Internet and Email Policy (UK)

Internet and Email Policy

England and Wales

[Organisation Name]

Effective: [Effective Date] | Review: [Review Date] | Owner: [Policy Owner]

1. INTRODUCTION AND SCOPE

1.1 This Internet and Email Policy (the "Policy") sets out the rules governing use of [Organisation Name]'s IT systems, including computers, mobile devices, email, internet, and cloud services, by [Policy Scope].

1.2 All individuals covered by this Policy must read, understand, and comply with it. Breach of this Policy may result in disciplinary action, up to and including summary dismissal for gross misconduct.

2. ACCEPTABLE USE

2.1 Company IT systems must be used primarily for legitimate business purposes. All use must comply with applicable law, including the Computer Misuse Act 1990, the Data Protection Act 2018, and the UK GDPR.

2.2 When using company IT systems, individuals must:

  • use only authorised software and applications;
  • keep login credentials confidential and not share passwords;
  • lock screens when leaving workstations unattended;
  • report suspected security incidents to [Reporting Contact] immediately;
  • comply with the organisation's data classification and handling procedures; and
  • not attempt to access systems, data, or networks beyond their authorised level.

3. PROHIBITED ACTIVITIES

3.1 The following activities are strictly prohibited on company IT systems:

  • accessing, downloading, or distributing illegal, obscene, racist, discriminatory, or offensive material;
  • sending emails or messages that are threatening, harassing, or discriminatory under the Equality Act 2010;
  • using company email to make unauthorised commitments or representations on behalf of the organisation;
  • downloading or installing unauthorised software, applications, or browser extensions;
  • introducing viruses, malware, or any harmful code into company systems (an offence under section 3 of the Computer Misuse Act 1990);
  • circumventing or attempting to disable security controls, firewalls, or monitoring systems;
  • using company IT systems to operate a personal business or for commercial gain; and
  • accessing colleagues' emails, files, or data without proper authorisation.

4. EMAIL USE

4.1 Emails sent from company accounts are official business communications and may be relied upon as evidence in legal proceedings.

4.2 Individuals must not send emails that could constitute defamation, harassment, or discrimination. Care must be taken before forwarding confidential information and when using 'Reply All'.

4.3 Company email accounts must include the organisation's standard email footer (including the company's legal name, registered address, and data protection notice).

4.4 Emails containing personal data must be treated as confidential. Before sending personal data outside the organisation, consider whether encryption or secure file transfer is appropriate.

5. DATA SECURITY

5.1 All individuals must handle personal data in accordance with the UK GDPR and the organisation's Data Protection Policy.

5.2 Any suspected data breach (including loss of a device containing personal data) must be reported to [Reporting Contact] immediately, and in any event within one hour of discovery.

6. CONSEQUENCES OF BREACH

6.1 Breach of this Policy may result in disciplinary action under the organisation's disciplinary procedure, up to and including summary dismissal for gross misconduct.

6.2 Certain breaches (such as unauthorised access to computer systems or introduction of malware) may constitute criminal offences under the Computer Misuse Act 1990 and may be reported to the police.

6.3 This Policy is governed by the laws of England and Wales.

Policy Owner / IT Director

________________

Signature

Date: ________________

Employee Acknowledgement

________________

Signature

Date: ________________

Maintained by Vladislav Sergienko, Founder

What Is an Internet and Email Policy (UK)?

An Internet and Email Policy in the United Kingdom sets out the standards, responsibilities, and procedures the organisation expects everyone to follow, and is governed by the Computer Misuse Act 1990.

The legal framework underpinning a UK Internet and Email Policy draws on several overlapping statutes. The Computer Misuse Act 1990 (as amended by the Serious Crime Act 2015) creates criminal offences for unauthorised access to computer systems under sections 1, 2, and 3. The Investigatory Powers Act 2016 regulates the lawful interception of communications and requires employers to satisfy one of the statutory grounds before monitoring employee communications. The UK GDPR and the Data Protection Act 2018 impose obligations on employers as data controllers: any monitoring of employee email or browsing activity constitutes processing of personal data, requiring a lawful basis under UK GDPR Article 6 and, where special category data may be captured, Article 9 as well. A Data Protection Impact Assessment (DPIA) under UK GDPR Article 35 is required before implementing high-risk monitoring.

