Acceptable Use Policy (UK)
ACCEPTABLE USE POLICY
[Organisation Name]
[Organisation Address], [Organisation Postcode]
Effective Date: [Effective Date]
Version: 1.0
1. INTRODUCTION
1.1 This Acceptable Use Policy (the "Policy") sets out the rules and standards that govern the use of the information technology systems, networks, devices, and digital resources of [Organisation Name] (the "Organisation").
1.2 The Organisation's IT systems are provided to support the performance of legitimate business activities. This Policy is designed to protect the security and integrity of those systems, to ensure compliance with applicable law, and to set clear expectations about acceptable conduct.
1.3 This Policy is made pursuant to, and should be read alongside, the Organisation's data protection policy, information security policy, and other relevant policies and procedures. It operates in the context of the Organisation's obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Computer Misuse Act 1990, and applicable employment law.
2. SCOPE
2.1 This Policy applies to [Covered Persons] (each referred to in this Policy as a "User").
2.2 This Policy applies to the use of [Systems Description] (collectively referred to as the "Systems").
2.3 This Policy applies whether the User is accessing the Systems from the Organisation's premises, from a remote location, or from a personal device used for work purposes. It applies to access via any means, including wired connections, Wi-Fi, virtual private networks (VPNs), and mobile data.
2.4 By accessing or using the Systems, each User agrees to be bound by and to comply with this Policy. Users who do not agree to comply with this Policy must immediately notify their line manager or the IT department and must not access the Systems.
3. PERMITTED USE
3.1 The Systems are provided primarily for business purposes in connection with the User's role at the Organisation.
3.2 [Personal Use Permitted]
3.3 All use of the Systems must comply with this Policy and with all applicable laws and regulations. Users must not use the Systems in any way that would bring the Organisation into disrepute or that could result in criminal or civil liability for the Organisation or any individual.
4. PROHIBITED ACTIVITIES
4.1 The following activities are strictly prohibited when using the Systems. This list is not exhaustive, and the Organisation reserves the right to treat other conduct as a breach of this Policy if it is harmful, unlawful, or contrary to the Organisation's interests.
4.2 Users must not:
- access, store, distribute, or transmit any material that is unlawful, offensive, defamatory, threatening, discriminatory, or likely to harass any person;
- access, store, distribute, or transmit any material that infringes the intellectual property rights of any third party, including software, music, films, or written works;
- access, store, or distribute content that is pornographic, sexually explicit, or otherwise inappropriate in a professional workplace context;
- access any computer system, program, or data without authorisation or in excess of the User's authorised access — this may constitute an offence under section 1 of the Computer Misuse Act 1990;
- introduce any virus, malware, ransomware, spyware, trojan, or other malicious code into the Systems — this may constitute an offence under section 3 of the Computer Misuse Act 1990;
- circumvent, disable, or attempt to bypass any security control, firewall, content filter, encryption measure, or access control implemented by the Organisation;
- share login credentials, passwords, or access tokens with any other person, including colleagues;
- use the Systems to conduct any personal business or commercial activity for the User's own financial gain;
- use the Systems to send unsolicited commercial communications (spam) in breach of the Privacy and Electronic Communications Regulations 2003;
- use the Systems to engage in any activity that could constitute a criminal offence, including fraud, money laundering, or bribery under the Fraud Act 2006, the Proceeds of Crime Act 2002, or the Bribery Act 2010;
- download, install, or use any software on the Systems without the prior written approval of the IT department;
- connect any unauthorised personal device, USB drive, or external storage medium to the Systems;
- access, copy, transfer, or disclose any personal data for any purpose other than a legitimate business purpose authorised by the Organisation, in compliance with the UK GDPR and the Data Protection Act 2018;
- make or attempt to make any alteration to the Systems' configuration, hardware, or software without the prior written approval of the IT department.
5. INTERNET AND EMAIL USE
5.1 The Organisation's internet connection is provided for business use. Users must not use the internet connection to access websites or online services that are blocked by the Organisation's content filtering systems, or to circumvent such filters using proxies, VPNs not provided by the Organisation, or any other means.
