MPAL – Electronic communications and Wi-Fi policy

Last revised April 2022

1. Introduction

Electronic Communication is an integral part of the work that we do here at MPAL, and how we communicate reflects on MPAL itself and on us, as individuals.

This policy sets out rules for communication using MPAL’ information systems.

  1. Purpose

· to ensure that users of MPAL’ information systems are aware of their responsibilities

· to ensure that MPAL complies with relevant legislation

· to ensure that the commercial interests of MPAL stakeholders are not adversely affected.

 

  1. Scope

This policy sets out acceptable use (business and personal) of all MPAL information systems, which includes but is not limited to telephones, mobile devices, email, internet access including student/guest wi-fi, printer/copiers, instant messages and MPAL’ desktop and virtual desktop environment - together these are referred to in this policy as ‘MPAL systems’.

 

The policy applies to all MPAL employees and all those who have the right to use MPAL systems in any capacity.
 

  1. Responsibilities

It is important that everyone with access to MPAL systems reads, understands and complies with this policy.
 

Non-MPAL employees and/or organisations with access to MPAL systems should confirm their acceptance of this policy.
 

Access to MPAL’ systems will not be granted until the MPAL Systems Terms of Use, or another appropriate contract which explicitly refers to data management (confidentiality, data protection, freedom of information) has been signed.  It is the responsibility of the person commissioning a contract from a third party to ensure the procedure is followed.

 

2 Electronic communications as records
 

2.1 Information must be shared

All electronic communications, in any media or format, that record business activity must be saved into MPAL systems. Your colleagues need information to be shared in order to do their jobs effectively and MPAL needs a complete record of its activity to produce as evidence in legal action.
 

To comply with MPAL policies you are required to give colleagues access to your email as and when required, based on an assessment of operational need, and to make your calendar available to all staff and keep it up to date.
 

2.2 Electronic business communications

When you use the MPAL systems to correspond externally (whatever you write whether via letter, fax, email, on a web forum or using social media) you are corresponding on behalf of MPAL.

 

All MPAL’ business correspondence, including email, must declare our registered office and company number.  MPAL external email messages require particular care because they contain our registered office and company numbers, therefore you should not put anything in an external email that you would not put on MPAL headed note paper.
 

2.3 Data Protection and electronic communications

Under the Data Protection Act, people can ask for access to their personal information. Data in any format that identifies a living person may be made available to that person should they make a subject access request. This includes email, instant messages which have been saved or emailed, and voicemail messages.
 

2.4 Freedom of Information and electronic communications

It is essential that employees are aware that any communication using an MPAL address may be disclosed to an enquirer under MPAL’ commitment to meet the standards of openness and accountability of the Freedom of Information Act.

 

3. Acceptable and unacceptable use

 

You are expected to use electronic communications for business purposes in the best interests of MPAL. However MPAL also permits employees limited use of MPAL systems for personal reasons.

 

Whether you are using MPAL systems for business or personal reasons do not use, communicate, download, upload or access anything that could damage MPAL’ reputation or your own, or result in any unauthorised loss, damage or expense to MPAL.

 

If you misuse MPAL systems or violate this policy, you may face disciplinary action. This may include action up to and including dismissal.

 

Acceptable use is subject to:

· not interfering with the performance of your duties

· not incurring unwarranted expense for MPAL

· not engaging in illegal activity

· not carrying out personal business transactions.

 

Acceptable use allows limited use of MPAL systems for personal interest, recreation, research and studies.

 

3.1 Access to the Internet

When accessing an internet site, always read and comply with the terms and conditions governing its use.

 

MPAL may block access to websites completely and/or at specific times of the day

3.2 Social media

The use of social media in a personal capacity is permitted as long as it does not impact on MPAL work. Personal use of social media is covered by acceptable use detailed above.

 

MPAL’ social media activity is managed by the Managing Director and staff must follow the Guidance on the use of social media and Community guidelines and information when using social media on MPAL’ behalf.

 

3.3 Electronic communications and information security

MPAL’ Information Security Policy requires you to safeguard MPAL’ systems and information assets and to report any suspected breach of security to your line manager immediately.

 

3.4 Viruses and Phishing emails

Be aware of the potential threat and impact of viruses. Do not remove, disable or restrict any MPAL-installed antivirus or firewalling software.

 

Do not pass on or carry out any action contained in an emailed virus warning, without taking advice from MPAL’ IT Support.

