
IT Acceptable Use Policy (Ireland)


IT ACCEPTABLE USE POLICY

[Organisation Name]

[Organisation Address]

Effective Date: [Policy Date]

Next Review Date: [Review Date]

Policy Owner: [Policy Owner]

1. INTRODUCTION AND PURPOSE

1.1 [Organisation Name] (the “Organisation”) provides information technology (IT) systems, devices, networks, and services to enable the efficient conduct of its business activities.

1.2 This IT Acceptable Use Policy (this “Policy”) sets out the rules governing the use of the Organisation’s IT systems and resources. It is designed to:

  • protect the Organisation’s data, systems, and reputation;
  • ensure compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the Data Protection Act 2018, and the ePrivacy Regulations 2011 (S.I. No. 336 of 2011);
  • safeguard users from legal risk arising from misuse of IT systems; and
  • maintain the integrity, availability, and confidentiality of the Organisation’s information assets.

2. SCOPE

2.1 This Policy applies to: [Covered Persons].

2.2 It covers the following IT systems and resources: [Covered Systems].

2.3 This Policy applies to use of IT systems both on and off the Organisation’s premises, including remote working and when using personal devices to access Organisation systems (“Bring Your Own Device” scenarios).

3. PERMITTED AND PROHIBITED USE

3.1 IT systems are provided primarily for legitimate business purposes. [Personal Use Policy].

3.2 The following activities are strictly prohibited on all Organisation IT systems:

  • accessing, downloading, storing, or distributing illegal, offensive, discriminatory, or obscene content;
  • using IT systems to harass, bully, or discriminate against colleagues or third parties in violation of the Employment Equality Acts 1998–2015;
  • attempting to gain unauthorised access to any system, network, or data;
  • introducing malware, viruses, or other malicious code;
  • sharing user credentials, passwords, or multi-factor authentication tokens;
  • circumventing security controls or monitoring systems;
  • using the Organisation’s IT resources for personal commercial gain;
  • violating the intellectual property rights of third parties, including unlicensed use of software or content.

3.3 Additional prohibited activities specific to this Organisation: [Prohibited Activities].

4. SECURITY REQUIREMENTS

4.1 All users must comply with the following minimum security standards to protect the Organisation’s IT systems and personal data as required by Article 32 of the GDPR:

  • Password policy: [Password Policy];
  • Multi-factor authentication (MFA): [MFA Requirement];
  • Devices must be locked when unattended and secured with a password or PIN;
  • Software updates and security patches must be applied promptly on all Organisation-issued devices;
  • Sensitive data must not be stored on personal devices or unencrypted portable storage media without prior approval.

4.2 Users must report any suspected or actual security incident, data breach, or loss of equipment immediately to: [Incident Reporting Contact]. Under Article 33 of the GDPR, personal data breaches must be reported to the Data Protection Commission within 72 hours of the Organisation becoming aware of them.

5. MONITORING AND PRIVACY

5.1 Monitoring of IT systems: [Monitoring Policy].

5.2 Users should have no expectation of privacy when using Organisation IT systems for personal purposes. However, any monitoring conducted by the Organisation will be proportionate, transparent, and limited to what is necessary for a legitimate business purpose, in accordance with GDPR and the ePrivacy Regulations 2011.

5.3 IT access logs and related data are retained for [Data Retention Period] before being securely deleted.

5.4 Users have the right to access information the Organisation holds about their IT system usage under Article 15 of the GDPR by contacting the Organisation’s Data Protection Officer.

6. DATA PROTECTION OBLIGATIONS

6.1 All users who process personal data in the course of their duties must do so in accordance with the GDPR and the Data Protection Act 2018. This includes:

  • processing personal data only for legitimate, specified purposes;
  • not transferring personal data outside the European Economic Area without appropriate safeguards;
  • reporting any suspected personal data breach immediately; and
  • completing mandatory data protection training as required by the Organisation.

7. CONSEQUENCES OF BREACH

7.1 [Disciplinary Consequences].

7.2 The Organisation reserves the right to suspend or withdraw access to IT systems immediately pending investigation of any suspected breach of this Policy.

7.3 Breaches involving criminal offences may be referred to An Garda Síochána or other competent authorities.

8. REVIEW AND AMENDMENT

8.1 This Policy will be reviewed by [Policy Owner] no later than [Review Date] and updated as required to reflect changes in technology, legislation, or business practice.

8.2 The Organisation reserves the right to amend this Policy at any time. Users will be notified of material changes.

ACKNOWLEDGEMENT OF RECEIPT AND UNDERSTANDING

I confirm that I have received, read, and understood this IT Acceptable Use Policy and agree to comply with its requirements.

Name: ____________________________

Position: ____________________________

Date: ____________________________

Signature: ____________________________

Employee / User

________________

Signature

Authorised Representative

________________

Signature

Maintained by Vladislav Sergienko, Founder.

