Acceptable Use Policy (Ireland)

Ireland — GDPR & Criminal Justice (Cybercrime Offences) Act 2024 Compliant

ACCEPTABLE USE POLICY

Organisation: [Organisation Name]

Address: [Organisation Address]

Effective Date: [Effective Date]

Version: [Policy Version]

1. INTRODUCTION AND PURPOSE

1.1 This Acceptable Use Policy ("AUP" or "Policy") sets out the rules governing the use of the information technology systems, networks, data, and digital resources owned or operated by [Organisation Name] ("the Organisation") by all authorised users.

1.2 The purpose of this Policy is to protect the Organisation's IT assets and data, ensure the security and integrity of the Organisation's systems, meet the Organisation's obligations under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Data Protection Act 2018, and the Criminal Justice (Cybercrime Offences) Act 2024, and set clear expectations for acceptable conduct when using the Organisation's IT resources.

1.3 This Policy should be read in conjunction with the Organisation's other relevant policies, including the Data Protection Policy and the IT Security Policy.

2. SCOPE

2.1 This Policy applies to: [Covered Persons].

2.2 This Policy covers the following IT resources: [IT Resources Covered].

2.3 This Policy applies whether the IT resources are used at the Organisation's premises, at home, or at any other location, and whether on the Organisation's own devices or personal devices used for work purposes (BYOD).

3. PERMITTED USE

3.1 Authorised users may use the Organisation's IT systems for legitimate business purposes directly related to their role and responsibilities within the Organisation.

3.2 Users must use IT systems in a professional, lawful, and ethical manner at all times.

3.3 Users must protect their login credentials and not share passwords, access codes, or authentication tokens with any other person.

4. PROHIBITED ACTIVITIES

4.1 The following activities are strictly prohibited when using the Organisation's IT systems:

(a) Accessing, transmitting, storing, or distributing material that is illegal, defamatory, discriminatory, harassing, threatening, or obscene.

(b) Accessing, downloading, or distributing copyright-protected material without authorisation, in breach of the Copyright and Related Rights Act 2000.

(c) Accessing any computer system, network, or data without authorisation, which constitutes a criminal offence under the Criminal Justice (Cybercrime Offences) Act 2024.

(d) Introducing viruses, malware, ransomware, or any other malicious code into the Organisation's systems or networks.

(e) Processing personal data in breach of the GDPR or the Organisation's Data Protection Policy.

(f) Using IT systems for any form of harassment, bullying, or discrimination in breach of the Employment Equality Acts 1998–2015 or the Equal Status Acts 2000–2018.

(g) Using the Organisation's IT systems for personal financial gain, running a competing business, or any activity that conflicts with the user's obligations to the Organisation.

(h) Attempting to circumvent, disable, or tamper with the Organisation's security systems, firewalls, filters, or monitoring tools.

(i) Sharing, disclosing, or transmitting the Organisation's confidential information to unauthorised persons.

(j) Using the Organisation's IT systems to access or distribute extremist, radicalising, or terrorist material.

5. MONITORING AND PRIVACY

5.1 In accordance with the GDPR transparency principle, the Organisation informs all users that it may monitor the use of its IT systems. The types of monitoring carried out include: [Monitoring Types].

5.2 Monitoring is carried out for the following legitimate purposes: ensuring network security and integrity; detecting and investigating breaches of this Policy; compliance with legal and regulatory obligations; and protecting the Organisation's business interests.

5.3 The Organisation will carry out monitoring in a proportionate and targeted manner. Monitoring will not be carried out covertly or in a manner that disproportionately interferes with users' reasonable expectation of privacy, consistent with Article 8 of the European Convention on Human Rights as applied in Ireland.

5.4 The legal basis for monitoring under GDPR Article 6(1) is the Organisation's legitimate interests in protecting its IT assets and ensuring compliance with this Policy. Where monitoring involves employees, the Organisation complies with the guidance of the Data Protection Commission (DPC).

5.5 Data Protection Officer / Contact: [DPO Contact]. Data subjects may exercise their GDPR rights (access, rectification, erasure, restriction, objection) by contacting the above.

