David Alexander, technical solutions director, Vistorm Professional Services, looks at acceptable use policies.
Hopefully we can all agree that there is a right way and a wrong way to do most things, especially when it comes to the use of IT systems. Some of these ways can be considered as abuse - of the systems, procedures, people or a combination thereof.
The tricky part is agreeing exactly where the line is to be drawn and getting everyone to adhere to that decision. The most effective way to do that is to formally define the behaviour that is, and is not, acceptable.
The acceptable use policy (AUP), sometimes called a computer misuse policy, is one of the key tools for defining what can be done and what must not, and for providing a legal defence for employees and employers alike.
The AUP serves several purposes:
There are many legal and regulatory requirements placed upon organisations, and this is not the place to discuss them all (they also vary from one country to another), but we do need to consider the potential impact upon the organisation if any of them are broken. The topics covered will certainly include:
Let's start with the big one. There is a legal principle called Vicarious Liability. In English law, this is the legal principle by which a person or organisation (e.g. an employer) can be held liable for the wrongdoings of another person (e.g. an employee).
The organisation can be deemed legally responsible if the individual is shown to be acting on their behalf as part of their work. This is why Norwich Union was fined £450,000 for libel in 1999 after an employee of the company sent defamatory internal emails about a competitor.
In order to defend against this, the organisation must be able to show that they have made it clear to staff that they are forbidden from acting in an unacceptable or illegal manner. The AUP is a key document in providing such a defence.
If the organisation can demonstrate due diligence in educating staff and making their responsibilities clear, they normally have a defence that is useable in court. A level of proof is required, such as the signature of the individual to confirm they have been made aware of their responsibilities, and further sign-offs should be recorded to confirm knowledge has been imparted concerning any additional changes notified to them over time.
In a similar fashion, the AUP can be used as part of a campaign against behaviour such as bullying and racism in the workplace, and to help reduce the incidence and impact of internal security incidents. It's also a useful place to inform all staff of any monitoring of the use of IT and communications systems that may take place, in accordance with regulatory and legal requirements.
Putting an AUP into operation requires an understanding of the laws and regulations that apply. The author must do their homework, talk to the company secretary and a specialist lawyer if necessary. Don't forget to include the HR department in the process.
The document must be drawn up in conjunction with them, especially the part in the AUP that defines the level of any disciplinary offences. Some behaviour can lead to an internal hearing and could lead to dismissal.
It's important that proper procedure is followed right the way through to defend against the possibility of losing at an appeal for unfair dismissal. That starts by ensuring the punishment is proportionate, and the AUP will add weight to the case of the organisation at the tribunal, provided that it has been well communicated and applied fairly and consistently.
Once the list is complete, the next task is to win acceptance and understanding from the staff and any unions. It doesn't matter if this is a new concept or updates to an existing AUP. It is best to consult them and gain support for the contents - show them how they and the company benefit from the contents.
It's much easier to enforce rules that have popular support than to try and impose them, and they'll be much more effective too. Once it has been agreed, make it part of the induction training process and keep good records. Don't forget to ensure all existing staff are made aware of the contents and sign up to it, not just the new starters.
One final point: circumstances, laws and regulations change. Don't forget to review and update the document on a regular basis.
This article first appeared in the March issue of ITNOW.