What Is an IT Acceptable Use Policy (Ireland)?

An IT Acceptable Use Policy in Ireland sets out the standards, responsibilities, and procedures the organisation expects everyone to follow.

The ePrivacy Regulations 2011 are particularly significant because they govern the interception and monitoring of electronic communications — including email, instant messaging, and web browsing — in Ireland. Regulation 5 of S.I. No. 336 of 2011 provides that the interception or surveillance of electronic communications is prohibited except where the users have given their consent or where it is carried out for the purpose of providing the communication service. In the employment context, the Data Protection Commission (DPC) has interpreted this to mean that employers may carry out proportionate, transparent monitoring of IT systems where employees have been clearly informed through an acceptable use policy — but that covert or blanket monitoring without prior notice is unlawful.

GDPR imposes overlapping obligations: personal data processed through IT systems (including email content, web browsing history, and device activity logs) is subject to all of GDPR's data protection principles. The organisation must have a lawful basis for any monitoring, must inform employees through a data protection notice, must confirm that monitoring is proportionate and purpose-limited, and must implement appropriate technical and organisational security measures under GDPR Article 32.

The Criminal Justice (Offences Relating to Information Systems) Act 2017 creates criminal offences of unauthorised access to, and interference with, information systems. By making employees aware of these offences through the IT acceptable use policy, the organisation strengthens both its security posture and its legal position if it needs to pursue disciplinary or criminal action against an employee who misuses its systems.

For organisations in regulated sectors — including financial services firms regulated by the Central Bank of Ireland, healthcare organisations regulated by the Health Information and Quality Authority (HIQA), and law firms regulated by the Law Society of Ireland — specific IT security and data protection obligations may arise under sectoral rules in addition to the general GDPR and ePrivacy framework. These obligations should be reflected in the IT acceptable use policy.

A well-drafted IT Acceptable Use Policy is a foundational element of an organisation's information security governance framework, complementing technical controls with the human behavioural standards needed to protect sensitive data and systems.

The NIS2 Directive (Directive (EU) 2022/2555) required transposition by EU member states by 17 October 2024. Ireland missed this deadline; the transposing legislation — the National Cyber Security Bill 2024 — was published in 2024 but had not completed the Oireachtas legislative process by the deadline. The Bill, when enacted, will transpose NIS2 into Irish law and give the National Cyber Security Centre (NCSC) enhanced regulatory and enforcement powers over operators of essential services (OES) and important entities (IE) across sectors including energy, transport, water, healthcare, financial infrastructure, digital infrastructure, and public administration. Irish organisations likely to fall within these categories should begin preparing for compliance now, as the obligations — including mandatory cybersecurity risk management policies, supply chain security measures, and 24-hour initial incident reporting to the NCSC — will apply from the date of enactment. The NCSC publishes practical cybersecurity guidance for Irish organisations at ncsc.gov.ie, including frameworks aligned with ISO 27001 and NIST CSF.

The Computer Security Incident Response Team (CSIRT) Ireland, part of the NCSC, provides technical assistance to Irish organisations experiencing cybersecurity incidents and publishes alerts and advisories about current cyber threats. An IT acceptable use policy that requires employees to report suspected security incidents immediately to the NCSC-compliant incident response process is a foundational element of any Irish organisation's cybersecurity posture, and directly supports compliance with both the NIS2 Directive and GDPR Article 33 personal data breach notification obligations.

When Do You Need an IT Acceptable Use Policy (Ireland)?

An Irish IT Acceptable Use Policy is needed by any organisation that provides employees, contractors, or other users with access to IT systems, devices, or data — which in practice means virtually every organisation operating in Ireland today. The combination of mandatory GDPR compliance, ePrivacy Regulations obligations, and the prevalence of cybersecurity threats makes an IT acceptable use policy essential for organisations of all sizes.

You need an IT Acceptable Use Policy if your organisation:

  • provides employees with laptops, mobile phones, tablets, or other devices for use in connection with their work;
  • allows employees to access corporate systems remotely, whether from home or while travelling;
  • operates email, instant messaging, collaboration platforms (such as Microsoft Teams or Slack), or other electronic communication systems;
  • stores, processes, or transfers personal data in digital form — which, given the breadth of GDPR's definition of personal data, includes almost all organisations;
  • has experienced or is concerned about IT security incidents, including phishing attacks, ransomware, unauthorised data access, or data exfiltration by departing employees;
  • is subject to sector-specific IT security requirements, such as the Central Bank of Ireland's Information Technology and Cybersecurity Risk Management requirements for regulated financial entities, the NIS2 Directive (Directive (EU) 2022/2555, being transposed into Irish law by the National Cyber Security Bill 2024, which is expected to be enacted in 2025 and will be enforced by the National Cyber Security Centre (NCSC)) for operators of essential services and digital service providers, or the Payment Card Industry Data Security Standard (PCI DSS) for organisations that process card payments;
  • operates a BYOD (bring your own device) policy or allows remote working, creating security risks associated with personal devices accessing corporate systems; or
  • is preparing for a GDPR audit by the Data Protection Commission (DPC) and needs to demonstrate that appropriate technical and organisational measures are in place.

