systems, updating and reissuing the AUP with strengthened security requirements demonstrates the employer's commitment to improved practices.
CAASL compliance — When employees regularly send commercial electronic messages on behalf of the organization, an AUP that includes CASL compliance requirements reduces organizational and personal liability.
Remote and hybrid work — When employees work remotely on company systems or personal devices, an AUP that addresses remote access security, use of personal devices (BYOD), and home network security is essential.
Disciplinary action — When an employer seeks to discipline or terminate an employee for misuse of technology resources, a clearly written and distributed AUP is essential evidence that the employee was on notice of the prohibited conduct.
Privacy complaints — If an employee complaints about monitoring or files a privacy complaint, a clear written AUP demonstrating prior notice is the employer's primary defence.
Parties in Canada should prepare a Acceptable Use Policy (Canada) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Acceptable Use Policy (Canada)
Scope and Application — Identification of all technology resources covered (computers, email, internet, mobile devices, cloud services, telephone systems), all personnel to whom the policy applies (employees, contractors, volunteers, interns), and all locations (office, remote, home).
Electronic Monitoring Disclosure — A clear statement of whether the employer monitors employee use of electronic systems; the circumstances and methods of monitoring (email logs, internet browsing records, application usage, access logs, call recordings); and the purposes for which monitored information may be used. Required for Ontario employers with 25+ employees under Working for Workers Act, 2022.
Acceptable Uses — Business-purpose uses that are permitted; limited personal use parameters if permitted; remote access guidelines and security requirements for work-from-home environments.
Prohibited Activities — Activities that are never permitted regardless of circumstance: accessing, transmitting, or storing illegal content; harassment or discrimination of any kind; unauthorized disclosure of confidential information or personal information; circumventing security controls; unauthorized software installation; use of unlicensed software; fraudulent activities; unauthorized access to other systems; personal commercial activities.
Email and Internet Standards — Email content standards and professional communication requirements; prohibited attachments; phishing and social engineering awareness; internet browsing restrictions; streaming and bandwidth-intensive personal use restrictions.
CAASL Compliance — Requirements for commercial electronic messages including consent verification, required sender identification, unsubscribe mechanism compliance, and processing timelines; prohibition on bulk email without consent.
Social Media Standards — Permitted and prohibited social media activity during work hours; disclosure restrictions; confidentiality obligations; personal social media conduct that could affect the workplace.
Data Handling and Security — Password requirements; prohibition on sharing credentials; device security when using company systems remotely; reporting obligations for security incidents or lost devices.
Consequences — Statement that violations may result in disciplinary action up to and including termination for cause; reference to applicable provincial Employment Standards Act or Canada Labour Code provisions.
Acknowledgment — Requirement for signed acknowledgment confirming the employee has read and understood the policy.
Additional compliance elements for a Acceptable Use Policy (Canada) used in Canada include: Under the Canada Business Corporations Act (R.S.C. 1985, c. C-44), Corporations Canada maintains the federal registry. Section 12 of the CBCA governs corporate name requirements. The Competition Bureau enforces the Competition Act (R.S.C. 1985, c. C-34). Provincial securities commissions — including the Ontario Securities Commission (OSC) and British Columbia Securities Commission (BCSC) — regulate capital markets. The Federal Court of Canada has jurisdiction under the Federal Courts Act. Forms-legal.com provides this template as a starting point for Canada-compliant documentation.
Sources & Citations
Statutory citations link to official government sources.
- R.S.C., 1985, c. L-2CA official
- R.S.C. 1985, c. C-44CA official
- R.S.C. 1985, c. C-34CA official
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Acceptable Use Policy (Canada) (Canada) [Legal document template]. Forms Legal. https://forms-legal.com/canada/business/policies/acceptable-use-policy-canada
"Acceptable Use Policy (Canada) (Canada)." Forms Legal, 2026, https://forms-legal.com/canada/business/policies/acceptable-use-policy-canada.
@misc{formslegal-acceptable-use-policy-canada,
author = {{Forms Legal}},
title = {Acceptable Use Policy (Canada) (Canada)},
year = {2026},
howpublished = {\url{https://forms-legal.com/canada/business/policies/acceptable-use-policy-canada}},
note = {Free legal document template. Based on Canada Business Corporations Act (R.S.C. 1985, c. C-44)}
}Also available for these jurisdictions:
Frequently Asked Questions
There is no single Canadian statute that mandates an acceptable use policy (AUP) for all employers. However, several legal requirements make an AUP functionally necessary. Ontario's Working for Workers Act, 2022 (S.O. 2021, c. 35) requires employers with 25 or more employees to have a written electronic monitoring policy disclosing whether and how the employer monitors electronic device use — and an AUP is the standard vehicle for this disclosure. Under PIPEDA (S.C. 2000, c. 5) and provincial privacy laws, employers must take reasonable steps to protect personal information on their systems, which requires setting out acceptable use rules. Under the Canada Anti-Spam Legislation (CASL, S.C. 2010, c. 23), organizations must ensure employees understand consent and unsubscribe requirements for commercial electronic messages. From a labour law perspective, courts and arbitrators consistently require that employees be informed of workplace rules before they can be disciplined for violating them — making a written, distributed AUP essential for enforcing technology policies and supporting termination for cause decisions.