 

If you receive an email asking you to verify sensitive information or passwords, you should simply delete it and under no circumstances click on any links in the email. These “phishing” emails often look genuine but will direct you to fake web-sites. Never open a suspect email - even clicking on a link, or downloading pictures might be enough for the attacker to get control of your computer. If you do need to check the contents of the email (if it purports to come from an important contact for instance) then the MPAL IT Support can help you access it securely.

 

3.5 Working remotely

When you are working remotely you must:

· ensure that you take reasonable precautions to prevent theft, disclosure of or tampering with any MPAL equipment, data or media in your possession

· inform the MPAL IT Support of any breach of security or theft of equipment as soon as possible

· ensure that any work which you do remotely is saved to MPAL’ network as soon as reasonably practicable.

 

Extra caution is required when using MPAL equipment on external wi-fi networks – they can be insecure (think before you click!).
 

3.6 Mobile phones

You are permitted to use MPAL mobile phones for personal calls in line with the usage tariff that you signed up to when the phone was issued to you. When you receive your mobile phone you commit to keeping them secure and reporting any loss to the Office Manager.

 

4 Confidentiality of electronic communications

 

Information relating to MPAL’ contacts and our own business operations can be confidential and/or commercially sensitive. Treat all information with care. Passing on personal data, confidential or commercially sensitive information to third parties without authorisation will be viewed as gross misconduct.

4.1 Email

Email is rarely an appropriate media to transmit sensitive personal data or commercially confidential data. Un-encrypted email is not secure, no matter what email system is used.

 

You should also be aware that other colleagues may have access to either your or the recipient's emails and therefore their content (e.g. delegated mailbox access).

 

When sending email relating to a confidential or sensitive matter it is good practice to limit the amount of information in the subject line so that other staff who routinely access your inbox are not given information they do not need. It is also good practice to mark these emails as confidential or sensitive.

 

You should never open or read an email marked confidential or sensitive that is not addressed to you, without the prior arrangement of the addressee, unless there is a clear business need.

 

Never leave your computer screen logged on and unlocked.  You will be held responsible for all inappropriate email activity generated through your account.

 

Line managers:

 

To enable communication between HR and line managers, line managers should not give team members access to their mailbox.  To provide cover, the line managers may give mailbox access to other line managers.

 

4.2 Voicemail

 

You should not open and listen to another staff member’s voicemail messages without their prior arrangement, unless there is a clear business need.

 

4.3 Data protection and electronic communications

In using electronic communications MPAL systems you must comply with MPAL’ Data Protection Policy. You have a responsibility to ensure you understand and adhere to this. If you contravene the Data Protection Act, not only will MPAL’ reputation be damaged but we could be subject to a fine of up to £500,000, enforcement action and a criminal offence may have been committed, by you or by MPAL. This may also lead to disciplinary action.

 

When sending electronic communications you must use contact data stored in an MPAL content management database.  Use of personal data stored elsewhere risks breaching the Data Protection Act by using non-current addresses, or contacting someone who has opted out of further contact with MPAL.

 

You must not:

· obtain, handle or disclose personal information without ensuring you are complying with the law or with the MPAL’ Data Protection Policy

· use external email for communicating confidential or sensitive matters relating to individuals, unless other means of communication have been considered and rejected and the individual has been made aware of the risks and agreed the transmission

 · use internal email for communicating confidential personal data unless you are sure the mailbox is not shared inappropriately.

· allow third parties to read or access personal data in emails or attachments by leaving your computer screen logged on and unlocked.

 

You will be held responsible for all inappropriate email activity generated through your account.

 

5 Privacy and monitoring of electronic data

Whilst respecting privacy as far as possible, all information on MPAL systems is company property. If a business need arises, it may be necessary to check any information transmitted or stored.

 

5.1 What we monitor

To provide MPAL with a secure, authentic and unalterable record of its activity, a copy of all email created or received on MPAL systems is retained for a set period of time (currently 5 years) in an email backup.  The email backup can be searched in response to information requests, subject access requests under the Data Protection Act, appeals, complaints and legal challenges.

 

MPAL has the right to monitor electronic communications and will carry out regular monitoring. This includes, but is not limited to, the email journal; all telephone calls (mobile and landline); use of the internet and all documents printed to networked printers.

 

Staff answering calls to MPAL’s landline will be made aware when these calls are monitored to assist MPAL in maintaining and improving the standards of our customer service and for staff training purposes.

 

Content sent via MS messenger is not monitored but the chat transcript can be saved as a document or an email by any party to the communication should they choose.

 

MPAL will also monitor the IP address of the desktop or laptop PC you are logged into.

