Internet and Email – Acceptable Use Policy

Introduction 

This guidance concerns the use of internet and e-mail services provided by Northamptonshire Police for OPFCC business communication. This policy aims to ensure the appropriate use of those services while adhering to the principles of the UK GDPR and DPA 2018.

Internet

Access to the Force’s internal website (Intranet) will typically be provided to all OPFCC employees who have been granted a network logon. The information on the intranet is available to anyone with such a logon – no further access controls are applied. The monitoring and auditing of internet usage is based on the legitimate interests of the OPFCC/force, as per Article 6(1)(f) of the UK GDPR. This monitoring is necessary to ensure appropriate usage, optimal system performance, and the protection of the OPFCC/force’s systems and reputation. Access to the force Intranet is permitted only from devices configured for that purpose by the Digital, Data and Technology Department. Access to the Internet on a force networked device is via an appropriately configured proxy server; staff must not attempt to reconfigure a force computer to bypass this proxy. Access to the World Wide Web, local and force systems is provided for legitimate corporate business usage.

The internet access should NOT be used to conduct any activity that: –

  • Could result in a negative impact on the OPFCC / force.
  • Could discredit the OPFCC / force image or reputation.
  • Could result in any legal action against the OPFCC / force.
  • Is not in the best interests of the OPFCC / force.
  • Conduct any personal business activity.
  • Conduct any political activity.
  • Perform unauthorised fund raising.
  • Disseminate Official (or higher) material outside of the Public Services Network.
  • Perform any unlawful action.
  • Represent your views or opinions as those of the OPFCC / force.
  • Intentionally access any website that is known to present a security threat to the force network or computer systems.
  • Access web facilities that could disguise an employee’s internet usage activity.
  • Access web facilities that could circumvent the internet security protection utilised by the force.
  • Access websites or services that require payment-to-surf.
  • Access any unauthorised instant messaging, internet chat or internet relay chat service.
  • Access any internet-based multimedia service that could interfere with the performance or operation of the force’s internet facilities.
  • Access any websites containing pornographic, racist, sexist, homophobic or otherwise offensive material.
  • Access any web-based e-mail or equivalent internet communication facility unless they have approval in advance to do so from the Information Security Officer. Using these facilities increases the risk posed by internet viruses.
  • Subscribe to any online bulletin boards or newsgroups unless they have approval in advance to do so from the Information Security Officer and it is appropriate to their role.
  • Submit comments or opinions to message boards or forums unless they have been authorised in advance to do so by the OPFCC Communications Team.
  • Purchase products or services that are not relevant to their business role and for which they do not have appropriate authorisation to procure.
  • Access any online trading, brokerage or auction service.
  • Access any online gambling service.
  • Access any peer-to-peer web services or any other form of internet based personal storage or file sharing facility.
  • Develop or maintain a website or access a web hosting service unless staff have approval in advance to do so from the Information Security Officer and they are employed by the OPFCC in a role requiring internet or intranet development duties.

Staff should be aware the force utilises internet access filtering products to routinely restrict access to websites that: –

  • Present known security risks to the force network and computer systems.
  • Contain links to known fraudulent or phishing threats.
  • Could adversely affect the performance of force internet systems.
  • Could result in the download of unnecessary data such as advertisements.
  • Routinely fall outside the average force employee’s business requirements.
  • Are likely to result in a loss of productivity from employees.

Personal use of force internet facilities is permitted during rest periods provided: –

  • The usage is legal, presents no security risk and complies with the force’s maintained list of accessible web sites, web site categories and other terms of acceptable web usage.
  • The usage does not adversely affect the performance of the force internet systems such as by accessing websites or services requiring high bandwidth delivery.
  • The duration is within acceptable limits, is agreeable to your line manager and the usage does not affect your role, business routine, objectives, deadlines or workloads.
  • The downloading of any documents, images and all forms of data to any system or media is only permitted for business use and must not be undertaken for personal use.
  • During personal usage of the internet employees should always identify themselves as acting in a personal capacity and not use any OPFCC identity such as their force provided e-mail address.
  • The user is not working from home. On the basis that home broadband is needed for home working, personal devices are readily available, and the secure remote connection has limitations on capacity, home workers are expected to use their own devices for personal browsing at all times.

Force provided Intranet and Internet access is monitored and audited: –

  • To ensure employee usage is appropriate and in accordance with the employee’s role and responsibilities and the defined terms of force internet usage.
  • To ensure optimal system performance.
  • To maintain system integrity and security and protection from threats such as viruses.