5.2 The Organisation's email system is provided for business communications. Users must not use the Organisation's email address or email system to:
- send communications that are defamatory, abusive, threatening, discriminatory, or likely to harass the recipient;
- send communications that disclose confidential information of the Organisation or any third party without authorisation;
- send bulk commercial emails or marketing communications without appropriate consent in compliance with the Privacy and Electronic Communications Regulations 2003;
- impersonate any other person or send emails using a false sender identity.
5.3 Users should be aware that emails sent from the Organisation's systems may be legally binding on the Organisation and should be treated with the same professionalism as formal written correspondence.
6. SOCIAL MEDIA
6.1 When using social media platforms, whether via the Organisation's Systems or personal devices, Users [Social Media Policy].
6.2 Users must not post content on social media that discloses confidential information, personal data of clients or colleagues, or commercially sensitive information about the Organisation without prior written authorisation.
6.3 Users are personally responsible for content they post on social media and should be aware that posts made in a personal capacity may still be associated with the Organisation if the User identifies their employer or if the content could reasonably be linked to the Organisation.
7. DATA PROTECTION
7.1 All processing of personal data using the Organisation's Systems must comply with the UK GDPR, the Data Protection Act 2018, and the Organisation's data protection policy.
7.2 Users must not:
- access personal data for any purpose other than a legitimate business purpose within the scope of their role;
- store personal data on personal devices, personal cloud storage accounts, or any system outside the Organisation's authorised IT environment unless specifically permitted by the Organisation's data protection policy;
- transfer personal data outside the United Kingdom without the prior written approval of the Organisation's data protection lead or officer;
- retain personal data beyond the period authorised by the Organisation's data retention schedule.
7.3 If a User suspects that a personal data breach has occurred — including if a device containing personal data is lost or stolen, or if personal data has been inadvertently disclosed to an unauthorised party — the User must report the suspected breach to the IT department and the data protection lead immediately, and in any event within 24 hours. The Organisation may be required to report the breach to the Information Commissioner's Office within 72 hours under Article 33 of the UK GDPR.
8. MONITORING
8.1 The Organisation reserves the right to monitor Users' use of the Systems. By accessing the Systems, each User acknowledges that such monitoring may take place. Monitoring may include: [Monitoring Scope].
8.2 Monitoring is carried out [Monitoring Purpose].
8.3 Monitoring constitutes processing of personal data under the UK GDPR. The Organisation processes monitoring data on the basis of its legitimate interests under Article 6(1)(f) of the UK GDPR, having balanced those interests against the rights and freedoms of Users. Users have the right to request access to personal data held about them by contacting the data protection lead.
8.4 Users should have only a limited expectation of privacy when using the Organisation's Systems, including for personal use where permitted by this Policy, because such use may be monitored as described in this section.
9. ENFORCEMENT AND DISCIPLINARY CONSEQUENCES
9.1 Breach of this Policy may result in disciplinary action in accordance with the Organisation's disciplinary procedure and the ACAS Code of Practice on Disciplinary and Grievance Procedures.
9.2 The range of disciplinary outcomes includes:
- informal guidance or a first written warning, for minor or first-time infractions;
- a written warning or final written warning, for more serious breaches or repeated minor breaches;
- dismissal with notice, for serious breaches that nevertheless fall short of gross misconduct;
- summary dismissal without notice or payment in lieu of notice, for gross misconduct.
9.3 The following conduct will be treated as gross misconduct and may result in summary dismissal: [Gross Misconduct Examples].
9.4 Breach of this Policy may also result in the immediate suspension of the User's access to the Systems pending investigation, the referral of the matter to the police or other relevant authorities, and civil proceedings to recover any loss suffered by the Organisation.
9.5 Nothing in this Policy limits the Organisation's right to take any action it considers appropriate in response to a breach, including reporting the matter to law enforcement agencies or regulatory bodies.
10. POLICY REVIEW AND UPDATES
10.1 This Policy will be reviewed at least annually and updated as necessary to reflect changes in the law, the Organisation's technology environment, and best practice in information security.