6. SECURITY OBLIGATIONS

6.1 All users must: (a) use strong passwords of at least 12 characters and change them in accordance with the Organisation's password policy; (b) lock their device when leaving it unattended; (c) report any suspected security incident, data breach, or loss of a device to the Organisation's IT department and the Data Protection Officer immediately; (d) not install unauthorised software on Organisation devices; and (e) use only authorised cloud storage and collaboration tools for work-related data.

6.2 Any actual or suspected personal data breach must be reported to [DPO Contact] within 24 hours of becoming aware of it, to enable the Organisation to comply with the 72-hour reporting requirement to the Data Protection Commission under GDPR Article 33.

7. CONSEQUENCES OF BREACH

7.1 Breach of this Policy is a serious disciplinary matter. Depending on the nature and severity of the breach, consequences may include: [Breach Consequences].

7.2 Certain breaches may also constitute criminal offences under the Criminal Justice (Cybercrime Offences) Act 2024 (unlawful access to information systems), the Criminal Damage Act 1991 (damage to computer systems), or other applicable Irish legislation, and will be reported to An Garda Síochána accordingly.

7.3 Disciplinary proceedings will be carried out in accordance with the Organisation's disciplinary procedure and the Code of Practice on Grievance and Disciplinary Procedures (S.I. No. 146 of 2000), respecting the principles of natural justice and fair procedures.

8. REVIEW AND ACKNOWLEDGEMENT

8.1 This Policy will be reviewed at least annually and updated as required to reflect changes in technology, legislation, and organisational needs.

8.2 All covered persons are required to read, understand, and comply with this Policy. Commencement of or continued use of the Organisation's IT systems constitutes acceptance of this Policy.

8.3 Questions about this Policy should be directed to: [DPO Contact].

ACKNOWLEDGEMENT OF RECEIPT AND UNDERSTANDING

I confirm that I have read, understood, and agree to comply with the Acceptable Use Policy of [Organisation Name].

Name: ___________________________

Job Title: ___________________________

Date: ___________________________

Signature: ___________________________

Authorised User

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder

What Is an Acceptable Use Policy (Ireland)?

An Acceptable Use Policy in Ireland sets out the standards, responsibilities, and procedures the organisation expects everyone to follow, and is governed by the Data Protection Act 2018.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Data Protection Act 2018 together require Irish organisations to ensure that personal data is processed lawfully and transparently. An AUP operationalises the employer's GDPR obligations by informing staff of what personal data may be processed using company IT systems, the basis on which it is processed, and the monitoring arrangements in place. Without a clear, documented AUP, an employer cannot satisfy the transparency principle under Article 5(1)(a) GDPR when monitoring employee use of IT systems.

The Criminal Justice (Cybercrime Offences) Act 2024 — which transposed the EU Directive on attacks against information systems (Directive 2013/40/EU) into Irish law — makes it a criminal offence to access information systems without authority, to interfere with data or systems, or to distribute tools used to commit such offences. An AUP that references the 2024 Act and its criminal consequences reinforces the seriousness of IT misuse and forms part of the employer's legal defence framework if criminal conduct by an employee later comes to light.

The Employment Equality Acts 1998–2015 are relevant where IT systems are used for harassment, discriminatory communications, or hate speech. An AUP that expressly prohibits such use — and is consistently enforced — provides a statutory defence for the employer under Section 15 of the Employment Equality Acts 1998–2015 against liability for harassment committed by one employee against another using company IT systems.

The Workplace Relations Commission (WRC), which administers employment rights under the Workplace Relations Act 2015, regularly decides cases involving dismissals for IT policy breaches. The WRC and the Labour Court have consistently held that a clearly communicated, proportionate AUP, which has been brought to the employee's attention and which the employee has acknowledged, supports the reasonableness of disciplinary action up to and including dismissal for serious breaches. Without a written AUP, an employer who dismisses an employee for IT misuse faces significant risk of an unfair dismissal claim under the Unfair Dismissals Acts 1977–2015.