 

Misuse Statement

Staff should be aware that Intranet and Internet usage is monitored by the Force and activity is identifiable to individual employees. Any misuse of the force IT systems including Intranet or Internet facilities will be subject to disciplinary action. Staff should not allow any other person to access the Intranet or Internet using their network logon or electronic identity. The force reserves the right to revoke access to intranet and internet facilities from staff where misuse has been identified. Publishing any material (whether using the employer’s IT system, the employee’s own personal computer or any other device) which is classified as SECRET or above is prohibited. This applies to publication by email, blogging, podcasting or any other form of publication, whether electronic or otherwise. This also applies to any material which damages the reputation of the OPFCC / force, including people associated with the force such as volunteers.

 

E-mail

 Emails, like other documents, are subject to disclosure rules and rights of access by individuals as provided by the Data Protection Act. This means that emails, including those which may have been deleted and are still ‘held’ by the system, may be searched and retrieved by the organisation in order to comply with legislation. All staff should ensure appropriate language is used to maintain the professional standards required by the organisation. Staff should adhere to the principle of data minimisation when sending emails containing personal data. Only the necessary personal information should be included, and appropriate security measures, such as encryption, should be applied when sending sensitive or confidential information via email.

  • All messages must reflect the high standards expected of OPFCC staff as set out in the organisation’s Code of Conduct which necessitates the highest levels of integrity, conduct and accountability.
  • The civil and criminal legislation relating to written communication applies to e-mail messages, including the laws relating to defamation, copyright, obscenity, fraudulent misrepresentation, freedom of information, libel, harassment, wrongful discrimination, Data Protection Act, Official Secrets Act and Criminal Procedures and Investigation Act. Staff must not enter anything in an e-mail that they would not write on paper – all emails are retrievable and auditable.
  • Staff should not use jargon or abbreviations and should use plain English with each other as well as with the public.
  • A message is conversational and therefore does not need to be in any particular format, such as an internal memo.
  • Staff should ensure that they review messages at least once on each working day and delete any as soon as they are no longer required.
  • When on annual leave you should always configure the ‘Out of Office’ reply.
  • Important messages that need to be retained should be saved in a folder in the user’s mailbox.
  • Important documents should be stored in the most appropriate record store. The primary purpose of e-mail is for communication purposes and not storage or records management. For personal documents this may be your H: drive; for OPFCC project documents or papers this may be in Teams, or in a designated folder on W: drive.
  • The email system is provided for business use only, it is the property of the force and must be used accordingly.
  • Internal chain letters must not be used.
  • Caution should be exercised when documents containing graphics or logos are sent by email as this can make the email size large and potentially more difficult to send, receive and manage; these considerations should also apply when including large attachments.
  • Messages sent via email can be forwarded to other users without the originator’s knowledge or permission; users should consider the originator’s view before forwarding emails which have been sent to them.
  • Email should not be used by line managers in place of ‘face to face contact’ when development needs are to be discussed.
  • Each user must delete any old or unwanted messages regularly.
  • Messaging systems such as Cisco Jabber and Teams chat can be efficiently and effectively used to avoid unnecessary e-mail.
  • Target messages to only those who need it.
  • Never send a message rashly or when you are angry; take time to calm down and consider the content of the message.
  • Do not assume that a message has been read (ask for confirmation if required).
  • Programs (e.g. registered software such as any Microsoft products) are not allowed to be sent as attachments using email.
  • When sending emails to individuals outside of the force, the content should be of a standard as if it was a letter.
  • Email forwarding must not be set to automatically send email received at our “.gov.uk” email addresses to addresses outside of the “.police.uk” network, i.e. to personal email accounts.

 

Consideration must be given to ensuring that where sensitive or personal information is included in an email it is appropriately protected. All emails must be treated as at least ‘Official’ under the Government Security Classification scheme and it is the responsibility of the sender to ensure that it is sent securely, and appropriate handling instructions are included where necessary. Whilst personal use of the force internet facilities has been approved, as above, staff are reminded that force provided email accounts should not be used for personal purposes. The wide distribution of email addresses increases the risk of phishing and other attacks. The creation of private email account backups (PST files) is prohibited with the exception of ISD. ISD have the responsibility to ensure all emails are safely backed up at regular intervals and are easy to recover. Staff are prohibited from using email in ways that may disrupt or prevent other colleagues from legitimately using the email system. If you are aware of or suspect misuse of the email system, notify either your line manager or the Information Security Officer, who will take any further action deemed necessary.