The Human Rights Act 1998, which gives domestic effect to the European Convention on Human Rights, protects employees' right to respect for private life and correspondence under Article 8. The European Court of Human Rights in Strasbourg established in Bărbulescu v Romania (2017) that employees retain a reasonable expectation of privacy even in relation to communications made on workplace systems. UK employment law, including the Employment Rights Act 1996 and the ACAS Code of Practice on Disciplinary and Grievance Procedures, requires that any disciplinary action taken for breach of an internet and email policy follows a fair process with appropriate investigation and the right to be accompanied at a disciplinary hearing under section 10 of the Employment Relations Act 1999.

The Information Commissioner's Office (ICO) supervises compliance with the UK GDPR and the Data Protection Act 2018 and has published employment practices guidance covering workplace monitoring. The ICO can impose fines of up to £17.5 million or 4% of annual global turnover for serious data protection breaches. The Network and Information Systems (NIS) Regulations 2018 impose additional cybersecurity obligations on operators of essential services and relevant digital service providers, requiring them to take appropriate and proportionate technical and organisational measures to manage network and information system security risks — obligations best addressed in part through a documented internet and email policy. Financial Conduct Authority (FCA)-regulated firms must also comply with FCA Conduct Rules requiring staff to act with integrity and to follow proper standards of market conduct, which a well-drafted internet and email policy supports.

The forms-legal.com Internet and Email Policy (UK) template reflects the requirements of the Computer Misuse Act 1990, the Investigatory Powers Act 2016, the UK GDPR, and the Data Protection Act 2018, and can be adapted to the specific needs of any UK organisation.

When Do You Need an Internet and Email Policy (UK)?

A UK Internet and Email Policy is needed by any organisation that provides employees, workers, contractors, or volunteers with access to company IT systems, email accounts, or internet connectivity. Any business with even one member of staff accessing the internet or email through company-provided systems should have a written policy in place before granting that access.

The policy is particularly important in the following circumstances. Where an employer wishes to monitor employee internet or email usage — whether to detect data breaches, investigate misconduct, or manage productivity — a pre-existing, communicated policy is the primary legal mechanism for limiting employees' reasonable expectation of privacy under the Human Rights Act 1998 and the Investigatory Powers Act 2016. Without such a policy, monitoring may constitute unlawful interception or breach the UK GDPR. The Employment Tribunal has consistently held that disciplinary sanctions for IT misuse are more likely to be upheld where the employer had a clear, published policy that the employee had acknowledged.

Organisations regulated by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) are expected to maintain documented IT policies as part of their operational risk management frameworks under the FCA's Senior Managers and Certification Regime (SM&CR). Similarly, businesses that handle personal data at scale are expected by the Information Commissioner's Office (ICO) to have documented controls over how employees access and process that data, and an internet and email policy is one of the foundational controls in any UK GDPR compliance programme.

Where a business has suffered a cybersecurity incident — such as a phishing attack, malware infection, or data breach notifiable to the ICO under UK GDPR Article 33 — the absence of a documented internet and email policy will be treated as an aggravating factor in any regulatory investigation by the ICO or the National Cyber Security Centre (NCSC). The ACAS Code of Practice on Disciplinary and Grievance Procedures confirms that workplace policies must be clearly communicated to employees before they can form the basis of a disciplinary sanction under the Employment Rights Act 1996.

What to Include in Your Internet and Email Policy (UK)

A well-drafted UK Internet and Email Policy should cover the following key elements to be effective and legally compliant.

The scope clause defines the systems, devices, and staff covered — including company-owned devices, personal devices used for work (BYOD), remote access via VPN, and any cloud-based systems provided by the employer. Clear scope avoids disputes about whether a particular device or system was subject to the policy when disciplinary proceedings are brought under the ACAS Code of Practice on Disciplinary and Grievance Procedures.

The acceptable use clause sets out what employees may lawfully do with company IT systems, including any permitted limited personal use. Where personal use is permitted, the policy should state the boundaries — for example, no streaming, no large file downloads, and no access to websites that may generate legal liability for the employer under the Communications Act 2003.

The prohibited use clause lists categories of use that are absolutely prohibited, including: accessing, creating, distributing, or storing material that is illegal under the Computer Misuse Act 1990, the Obscene Publications Act 1959, or the Communications Act 2003; making defamatory statements; disclosing confidential information without authorisation; and circumventing IT security controls.

The monitoring notice clause is required to satisfy the transparency obligations of the UK GDPR (Articles 13 and 14) and the Investigatory Powers Act 2016. It must state: that monitoring may take place; the purposes for which monitoring is carried out; the types of monitoring used (e.g. email scanning, web filtering, keystroke logging); the legal basis for monitoring under UK GDPR Article 6; whether a Data Protection Impact Assessment (DPIA) under Article 35 has been carried out; and how long monitoring records are retained. Employers regulated by the Financial Conduct Authority (FCA) should note that FCA Conduct Rules under the Senior Managers and Certification Regime (SM&CR) require staff to act with integrity, which includes complying with documented IT policies.

