Internet & Email Acceptable Use Policy (Singapore)

INTERNET AND EMAIL ACCEPTABLE USE POLICY

Company: [Company Name] (UEN: [Company UEN])

Policy Owner: [Policy Owner]

Effective Date: [Effective Date] | Next Review: [Review Date]

This Policy is issued pursuant to Singapore's Personal Data Protection Act 2012 (PDPA), the Computer Misuse Act (Cap. 50A), the Cybersecurity Act (Cap. 5D), and the Tripartite Guidelines on Workplace Monitoring.

1. Purpose

1.1 This Policy establishes the standards for the acceptable use of internet, email, and other IT systems provided by [Company Name] ("Company") to protect the Company's data, reputation, and legal compliance.

2. Scope

2.1 [Scope Description]

2.2 BYOD Policy: [Byod Policy]

3. Permitted Use

3.1 Company IT systems are provided primarily for business purposes. Personal use: [Personal Use Allowed].

3.2 All use of company IT systems must comply with this Policy and applicable Singapore law, including the Computer Misuse Act (Cap. 50A) and the Copyright Act 2021.

4. Prohibited Activities

4.1 The following activities are strictly prohibited on company IT systems: [Prohibited Activities].

4.2 PDPA Compliance: [Data Handling Rules]

4.3 Employees must not attempt to circumvent the Company's IT security controls, firewalls, or content filters.

5. Email Standards

5.1 Company email must be used in a professional manner. Employees must not use company email to send offensive, discriminatory, or harassing communications.

5.2 Employees must exercise caution when opening email attachments or clicking links from unknown senders to prevent phishing and malware attacks.

5.3 Confidential or personal data must not be sent via unencrypted email to external parties without appropriate authorisation.

6. Monitoring

6.1 [Monitoring Statement]

6.2 Monitoring will be conducted in accordance with the PDPA 2012 and Tripartite Guidelines on Workplace Monitoring. Monitoring data will be used only for the stated legitimate business purposes.

7. Security Incident Reporting

7.1 Employees who suspect a security incident, data breach, or policy violation must report it immediately to [Incident Reporting].

7.2 Under the PDPA 2012, the Company is required to notify the PDPC and affected individuals of data breaches that result in significant harm. Prompt reporting by employees is essential.

8. Consequences of Breach

8.1 [Disciplinary Consequences]

8.2 Criminal conduct involving misuse of company IT systems may be reported to the Singapore Police Force and the Cyber Security Agency (CSA).

9. Employee Acknowledgement

I confirm that I have read, understood, and agree to comply with the [Company Name] Internet and Email Acceptable Use Policy. I understand that breach of this Policy may result in disciplinary action.

Employee Acknowledgement

________________

Signature

HR / Policy Owner

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an Internet & Email Acceptable Use Policy (Singapore)?

An Internet & Email Acceptable Use Policy in Singapore sets out the standards and procedures the organisation expects its people to follow.

PDPA compliance is the foremost driver of acceptable use policies for Singapore businesses. The Personal Data Protection Commission (PDPC) has issued multiple enforcement decisions penalising organisations for data breaches originating from employee misuse of email — sending personal data to incorrect recipients, using unsecured personal email accounts for business communications, and failing to encrypt sensitive attachments. Section 24 of the PDPA requires organisations to implement reasonable security arrangements to protect personal data, and an acceptable use policy demonstrates compliance with this obligation.

The Computer Misuse Act (Cap. 50A) criminalises unauthorised access to computer systems (Section 3), unauthorised modification of computer material (Section 5), and unauthorised use of computer services (Section 6). An acceptable use policy defines the boundaries of authorised use for employees, establishing that activities outside the policy constitute potential criminal conduct. The Cyber Security Agency of Singapore (CSA) recommends that all organisations implement acceptable use policies as a baseline cybersecurity measure.

The Employment Act 1968 (Cap. 91) and common law principles of employment govern the employer's authority to monitor employee communications and impose disciplinary consequences for policy violations. The Industrial Arbitration Court and the State Courts have upheld employer terminations for gross misconduct involving internet misuse where the employer had published and communicated a clear acceptable use policy.