Email accounts should be maintained regularly to ensure efficient use is made of Network resources. Care must be taken to ensure distribution groups are up to date to prevent excessive or inappropriate disclosure of data.

Excessive or inappropriate disclosure is the most common data breach, but most of the breaches can be prevented by taking due care and paying attention to the functions built into our e-mail system:

  • Pay attention to out of office messages – when you are sending internally these pop up before you send the mail and could indicate that the mail should be sent to someone else.
  • Pay attention to warnings about external recipients – these are a prompt to check that the content is suitable to send outside the organisation.
  • Respond to undelivered messages – these can indicate that someone has left their role and should be removed from contact lists or distribution groups.
  • Data Loss Prevention tools in Outlook notify when certain types of data are sent, such as NI numbers or bank account details.
  • Your individual named account is designed to only be used by you. You are responsible for any additional access or permissions if you choose to assign them.
  • Delegate permissions on an individual account should only be used in limited circumstances e.g. for PAs to manage calendars. Other more suitable options are available for other circumstances e.g. group calendars and mailboxes should be used for sharing workloads across a team; Form 1250 should be used to request access in the event of unplanned absence of a member of the team.
  • If you have granted any delegated access to your personal e-mail, you need to be aware of staff changes and should remove or amend access accordingly. See Access Control (including Joiner, Mover, Leaver) for more advice.
  • The autocomplete facility (autofill – where previously used e-mail addresses are remembered and can be auto populated into the address fields) can be managed and turned off by individuals. See Autofill guidance on ForceNet.

Email signatures must be used to provide adequate and appropriate contact details for the benefit of mail recipients.

Staff on leave, otherwise absent from work, or who are unable to access their email account for more than three consecutive days, should set their “Out of Office Assistant” to alert email correspondents of the user’s absence. An example of an appropriate message is:

I am out of the office until DDMMYYYY. I will reply to your email when I return. If your email is urgent, please contact [NAME (03000 111222) Ext???]

Care should be taken to ensure that email communications are clear and reflect the expected professional standards as set out in the Code of Conduct. Correspondence should be appropriate, courteous and respectful. For example, it is highly inadvisable to send any communication that you would not feel comfortable reading aloud to your colleagues, as a basic test of ‘reasonableness’. Read through messages before sending to ensure that the content will not be misinterpreted or have the potential to cause offence.

The corporate typeface for emails is Verdana, size 11 (black) and should be used in all emails. Users will not use any form of ‘stationery’, such as Outlook stationery, decorative panels, clipart pictures, sliding/animated signatures or other embellishments that deviate from the prescribed corporate style.

The automatic spellchecker facility in Outlook should be configured to check outgoing messages at all times. Poorly spelt messages may lead to misunderstanding and / or undermine the professional image of the OPFCC.

Most people are unaware of what happens to email when they click the ‘send’ button; it doesn’t just go from you to the person you intended to send it to. Although email appears to be a quick process, each message traverses the public internet going from system to system until it arrives at its intended destination. On its journey email is little more than an electronic postcard, which is open to others along the way. If someone wants to intercept, copy or even alter your emails – and the information they hold – they can do so with relative ease.

Data Subject Rights

All staff members have certain rights under the UK GDPR and DPA 2018 regarding their personal data processed through the internet and email systems provided by the OPFCC/force. These rights include:

  • The right to access: Staff members have the right to request access to their personal data processed by the OPFCC/force.
  • The right to rectification: Staff members have the right to request the correction of inaccurate or incomplete personal data.
  • The right to erasure: Staff members have the right to request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

Requests related to data subject rights should be directed to the OPFCC/force’s Data Protection Officer (DPO). The DPO will respond to such requests in accordance with the UK GDPR and DPA 2018 requirements.

Training and Awareness

The OPFCC/force is committed to providing training and awareness programs to ensure that all staff members understand their responsibilities and obligations under this policy and the relevant data protection laws. Regular training sessions will be conducted to:

  • Familiarise staff with the contents of this policy and its practical application.
  • Educate staff on the principles of the UK GDPR and DPA 2018, and how they relate to internet and email usage.
  • Provide guidance on the secure handling of personal data and the prevention of data breaches.

Attendance at these training sessions is mandatory for all staff members. The OPFCC will maintain records of attendance and ensure that all staff receive the necessary training.

Monitoring and review

Information Security will regularly assess for compliance against this enabling guidance. Any violation will be investigated and if the cause is found to be due to wilful disregard or negligence, it will be treated as a disciplinary offence.