 

5.2 How we monitor

 

MPAL’ IT Support uses third party software to continually monitor and record the following:

 

· the amount of time spent by you accessing the Internet

· the type of websites visited by you to ensure that the sites do not contain any material which you are prohibited to access as set out in this policy (attempts to access prohibited websites are also recorded)

· emails sent to and from MPAL for use of inappropriate and/or prohibited content.

 

Occasionally staff may need to access prohibited sites to carry out investigative work on behalf of MPAL. The same staff may be asked to investigate the use and contents of electronic communications, for example email and voicemail may be searched in response to subject access requests under the Data Protection Act or relating to a complaint or grievance which requires investigation under MPAL’ Disciplinary policy and procedure. In this case, the written permission of either the Managing Director or Office Manager must be obtained beforehand.

5.3 Why we monitor

If there is suspected abuse or misuse of the MPAL systems, MPAL will check the monitoring information as described above and information stored on your computer(s) for evidence.

 

Any such evidence will be used to decide whether abuse and/or misuse has taken place. It will also be used to decide whether to counsel or retrain staff and/or whether disciplinary or criminal proceedings will be taken. You will normally be advised that this is taking place unless it is considered that to do so will make it prejudicial to the prevention or detection of abuse, misuse or criminal activity. You will be required to provide the password for any password protected files or folders on your computer(s);

 

Purposes of monitoring include:

· to ensure the effective operation of our information and telecommunications systems

· to maintain system security and a complete view of MPAL business records

· to investigate and detect unauthorised use of the systems, such as personal use outside that allowed in this policy, accessing and distributing inappropriate material, or use that may expose MPAL to legal liabilities, or accessing inappropriate content that may lead to a loss of productivity

· to check whether any matters need to be dealt with in your absence

· to investigate allegations of misconduct, breach of contract, a criminal offence or fraud by the user or a third party

· to pursue any other legitimate reason relating to the operation of the business.

 

The information will be given only to those who need to see it in accordance with these purposes. If you have concerns about privacy it may be in your best interests not to use MPAL systems for personal use.

 

Where possible, MPAL will avoid opening emails clearly marked as private or personal. Personal emails should be marked as such, and those who send them should be encouraged to do the same. This includes emails relating to trade union business.

 

You give your consent to monitoring when you accept your terms and conditions of employment. Where monitoring produces evidence of a breach of MPAL policy or procedure this will be dealt with via the disciplinary procedure.

 

5.4 Forensic readiness procedure

When a serious incident or suspected incident has occurred involving illegal activity including but not limited to

· theft and financial crime

· telecommunications crime and hacking

· the access or storage of illegal content

 

MPAL’ forensic readiness procedure will be followed to protect digital evidence against accidental or malicious destruction, damage, modification or disclosure and to maintain appropriate levels of confidentiality, integrity and availability of the digital evidence.

 

Annex 1 - Acceptable Use of MPAL’ Systems

The term MPAL systems includes MPAL laptops and other devices accessing the internet outside MPAL systems, and personal devices accessing the internet on MPAL and student/guest wi-fi.

Users of MPAL systems must:

 

• comply with all MPAL policy and procedure

• be aware that when they communicate using MPAL systems they are representing MPAL.

 

MPAL Systems must not be used to:
 

· store, view, download or distribute material that is obscene, offensive, homophobic, pornographic, contains violent images, incites criminal behaviour or racial hatred

· access web-sites with illegal content

· send emails, texts, posts or messages, download or publish anything on a web-site, social networking site or blog, which is:

  • critical of MPAL
  • contains specific or implied comments you would not say in person
  • defamatory, sexist, racist, pornographic or offensive on grounds of disability, age, religion or sexual orientation or are otherwise unlawful
  • designed to annoy, harass or bully as detailed in the Dignity at Work policy

· gamble

· undertake political lobbying which might imply MPAL involvement or approval

· promote or run a commercial business

· download or distribute games, music or pictures from the Internet for personal use, download any material which is copyright protected unless you have obtained the necessary permissions

· forward chain letters, jokes and spam

· impersonate another person

· spend work time on personal matters (for example, arranging a holiday, shopping, looking at personal interest web-sites).

· store personal information on the MPAL network that uses up capacity and slows down the systems (for example, personal photos, screensavers or wallpaper)

· download or copy software (excluding software updates) or use the email system to transmit any documents or software without checking copyright or licence agreements

· install software licensed to MPAL on a personal computer unless permission to do so is explicitly authorised by the IT Support.

· do anything which brings MPAL into disrepute.