The Data Protection Commission (DPC), Ireland's supervisory authority under the GDPR, has published guidance on employee monitoring that makes clear that any monitoring of employee use of IT systems must be based on a lawful basis under Article 6 GDPR, must be proportionate, and must be disclosed to employees in advance — requirements that are satisfied through a well-drafted AUP. The DPC can impose administrative fines of up to €20 million or 4% of global annual turnover for serious GDPR infringements. An AUP that incorporates the monitoring transparency required by Article 13 GDPR is an essential component of an employer's data protection compliance framework.

The forms-legal.com Acceptable Use Policy (Ireland) template reflects the requirements of the GDPR, the Data Protection Act 2018, the Criminal Justice (Cybercrime Offences) Act 2024, and the Employment Equality Acts 1998–2015, and is designed to support Irish employers in maintaining legally compliant and enforceable IT governance.

When Do You Need an Acceptable Use Policy (Ireland)?

An Acceptable Use Policy in Ireland is needed by any organisation — whether a company registered under the Companies Act 2014, a partnership, a charity, a public body, or a sole trader — that provides employees, contractors, volunteers, or other users with access to IT systems, internet connectivity, email, or cloud-based services.

An AUP is needed at employee onboarding. Under the Terms of Employment (Information) Acts 1994–2014 and the Employment (Miscellaneous Provisions) Act 2018, employers must provide employees with written terms of employment within specified timeframes. The AUP, incorporated by reference into the contract of employment or the employee handbook, forms part of the framework of workplace policies that governs the employment relationship. New employees should sign an acknowledgement of the AUP on or before their first day.

An AUP is needed when an organisation introduces new technology — a new cloud platform, a new collaboration tool, a remote access system, or generative AI software. Each new technology introduces new risks: data exfiltration, shadow IT, GDPR compliance gaps, and potential misuse. An updated AUP that specifically addresses the new technology is essential before it is deployed.

An AUP is needed after any data breach, DPC investigation, or WRC complaint involving employee IT use. Regulatory investigations often reveal gaps in employer IT governance, and the absence of a clear, current AUP is regularly cited as a compliance failure. Updating and re-issuing the AUP after an incident demonstrates remediation and supports the employer's defence in any subsequent regulatory or employment law proceedings.

An AUP is needed for remote and hybrid workers. The shift to remote working — accelerated by the COVID-19 pandemic and now normalised under the Work-Life Balance and Miscellaneous Provisions Act 2023 — means that employees frequently access corporate IT systems from home networks, personal devices, and public locations. An AUP that specifically addresses remote working risks — including use of public Wi-Fi, storage of corporate data on personal devices, and physical security of screens — is essential for organisations with any remote workforce.

Organisations holding large volumes of personal data — financial services firms regulated by the Central Bank of Ireland, healthcare providers overseen by the Health Information and Quality Authority (HIQA), schools and universities — face enhanced regulatory scrutiny of their IT governance and are expected to have a current, staff-acknowledged AUP as a basic compliance measure.

What to Include in Your Acceptable Use Policy (Ireland)

An Irish Acceptable Use Policy that meets the requirements of the GDPR, the Data Protection Act 2018, the Employment Equality Acts 1998–2015, and established standards under WRC and Data Protection Commission guidance should contain the following essential elements.

The scope clause specifies the categories of persons to whom the AUP applies — employees (full-time, part-time, and temporary), contractors, consultants, volunteers, agency workers, and any other person with access to the organisation's IT systems — and the IT assets and services covered, including company-issued devices, personal devices used for work (BYOD), corporate email, internet access, cloud services, and remote access connections.

The permitted uses clause identifies what activities employees may carry out using IT systems in the course of their employment. Permitted uses typically include work-related email and internet browsing, use of approved cloud services and software tools, access to company databases within the scope of the employee's role, and, where the employer tolerates it, limited personal use within defined parameters. The clause should expressly state whether limited personal use of company email and internet is permitted, and if so, any restrictions that apply.