MAS-regulated financial institutions — banks, insurers, capital markets intermediaries — face additional requirements under MAS Technology Risk Management (TRM) Guidelines and MAS Notice 655, which mandate specific controls over employee access to internet banking systems, customer data, and electronic trading platforms. Acceptable use policies for financial sector employers must address these regulatory overlays.

The Spam Control Act (Cap. 311A) administered by the Info-communications Media Development Authority (IMDA) regulates unsolicited commercial electronic messages sent from Singapore. An acceptable use policy should prohibit employees from sending unsolicited bulk emails that could expose the employer to enforcement action under the Act.

The Official Secrets Act (Cap. 213) applies to government employees and contractors with access to classified information, imposing additional restrictions on internet and email use that supplement the standard acceptable use policy provisions.

The Protection from Harassment Act (Cap. 256A) addresses online harassment through email and internet platforms, creating civil remedies (protection orders) and criminal penalties for threatening, abusive, or insulting communications. An acceptable use policy that prohibits harassing communications through company email systems protects both the recipient employees and the employer from vicarious liability.

The Telecommunications Act (Cap. 323) and IMDA regulations govern the use of company telecommunications infrastructure, including internet connectivity. Acceptable use policies should reference IMDA's content regulation framework, which prohibits access to content classified as objectionable by the IMDA Content Code — including material that promotes racial or religious hatred, which may also contravene the Sedition Act (Cap. 290) and the Maintenance of Religious Harmony Act (Cap. 167A).

When Do You Need an Internet & Email Acceptable Use Policy (Singapore)?

An Internet and Email Acceptable Use Policy in Singapore becomes necessary when an organisation provides employees with access to company internet, email, and digital communication systems, creating both operational risks and regulatory compliance obligations.

Company incorporation and employee onboarding through ACRA represent the initial trigger. From the first hire, the employer assumes responsibility under the PDPA for how employees handle personal data through company email and internet systems. The PDPC expects organisations to implement data protection policies — including acceptable use policies — from the outset, not retroactively after a breach.

Cybersecurity incidents affecting Singapore businesses have increased substantially, with the Cyber Security Agency of Singapore (CSA) reporting rising cases of phishing, business email compromise (BEC), and ransomware attacks targeting local companies. Implementing an acceptable use policy reduces exposure to these threats by establishing clear rules on email attachment handling, link clicking, and external website access.

MAS-regulated entities face mandatory policy requirements. MAS Technology Risk Management Guidelines require financial institutions to implement policies governing employee use of IT resources, including internet access and email. An MAS inspection or audit will specifically request evidence of an acceptable use policy and employee acknowledgement records.

Remote and hybrid work arrangements — accelerated by the Tripartite Guidelines on Flexible Work Arrangements published by MOM, SNEF, and NTUC — expand the attack surface for employer IT systems. Employees accessing company email from personal devices and home networks require policy coverage addressing VPN usage, device security, and the separation of personal and business communications.

Government contracts and tenders administered through GeBIZ (the Singapore government's electronic procurement portal) often include cybersecurity requirements for contracted vendors. An acceptable use policy may be a mandatory submission document for tenders involving access to government systems or data.

Industry certifications — ISO 27001 (Information Security Management), SOC 2, and the CSA Cyber Essentials/Cyber Trust marks — require documented acceptable use policies as part of the certification audit. Singapore businesses pursuing these certifications need a policy that addresses internet and email use as a control measure.

Internal investigations into employee misconduct — data theft, harassment via email, personal use of company resources — rely on the acceptable use policy as the baseline for determining whether the employee's conduct was authorised. The Employment Act 1968 (Cap. 91) permits dismissal for misconduct under Section 14, but the employer must demonstrate that the employee was aware of the applicable rules.

What to Include in Your Internet & Email Acceptable Use Policy (Singapore)

An Internet and Email Acceptable Use Policy compliant with the PDPA 2012, the Computer Misuse Act (Cap. 50A), the Cybersecurity Act 2018, and the Employment Act 1968 (Cap. 91) should contain the following mandatory and recommended components. The forms-legal.com Singapore Internet and Email Acceptable Use Policy template addresses each element with structured sections aligned to PDPC guidance and CSA cybersecurity recommendations.