The data security obligations clause requires employees to comply with the organisation's information security controls, including password policies, multi-factor authentication requirements, encryption of portable devices, and reporting of suspected security incidents to the IT department or Data Protection Officer (DPO). Compliance with the Network and Information Systems (NIS) Regulations 2018 may require specific incident reporting obligations for operators of essential services.

The social media clause addresses the use of personal social media accounts during working hours and the posting of content that may bring the employer into disrepute, disclose confidential information, or breach the UK GDPR and the Data Protection Act 2018 by sharing personal data about colleagues or clients without authorisation.

The email retention and deletion clause sets out the retention periods that apply to business email communications — typically two to seven years depending on the sector — and the process for deleting emails in accordance with UK GDPR Article 5(1)(e) data minimisation and storage limitation principles.

The breach and disciplinary consequences clause confirms that breaches of the policy may result in disciplinary action up to and including dismissal under the Employment Rights Act 1996, and that in serious cases involving criminal conduct under the Computer Misuse Act 1990 the matter will be referred to the police. All disciplinary proceedings must follow the ACAS Code of Practice on Disciplinary and Grievance Procedures. The forms-legal.com Internet and Email Policy (UK) template addresses each of these elements and can be customised to reflect the sector requirements of any United Kingdom employer.

Sources & Citations

Statutory citations link to official government sources.

  1. GDPR Article 6 – EU GDPR
  2. GDPR Article 35 – EU GDPR
  3. GDPR Article 33 – EU GDPR
  4. GDPR Article 5 – EU GDPR

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Internet and Email Policy (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/policies/internet-email-policy-uk

MLA

"Internet and Email Policy (UK) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/business/policies/internet-email-policy-uk.

BibTeX
@misc{formslegal-internet-email-policy-uk,
  author       = {{Forms Legal}},
  title        = {Internet and Email Policy (UK) (United Kingdom)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/uk/business/policies/internet-email-policy-uk}},
  note         = {Free legal document template. Based on Companies Act 2006}
}

Based on Companies Act 2006. Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.

Related Documents

You may also find these documents useful:

Data Processing Agreement — UK GDPR (England & Wales)

Create a Data Processing Agreement (DPA) fully compliant with UK GDPR Article 28 and the Data Protection Act 2018 for England and Wales. This template covers all mandatory Article 28(3) processor obligations, ICO registration, sub-processor authorisation with prior notice, UK IDTA provisions for international transfers outside the UK, technical and organisational security measures under Article 32, personal data breach notification timelines, data subject rights assistance, DPIA support, audit rights with advance notice, and data deletion or return obligations. Includes controller ICO registration details, special category data provisions, and automatic termination with the principal services agreement. Governing law: England and Wales. Download as PDF or Word.

Privacy Policy (UK)

Create a detailed UK Privacy Policy compliant with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. This template covers data controller identification, ICO registration, lawful bases for processing, data subject rights, cookies under PECR, international data transfers, data retention, and breach notification. Suitable for websites, apps, and online services operating in England and Wales. Fill in your organisation's details, preview in real time, and download as PDF or Word.

Code of Conduct (UK)

Create a Code of Conduct for employees or members of an organisation operating in England and Wales. Sets out standards of professional behaviour, ethical obligations, conflicts of interest, confidentiality, social media use, and disciplinary consequences. Aligned with the Equality Act 2010, the Bribery Act 2010, UK GDPR, and the ACAS Code of Practice. Download as PDF or Word.

Anti-Bribery and Corruption Policy (England & Wales)

Create a detailed Anti-Bribery and Corruption Policy for England and Wales, designed to constitute "adequate procedures" under section 7(2) of the Bribery Act 2010. This template covers the six MoJ principles: top-level commitment, risk assessment, proportionate procedures, due diligence, communication and training, and monitoring. Includes gifts and hospitality register threshold, facilitation payments prohibition, political and charitable donations rules, third party due diligence, whistleblowing procedures, investigation and sanctions, and record retention aligned to the Limitation Act 1980. Download as PDF or Word.

Acceptable Use Policy (UK)

Define the rules and expectations for using your organisation's IT systems, networks, and digital resources with a detailed Acceptable Use Policy for England and Wales. This template addresses compliance with the Computer Misuse Act 1990, the Data Protection Act 2018 and UK GDPR, and relevant employment law obligations. It covers permitted and prohibited activities, internet and email use, social media conduct, data handling, monitoring rights, and enforcement procedures.