10.2 The Organisation will notify Users of any material changes to this Policy. Continued use of the Systems following notification of a change constitutes acceptance of the updated Policy.
10.3 This Policy is governed by and construed in accordance with the laws of England and Wales. Any dispute arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.
ACKNOWLEDGEMENT
I acknowledge that I have read, understood, and agree to comply with the Acceptable Use Policy of [Organisation Name] (version 1.0, effective [Effective Date]). I understand that breach of this Policy may result in disciplinary action up to and including summary dismissal.
User / Employee
________________
Signature
Authorised Signatory (on behalf of [Organisation Name])
________________
Signature
What Is an Acceptable Use Policy (UK)?
An Acceptable Use Policy (AUP) in the United Kingdom sets out the standards, responsibilities, and procedures an organisation expects everyone who uses its IT systems to follow. It is not itself a statutory document, but it operates against the backdrop of the Computer Misuse Act 1990, UK data protection law, the rules on interception of communications, and employment law.
In England and Wales, an AUP operates against the backdrop of several important statutory frameworks. The Computer Misuse Act 1990 criminalises unauthorised access to computer material and unauthorised acts that impair the operation of computer systems. By defining the scope of authorised access and the conditions attached to it, the AUP helps delineate what constitutes 'authorised' use, which matters if disciplinary or criminal proceedings are ever required. The UK General Data Protection Regulation (UK GDPR), retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 impose obligations on organisations to implement appropriate technical and organisational security measures to protect personal data. The Information Commissioner's Office (ICO) regards documented acceptable use policies, employee training, and access controls as core organisational measures for demonstrating compliance with the accountability principle (Article 5(2) UK GDPR). Interception of communications on employer-provided systems is governed by Part 2 of the Investigatory Powers Act 2016, which replaced the interception provisions of the Regulation of Investigatory Powers Act 2000; the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 set out the business purposes for which an employer may monitor or record communications on its own systems, provided it has made all reasonable efforts to inform users that this may happen. Employment law, including the Employment Rights Act 1996 and the ACAS Code of Practice on Disciplinary and Grievance Procedures, requires that employees be clearly informed of conduct standards before disciplinary sanctions can fairly be imposed.
Parties adopting an Acceptable Use Policy (UK) should confirm that the document reflects current law, including any amendments to the statutes above enacted since the original drafting date, and any sector-specific regulatory requirements that apply to the organisation.
When Do You Need an Acceptable Use Policy (UK)?
An Acceptable Use Policy is appropriate for any organisation in England and Wales — whether a business, charity, public authority, or educational institution — that provides employees, contractors, volunteers, or other authorised users with access to IT systems, email, the internet, or any shared digital resources. The policy should be implemented before granting system access to users, and reviewed and updated whenever there are material changes to the organisation's technology, working practices, or legal obligations.
An AUP is particularly important in the following situations. Where employees work remotely or use personal devices for work purposes (bring your own device, or BYOD), the policy must make clear which rules apply to work use of personal devices and what the organisation's rights are with respect to accessing or wiping data on those devices. Where staff handle personal data as part of their role, the AUP complements the organisation's data protection policy by setting out the rules for accessing, storing, transferring, and deleting personal data from systems. Where the organisation is subject to sector-specific regulatory requirements, for example under the Financial Conduct Authority (FCA) rules, the NHS Data Security and Protection Toolkit, or Cyber Essentials certification, the AUP provides documented evidence of the organisational controls required to meet those requirements. Where the organisation wishes to preserve its right to monitor employee use of systems for security, compliance, or productivity purposes, the AUP provides the transparency required by UK data protection law (telling users what is monitored, why, and on what legal basis) and the notice to users required by the Lawful Business Practice Regulations 2000. Where there is a risk of insider threat, whether intentional or accidental data loss, sabotage, or exfiltration of confidential information, a clearly communicated AUP, supported by technical controls and audit logging, strengthens the organisation's ability to detect, investigate, and act on such incidents.
