Every organisation (like a company, university, or school) should have a good Acceptable Use of IT Policy setting out what it regards as acceptable use of its information, communications, or technology (IT or ICT) by its users (often employees, contractors, and suppliers). Users should agree (or consent) to be bound by the policy before you give them access.

The policy must dovetail with your organisation’s other policies and policy framework. This policy is actually a combined policy that deals with many different issues. This is possible because the target audience is the same – they are all users.

Why is an IT Policy important?

  • Ensure others can continue to use the IT system by preventing abuse of the system by a few individuals.
  • Comply with the law and therefore avoid sanctions for non-compliance.
  • Avoid labour disputes.
  • Be in a position to take disciplinary action against someone if necessary.
  • Reduce the risk of your organisation being held liable (damages or a fine) for the actions of an employee.
  • Secure the integrity and confidentiality of information, including personal information.
  • Prove to the Information Regulator or a customer that you have been responsible in protecting the personal information. It is an important part of complying with POPI. If the Information Regulator decides to fine you, it must consider whether you had good policies. The fine could be up to R10 million. If you want to reduce a possible fine, you need to have a good policy.

What should be in them?

An Acceptable Use of IT Policy should clearly set out:

  • what users can and can’t do with IT
  • what will happen if they do not use IT acceptably
  • users’ acceptance of the policy

It should deal with the use of the following specific things:

  1. information (including personal and confidential information),
  2. the content of communications and communication tools (like email, Internet, social media, and mobile and fixed line phones), and
  3. technology (computers, laptops, company and personally owned (or BYOD) devices, and software).

Characteristics of good ones

They should be:

  • short and to the point
  • in plain and understandable language
  • well structured
  • consistent
  • in accordance with and inline with the latest laws and rules
  • clear on what is permitted and what is not
  • specific, relevant, and applicable to the target audience
  • give your users a practical understanding of what is expected of them