Canadian employers can monitor employee use of company-owned technology subject to privacy law constraints and the requirement to provide advance notice. The key requirements are: (1) Legitimate purpose — monitoring must serve a genuine business purpose such as security, compliance, or performance management; (2) Necessity — the information collected must be limited to what is necessary for the stated purpose; (3) Notice — employees must be informed that monitoring occurs, the circumstances and methods of monitoring, and the purpose for which collected information may be used. Ontario's Working for Workers Act, 2022 requires a written policy for employers with 25+ employees. Covert monitoring of personal activities (accessing personal email on work devices, spyware on personal devices) is generally not permitted. PIPEDA and provincial privacy laws restrict what information may be collected and how it may be used. An AUP that clearly discloses monitoring practices — and is signed by employees — provides the notice required by privacy legislation and creates the documentation needed to enforce workplace technology rules.
Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23) imposes significant obligations on organizations and individuals who send commercial electronic messages (CEMs) — any electronic message with a commercial purpose. Under CASL, CEMs may only be sent with the recipient's express or implied consent; must identify the sender; must include contact information; and must include an unsubscribe mechanism that is processed within 10 business days. Employees who send commercial emails on behalf of their employer are acting as agents of the organization, making the organization potentially liable for CASL violations. An AUP should specifically address CASL compliance requirements: employees must not send bulk commercial emails without valid consent; employees must include required sender identification and contact information; employees must honour unsubscribe requests; and employees must use only company-approved email marketing platforms. The Canadian Radio-television and Telecommunications Commission (CRTC) can impose administrative monetary penalties of up to $1 million for individuals and $10 million for organizations per violation.
A Canadian employer's social media policy, typically included within or alongside an acceptable use policy, should address several areas. Personal social media use during work hours should be restricted to prevent productivity loss and security risks. Use of company resources (computers, internet) for personal social media requires clear rules. Employees must not disclose confidential company information, client data, or personal information of colleagues on social media — breaching PIPEDA or the applicable provincial privacy act. Employees should understand that posts about the company, even on personal accounts, can create legal liability for defamation, harassment, or disclosure of trade secrets. Employees must not make representations that could be mistaken for official company statements. Under the Canadian Human Rights Act (R.S.C., 1985, c. H-6) and provincial human rights codes, discriminatory content posted by employees — even outside work — can create employer liability if it affects the workplace. An employee's reasonable expectation of privacy for personal social media activity on personal devices outside work hours is generally protected, though seriously harmful conduct may still warrant disciplinary action.
A Acceptable Use Policy (Canada) does not legally require a lawyer in Canada, and individuals and businesses may draft and execute the document independently. The Canada Business Corporations Act (R.S.C. 1985, c. C-44) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Canada lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Canada has jurisdiction over disputes arising from this type of document, and Corporations Canada may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Code of Conduct (Canada)
Establish workplace conduct standards for a Canadian business. Covers Canadian Human Rights Act obligations, Canada Labour Code (federally regulated) or provincial Employment Standards Act compliance, harassment and discrimination prevention, conflicts of interest, confidentiality, and disciplinary procedures.
Employee Privacy Notice (Canada)
Inform employees about how their personal information is collected, used, and disclosed in the Canadian workplace. Covers PIPEDA obligations, provincial privacy law (Alberta PIPA, BC PIPA, Quebec Law 25), workplace monitoring, payroll data, and employee rights.
Anti-Discrimination Policy (Canada)
Establish a comprehensive anti-discrimination and harassment-free workplace policy compliant with the Canadian Human Rights Act and provincial human rights codes. Covers protected grounds, complaint procedures, investigation process, and remediation under federal and provincial human rights legislation.
Non-Disclosure Agreement (NDA) (Canada)
Protect your confidential business information under Canadian law with our free NDA template. Built for all provinces and territories, this agreement references PIPEDA (Personal Information Protection and Electronic Documents Act) and lets you select your governing province. Covers mutual and one-way confidentiality, trade secrets, proprietary data, and includes Canadian entity types (corporation, partnership, sole proprietorship). Fill out the wizard, preview your document in real time, and download as PDF or Word — no account required.