Organisations in the United Kingdom should put an Acceptable Use Policy in place proactively, before granting access and before any dispute arises. Courts and employment tribunals look at the written policy and at whether it was brought to the user's attention, not at informal or oral assurances about what was permitted.
What to Include in Your Acceptable Use Policy (UK)
A well-drafted Acceptable Use Policy for an organisation in England and Wales should contain a number of essential elements that reflect both legal requirements and practical governance needs.
The scope clause defines who the policy applies to — typically all employees, contractors, agency workers, and visitors with access to the organisation's systems — and which systems are covered, including workplace devices, personal devices used for work, cloud services, email, and internet access.
The permitted use clause sets out what the systems may be used for. Most policies permit use for legitimate business purposes and may allow limited, reasonable personal use if the organisation chooses to do so. Clarity here prevents disputes about whether a particular use was authorised.
The prohibited activities clause is the core of the policy. It should address: accessing, storing, or distributing unlawful, offensive, discriminatory, or sexually explicit content; circumventing security controls or installing unauthorised software; sharing passwords or access credentials; using systems to conduct personal business for profit; accessing systems or data beyond the user's authorised scope; and any activity that would constitute an offence under the Computer Misuse Act 1990, the Fraud Act 2006, or the Bribery Act 2010.
The internet and email use clause addresses personal use of the internet and company email during working hours, expectations around professional conduct in external communications, and the prohibition on using company email for personal correspondence that might create legal liability.
The social media clause sets out the rules for posting content that relates to the organisation, its clients, or colleagues, and the distinction between personal and professional use of social media platforms.
The data protection clause reinforces the organisation's obligations under the UK GDPR and the Data Protection Act 2018 in the context of system use — including rules about storing personal data on personal devices, transferring data outside the organisation, and the obligation to report suspected data breaches.
The monitoring clause is legally essential. Under the UK GDPR, employees must be informed that monitoring takes place, what is monitored, the purpose, and the legal basis. Without this transparency, monitoring may be unlawful.
The enforcement clause explains the consequences of a breach, including the right to suspend system access pending investigation, and the range of disciplinary outcomes up to and including dismissal for gross misconduct.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Acceptable Use Policy (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/policies/acceptable-use-policy-uk
"Acceptable Use Policy (UK) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/business/policies/acceptable-use-policy-uk.
@misc{formslegal-acceptable-use-policy-uk,
author = {{Forms Legal}},
title = {Acceptable Use Policy (UK) (United Kingdom)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uk/business/policies/acceptable-use-policy-uk}},
note = {Free legal document template}
}
Frequently Asked Questions
There is no single statutory requirement in England and Wales that compels every organisation to maintain a formal Acceptable Use Policy. However, several pieces of legislation make it strongly advisable, and in regulated sectors effectively mandatory, to have one in place. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations acting as data controllers are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 UK GDPR). The Information Commissioner's Office (ICO) regards documented policies governing the use of systems that process personal data as a core part of those organisational measures. Under the Computer Misuse Act 1990, employees who access computer systems or data without authorisation commit a criminal offence. An Acceptable Use Policy defines the scope of authorised access and helps establish whether an employee's conduct crossed into unauthorised territory. In employment law, a clearly communicated AUP, incorporated by reference into contracts of employment or the staff handbook, forms the basis for disciplinary action if an employee misuses company systems. The Employment Rights Act 1996 and the ACAS Code of Practice on Disciplinary and Grievance Procedures require that employees be made aware of the rules and standards expected of them before disciplinary sanctions can fairly be imposed.
