MPES – Electronic communications and Wi-Fi policy
Last revised April 2022
1. Introduction
Electronic Communication is an integral part of the work that we do here at MPES, and how we communicate reflects on MPES itself and on us, as individuals.
This policy sets out rules for communication using MPES’ information systems.
1.1. Purpose
· to ensure that users of MPES’ information systems are aware of their responsibilities
· to ensure that MPES complies with relevant legislation
· to ensure that the commercial interests of MPES stakeholders are not adversely affected.
1.2. Scope
This policy sets out acceptable use (business and personal) of all MPES information systems, which includes but is not limited to telephones, mobile devices, email, internet access including student/guest wi-fi, printer/copiers, instant messages and MPES’ desktop and virtual desktop environment - together these are referred to in this policy as ‘MPES systems’.
The policy applies to all MPES employees and all those who have the right to use MPES systems in any capacity.
1.3. Responsibilities
It is important that everyone with access to MPES systems reads, understands and complies with this policy.
Non-MPES employees and/or organisations with access to MPES systems should confirm their acceptance of this policy.
Access to MPES’ systems will not be granted until the MPES Systems Terms of Use, or another appropriate contract which explicitly refers to data management (confidentiality, data protection, freedom of information) has been signed. It is the responsibility of the person commissioning a contract from a third party to ensure the procedure is followed.
2 Electronic communications as records
2.1 Information must be shared
All electronic communications, in any media or format, that record business activity must be saved into MPES systems. Your colleagues need information to be shared in order to do their jobs effectively and MPES needs a complete record of its activity to produce as evidence in legal action.
To comply with MPES policies you are required to give colleagues access to your email as and when required, based on an assessment of operational need, and to make your calendar available to all staff and keep it up to date.
2.2 Electronic business communications
When you use the MPES systems to correspond externally (whatever you write whether via letter, fax, email, on a web forum or using social media) you are corresponding on behalf of MPES.
All MPES’ business correspondence, including email, must declare our registered office and company number. MPES external email messages require particular care because they contain our registered office and company numbers, therefore you should not put anything in an external email that you would not put on MPES headed note paper.
2.3 Data Protection and electronic communications
Under the Data Protection Act, people can ask for access to their personal information. Data in any format that identifies a living person may be made available to that person should they make a subject access request. This includes email, instant messages which have been saved or emailed, and voicemail messages.
2.4 Freedom of Information and electronic communications
It is essential that employees are aware that any communication using an MPES address may be disclosed to an enquirer under MPES’ commitment to meet the standards of openness and accountability of the Freedom of Information Act.
3. Acceptable and unacceptable use
You are expected to use electronic communications for business purposes in the best interests of MPES. However MPES also permits employees limited use of MPES systems for personal reasons.
Whether you are using MPES systems for business or personal reasons do not use, communicate, download, upload or access anything that could damage MPES’ reputation or your own, or result in any unauthorised loss, damage or expense to MPES.
If you misuse MPES systems or violate this policy, you may face disciplinary action. This may include action up to and including dismissal.
Acceptable use is subject to:
· not interfering with the performance of your duties
· not incurring unwarranted expense for MPES
· not engaging in illegal activity
· not carrying out personal business transactions.
Acceptable use allows limited use of MPES systems for personal interest, recreation, research and studies.
3.1 Access to the Internet
When accessing an internet site, always read and comply with the terms and conditions governing its use.
MPES may block access to websites completely and/or at specific times of the day
3.2 Social media
The use of social media in a personal capacity is permitted as long as it does not impact on MPES work. Personal use of social media is covered by acceptable use detailed above.
MPES’ social media activity is managed by the Managing Director and staff must follow the Guidance on the use of social media and Community guidelines and information when using social media on MPES’ behalf.
3.3 Electronic communications and information security
MPES’ Information Security Policy requires you to safeguard MPES’ systems and information assets and to report any suspected breach of security to your line manager immediately.
3.4 Viruses and Phishing emails
Be aware of the potential threat and impact of viruses. Do not remove, disable or restrict any MPES-installed antivirus or firewalling software.
Do not pass on or carry out any action contained in an emailed virus warning, without taking advice from MPES’ IT Support.
If you receive an email asking you to verify sensitive information or passwords, you should simply delete it and under no circumstances click on any links in the email. These “phishing” emails often look genuine but will direct you to fake web-sites. Never open a suspect email - even clicking on a link, or downloading pictures might be enough for the attacker to get control of your computer. If you do need to check the contents of the email (if it purports to come from an important contact for instance) then the MPES IT Support can help you access it securely.
3.5 Working remotely
When you are working remotely you must:
· ensure that you take reasonable precautions to prevent theft, disclosure of or tampering with any MPES equipment, data or media in your possession
· inform the MPES IT Support of any breach of security or theft of equipment as soon as possible
· ensure that any work which you do remotely is saved to MPES’ network as soon as reasonably practicable.
Extra caution is required when using MPES equipment on external wi-fi networks – they can be insecure (think before you click!).