The prohibited activities clause is one of the most important elements of the AUP. Prohibited activities under an Irish AUP should include: accessing, downloading, or distributing illegal content (including material that infringes copyright under the Copyright and Related Rights Act 2000, or material that violates the Child Trafficking and Pornography Act 1998); using IT systems to commit offences under the Criminal Justice (Cybercrime Offences) Act 2024, including unauthorised access to external systems; using IT systems to harass, bully, or discriminate against colleagues or third parties in violation of the Employment Equality Acts 1998–2015 and the Protection against Harassment Act 1997 (as amended); sharing confidential or commercially sensitive information without authorisation; downloading or installing unauthorised software or applications; and using corporate IT systems for personal commercial activities.

The monitoring and surveillance clause is a critical element for GDPR compliance. Under Articles 5, 6, and 13 GDPR and the Data Protection Act 2018, the employer must disclose its monitoring practices to employees before any monitoring begins. The clause should specify: what monitoring is carried out (for example, email content filtering, internet access logs, device activity monitoring, CCTV in the workplace); the lawful basis for each monitoring activity under Article 6 GDPR (typically legitimate interests under Article 6(1)(f), supported by a balancing test); the categories of personal data processed; the retention period for monitoring data; and the identity of the Data Protection Officer (DPO) or the data protection contact, where applicable. The DPC has made clear in its guidance on employee monitoring that covert monitoring is only justified in exceptional circumstances and with prior consultation with the DPC. Blanket monitoring of all employee communications is unlikely to be proportionate.

The GDPR and data protection obligations clause requires employees to comply with the organisation's data protection policies, to handle personal data only in accordance with their role, and to report any suspected personal data breach to the Data Protection Officer (or designated contact) immediately on discovery. Under Article 33 GDPR, the employer (as data controller) must notify the DPC of a personal data breach within 72 hours of becoming aware of it — a timeline that can only be met if employees report incidents promptly.

The BYOD (bring your own device) clause, where applicable, sets out the conditions under which employees may access corporate IT systems using personal devices, the security requirements that must be met (minimum operating system version, password requirements, encryption), the employee's consent to remote wipe of corporate data on the personal device in specified circumstances, and the limitations on the employer's ability to access personal data stored on the personal device.

The consequences of breach clause specifies that violations of the AUP may result in disciplinary action up to and including summary dismissal for serious or repeated breaches. The clause should cross-reference the organisation's disciplinary procedure and confirm that the AUP forms part of the employee's contractual obligations. Consistent enforcement of the AUP is essential — if employers routinely tolerate minor breaches without action, they undermine their ability to rely on the AUP in dismissal proceedings before the WRC.

The acknowledgement section requires each employee to sign a dated acknowledgement confirming that they have read, understood, and agree to comply with the AUP. Signed acknowledgements should be retained on the employee's personnel file and updated whenever the AUP is revised. The forms-legal.com Acceptable Use Policy (Ireland) template includes all mandatory elements and an acknowledgement section compliant with the GDPR and Employment Equality Acts 1998–2015.

Under the Companies Act 2014, the Companies Registration Office (CRO) maintains the register of Irish companies. Section 343 of the Companies Act 2014 sets annual confirmation obligations. The Competition and Consumer Protection Commission (CCPC) enforces the Consumer Rights Act 2022. The Central Bank of Ireland regulates financial services under the Central Bank Act 1971. The High Court of Ireland has jurisdiction under Section 212 of the Companies Act 2014.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Acceptable Use Policy (Ireland) (Ireland) [Legal document template]. Forms Legal. https://forms-legal.com/ireland/business/policies/acceptable-use-policy-ireland

MLA

"Acceptable Use Policy (Ireland) (Ireland)." Forms Legal, 2026, https://forms-legal.com/ireland/business/policies/acceptable-use-policy-ireland.

BibTeX
@misc{formslegal-acceptable-use-policy-ireland,
  author       = {{Forms Legal}},
  title        = {Acceptable Use Policy (Ireland) (Ireland)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/ireland/business/policies/acceptable-use-policy-ireland}},
  note         = {Free legal document template. Based on Companies Act 2014}
}

Based on Companies Act 2014 — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