Yes, but only within the boundaries set by UK data protection law, employment law, and the rules on interception of communications. Under the UK GDPR and the Data Protection Act 2018, monitoring employees constitutes processing of personal data and must be lawful, fair, and transparent. The employer must have a lawful basis for the monitoring; this is usually legitimate interests under Article 6(1)(f) UK GDPR, which requires a balancing test between the employer's interests (for example, network security, preventing data breaches, ensuring productivity) and the employee's right to privacy. Consent is rarely an appropriate lawful basis for workplace monitoring because of the imbalance of power between employer and employee, so the role of the AUP is transparency rather than obtaining consent. The employer must inform employees that monitoring takes place, what is monitored, the purpose of the monitoring, and how the data will be used; this is why a monitoring clause in the Acceptable Use Policy, brought to employees' attention, is essential. Covert monitoring is only justifiable in exceptional circumstances, for example where there is reasonable suspicion of serious criminal activity, and should be proportionate and limited in scope and duration. Interception of communications is now governed by the Investigatory Powers Act 2016, which replaced the interception provisions of the Regulation of Investigatory Powers Act 2000: intercepting communications on a private telecommunication system without lawful authority is a criminal offence. An employer's monitoring of its own business communications systems is lawful where both sender and recipient have consented, or where it falls within the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which permit interception for specified business purposes (such as establishing facts, detecting unauthorised use, or preventing or detecting crime) provided the employer has made all reasonable efforts to inform users that their communications may be intercepted.
The Computer Misuse Act 1990 creates three principal offences. The first offence (section 1) is unauthorised access to computer material, commonly known as 'hacking'. It is committed when a person causes a computer to perform any function with intent to secure access to any program or data held in any computer, knowing at the time that the access is unauthorised. It is triable either way and carries up to 12 months' imprisonment on summary conviction or up to two years on indictment. The second offence (section 2) is unauthorised access with intent to commit or facilitate the commission of a further offence, for example accessing a computer system in order to commit fraud. It carries up to five years' imprisonment. The third offence (section 3) is an unauthorised act with intent to impair, or with recklessness as to impairing, the operation of any computer, for example introducing malware, deleting data, or causing a denial of service. It carries up to ten years' imprisonment. Two further offences were added later. Section 3A, inserted by the Police and Justice Act 2006, covers making, supplying, or obtaining articles for use in section 1, 3 or 3ZA offences. Section 3ZA, inserted by the Serious Crime Act 2015, covers unauthorised acts that cause, or create a significant risk of, serious damage of a material kind (to human welfare, the environment, the economy, or national security) and carries up to 14 years' imprisonment, or life imprisonment where the damage is to human welfare or national security. An Acceptable Use Policy reinforces the boundary between authorised and unauthorised use and, combined with audit logs, provides evidence of the scope of authorised access if criminal proceedings are required.
A breach of the Acceptable Use Policy should be handled through the organisation's disciplinary procedure in accordance with the ACAS Code of Practice on Disciplinary and Grievance Procedures. The disciplinary outcome will depend on the nature and severity of the breach: minor infractions (such as occasional personal use of the internet in contravention of a restriction) will normally warrant informal guidance or a first written warning; more serious breaches (such as accessing inappropriate content, circumventing security controls, or sharing confidential data without authorisation) may justify a final written warning or dismissal; gross misconduct (such as accessing child sexual abuse material, distributing malware, or deliberately exfiltrating confidential data to a competitor) may warrant summary dismissal without notice. An employer who dismisses an employee for an AUP breach must be able to demonstrate that a fair investigation was conducted, that the employee was given the opportunity to respond, and that dismissal was within the band of reasonable responses, as required by section 98 of the Employment Rights Act 1996. If the breach also constitutes a personal data breach under the UK GDPR, the organisation must assess whether it is required to report the breach to the ICO within 72 hours (Article 33 UK GDPR) and, in high-risk cases, notify the affected individuals (Article 34 UK GDPR).
An Acceptable Use Policy (UK) does not legally require a lawyer, and organisations may draft and adopt the document themselves. However, independent legal advice from a qualified solicitor is recommended where the organisation operates in a regulated sector, where the monitoring it intends to carry out is extensive or includes personal devices, where the policy must interact with existing employment contracts or collective agreements, or where it will be relied on as evidence in disciplinary, tribunal, or criminal proceedings. A lawyer can verify that the policy complies with current data protection, interception, and employment law, identify risks specific to the organisation's systems and workforce, and confirm that the wording gives users the clear notice on which any later enforcement will depend.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified solicitor for advice specific to your situation.