For organisations that have experienced a data breach — a personal data breach must be reported to the DPC within 72 hours under GDPR Article 33 — having an up-to-date IT acceptable use policy is often an important element of demonstrating to the DPC that the organisation had adequate organisational measures in place, which is relevant to the DPC's assessment of whether corrective action, a reprimand, or a fine is appropriate.

Solicitors and cybersecurity consultants advising Irish businesses recommend reviewing the IT acceptable use policy at least annually, and whenever there are material changes to the organisation's IT systems, working arrangements, or applicable regulatory requirements. The Workplace Relations Commission (WRC) has consistently upheld disciplinary sanctions — including dismissal — imposed on employees for serious IT policy breaches where the policy was clearly communicated and the sanction was proportionate to the severity of the breach. Employers who have not documented and communicated a clear IT acceptable use policy face significant difficulty in disciplining employees for IT misuse.

What to Include in Your IT Acceptable Use Policy (Ireland)

A thorough Irish IT Acceptable Use Policy should contain several essential provisions to address the organisation's legal obligations and its practical IT security requirements.

The purpose and scope clause identifies the IT systems, devices, and services covered by the policy (including corporate-owned and personal devices used for work purposes) and specifies the categories of users to whom the policy applies (employees, contractors, agency workers, volunteers, and any other persons granted access to the organisation's IT systems).

The permitted use clause defines what uses of IT systems are authorised. Most policies permit limited personal use of corporate devices, provided it does not interfere with work duties, consume excessive resources, or breach the policy in other respects. The clause should specify the categories of use that require explicit management approval — such as accessing cloud storage accounts, installing third-party software, or connecting to external networks.

The prohibited use clause is the central substantive provision and should enumerate all categories of prohibited conduct in detail. Prohibited conduct commonly includes:

  • accessing, downloading, or distributing illegal content (including child sexual abuse material, material that infringes intellectual property rights, or material that constitutes an offence under the Criminal Justice (Incitement to Violence or Hatred and Hate Offences) Act 2024);
  • unauthorised access to areas of the organisation's systems outside the user's role;
  • unauthorised copying or downloading of confidential data to personal devices or external storage;
  • use of personal email accounts to transmit corporate data;
  • circumventing security controls such as firewalls, content filters, or authentication systems;
  • installing unauthorised software or applications;
  • using IT systems in connection with gambling, online gaming, or other personal activities that pose a reputational or legal risk to the organisation; and
  • engaging in any conduct that could constitute a criminal offence under the Criminal Justice (Offences Relating to Information Systems) Act 2017.

The password and access control clause establishes minimum password requirements (length, complexity, rotation frequency) and multi-factor authentication obligations. It must require users to keep passwords confidential, prohibit sharing login credentials, and establish a process for reporting compromised credentials.

The device security clause sets out requirements for securing devices: encryption, screen lock, automatic timeout, physical security, and requirements for reporting lost or stolen devices immediately. For BYOD devices, the clause should address minimum security standards and the employer's rights in relation to corporate data on the device.

The monitoring clause informs users — in compliance with GDPR transparency requirements and the ePrivacy Regulations 2011 — of the nature and scope of any monitoring that the organisation conducts. The clause must specify the legal basis for monitoring, the types of data that may be collected, the purpose for which monitoring data will be used, and the retention period. This clause is critically important for GDPR compliance.

The incident reporting clause requires users to report IT security incidents — including suspected malware, unauthorised access, data loss, or data breach — to the designated IT security contact immediately. The clause should outline the organisation's GDPR breach notification procedure and the user's role in supporting a prompt response.

The disciplinary consequences clause states that breaches of the policy will be addressed through the organisation's disciplinary procedure, with the range of sanctions depending on the severity of the breach. It should confirm that serious breaches — such as accessing unauthorised data, introducing malware through negligent conduct, or stealing confidential data — may constitute gross misconduct and may also be reported to the Garda Síochána. The forms-legal.com IT Acceptable Use Policy (Ireland) template covers the mandatory elements under Companies Act 2014.

Sources & Citations

Statutory citations link to official government sources.

  1. GDPR Article 32 – EU GDPR
  2. GDPR Article 33 – EU GDPR

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). IT Acceptable Use Policy (Ireland) [Legal document template]. Forms Legal. https://forms-legal.com/ireland/business/policies/it-acceptable-use-policy-ireland



Based on Companies Act 2014. Template last modified June 2026.