The purpose and scope section states the policy's objective — protecting company IT assets, confirming regulatory compliance, and defining acceptable employee behaviour — and identifies the personnel covered. Standard Singapore practice extends coverage to all employees, contractors, temporary staff, and interns with access to company IT resources, regardless of whether they are covered by the Employment Act.

The permitted use section defines acceptable internet and email activities during working hours and on company devices. Singapore employers typically permit limited personal use (checking personal email, browsing news during breaks) while restricting bandwidth-intensive activities (streaming, large file downloads) that affect business operations. The policy should distinguish between company-owned devices and personal devices used under a bring-your-own-device (BYOD) arrangement.

The prohibited activities section lists specific actions that constitute policy violations. Common prohibitions include: accessing or distributing pornographic, discriminatory, or harassing content (violations may also contravene the Protection from Harassment Act, Cap. 256A); downloading unauthorised software (risking malware infection and Computer Misuse Act liability); sending unsolicited commercial emails (exposing the company to Spam Control Act enforcement); forwarding confidential business information to personal email accounts (PDPA breach); and accessing competitor systems or restricted websites using company infrastructure.

The email standards section establishes rules for professional email communication — mandatory email disclaimers, restrictions on auto-forwarding to external addresses, attachment size limits, and encryption requirements for emails containing personal data. The PDPC's enforcement decisions have specifically cited the absence of email encryption as a factor in assessing PDPA penalties.

The monitoring and surveillance disclosure section notifies employees that the company may monitor internet browsing activity, email content, and digital communications on company systems. Section 4(6)(c) of the PDPA provides an exception for monitoring carried out for evaluative purposes, but Singapore employment lawyers recommend explicit employee consent — obtained through the policy acknowledgement — to reduce legal risk. The policy should specify what monitoring technologies are deployed (web filtering, email archiving, endpoint detection) and who has access to monitoring data.

The security incident reporting section requires employees to report suspected cybersecurity incidents — phishing attempts, malware detection, unauthorised access, data breaches — to the company's IT department or Data Protection Officer (DPO). The Cybersecurity Act 2018 requires Critical Information Infrastructure (CII) owners to report incidents to CSA, and the PDPA's mandatory data breach notification provisions (effective 2021) require organisations to notify the PDPC of significant breaches within three calendar days.

The consequences of breach section outlines the disciplinary framework for policy violations — verbal warning, written warning, suspension, and termination for gross misconduct. The Employment Act 1968 permits dismissal without notice for willful breaches of employment conditions under Section 14, and the policy should cross-reference the company's disciplinary procedures. Criminal violations (Computer Misuse Act offences, Official Secrets Act breaches) are referred to the Singapore Police Force.

The employee acknowledgement section requires each employee to sign and date a confirmation that they have read, understood, and agree to comply with the policy. The acknowledgement creates an evidentiary record supporting disciplinary action in the event of policy violation. Singapore employers should obtain acknowledgements from all existing employees upon policy implementation and from new hires during the onboarding process.

The review and update section specifies the policy review cycle — typically annual — and identifies the responsible department (IT, Legal, Human Resources, or the DPO). Regulatory changes from MAS, PDPC, CSA, or MOM may trigger interim policy updates outside the regular review cycle.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Internet & Email Acceptable Use Policy (Singapore) (Singapore) [Legal document template]. Forms Legal. https://forms-legal.com/singapore/business/policies/internet-email-policy-singapore

MLA

"Internet & Email Acceptable Use Policy (Singapore) (Singapore)." Forms Legal, 2026, https://forms-legal.com/singapore/business/policies/internet-email-policy-singapore.

BibTeX
@misc{formslegal-internet-email-policy-singapore,
  author       = {{Forms Legal}},
  title        = {Internet \& Email Acceptable Use Policy (Singapore) (Singapore)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/singapore/business/policies/internet-email-policy-singapore}},
  note         = {Free legal document template. Based on Companies Act 1967 (Cap. 50)}
}

Based on Companies Act 1967 (Cap. 50) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