3.6 Mobile phones
You are permitted to use MPES mobile phones for personal calls in line with the usage tariff that you signed up to when the phone was issued to you. When you receive your mobile phone you commit to keeping them secure and reporting any loss to the Office Manager.
4 Confidentiality of electronic communications
Information relating to MPES’ contacts and our own business operations can be confidential and/or commercially sensitive. Treat all information with care. Passing on personal data, confidential or commercially sensitive information to third parties without authorisation will be viewed as gross misconduct.
4.1 Email
Email is rarely an appropriate media to transmit sensitive personal data or commercially confidential data. Un-encrypted email is not secure, no matter what email system is used.
You should also be aware that other colleagues may have access to either your or the recipient's emails and therefore their content (e.g. delegated mailbox access).
When sending email relating to a confidential or sensitive matter it is good practice to limit the amount of information in the subject line so that other staff who routinely access your inbox are not given information they do not need. It is also good practice to mark these emails as confidential or sensitive.
You should never open or read an email marked confidential or sensitive that is not addressed to you, without the prior arrangement of the addressee, unless there is a clear business need.
Never leave your computer screen logged on and unlocked. You will be held responsible for all inappropriate email activity generated through your account.
Line managers:
To enable communication between HR and line managers, line managers should not give team members access to their mailbox. To provide cover, the line managers may give mailbox access to other line managers.
4.2 Voicemail
You should not open and listen to another staff member’s voicemail messages without their prior arrangement, unless there is a clear business need.
4.3 Data protection and electronic communications
In using electronic communications MPES systems you must comply with MPES’ Data Protection Policy. You have a responsibility to ensure you understand and adhere to this. If you contravene the Data Protection Act, not only will MPES’ reputation be damaged but we could be subject to a fine of up to £500,000, enforcement action and a criminal offence may have been committed, by you or by MPES. This may also lead to disciplinary action.
When sending electronic communications you must use contact data stored in an MPES content management database. Use of personal data stored elsewhere risks breaching the Data Protection Act by using non-current addresses, or contacting someone who has opted out of further contact with MPES.
You must not:
· obtain, handle or disclose personal information without ensuring you are complying with the law or with the MPES’ Data Protection Policy
· use external email for communicating confidential or sensitive matters relating to individuals, unless other means of communication have been considered and rejected and the individual has been made aware of the risks and agreed the transmission
· use internal email for communicating confidential personal data unless you are sure the mailbox is not shared inappropriately.
· allow third parties to read or access personal data in emails or attachments by leaving your computer screen logged on and unlocked.
You will be held responsible for all inappropriate email activity generated through your account.
5 Privacy and monitoring of electronic data
Whilst respecting privacy as far as possible, all information on MPES systems is company property. If a business need arises, it may be necessary to check any information transmitted or stored.
5.1 What we monitor
To provide MPES with a secure, authentic and unalterable record of its activity, a copy of all email created or received on MPES systems is retained for a set period of time (currently 5 years) in an email backup. The email backup can be searched in response to information requests, subject access requests under the Data Protection Act, appeals, complaints and legal challenges.
MPES has the right to monitor electronic communications and will carry out regular monitoring. This includes, but is not limited to, the email journal; all telephone calls (mobile and landline); use of the internet and all documents printed to networked printers.
Staff answering calls to MPES’s landline will be made aware when these calls are monitored to assist MPES in maintaining and improving the standards of our customer service and for staff training purposes.
Content sent via MS messenger is not monitored but the chat transcript can be saved as a document or an email by any party to the communication should they choose.
MPES will also monitor the IP address of the desktop or laptop PC you are logged into.
5.2 How we monitor
MPES’ IT Support uses third party software to continually monitor and record the following:
· the amount of time spent by you accessing the Internet
· the type of websites visited by you to ensure that the sites do not contain any material which you are prohibited to access as set out in this policy (attempts to access prohibited websites are also recorded)
· emails sent to and from MPES for use of inappropriate and/or prohibited content.
Occasionally staff may need to access prohibited sites to carry out investigative work on behalf of MPES. The same staff may be asked to investigate the use and contents of electronic communications, for example email and voicemail may be searched in response to subject access requests under the Data Protection Act or relating to a complaint or grievance which requires investigation under MPES’ Disciplinary policy and procedure. In this case, the written permission of either the Managing Director or Office Manager must be obtained beforehand.
5.3 Why we monitor
If there is suspected abuse or misuse of the MPES systems, MPES will check the monitoring information as described above and information stored on your computer(s) for evidence.
Any such evidence will be used to decide whether abuse and/or misuse has taken place. It will also be used to decide whether to counsel or retrain staff and/or whether disciplinary or criminal proceedings will be taken. You will normally be advised that this is taking place unless it is considered that to do so will make it prejudicial to the prevention or detection of abuse, misuse or criminal activity. You will be required to provide the password for any password protected files or folders on your computer(s);
Purposes of monitoring include:
· to ensure the effective operation of our information and telecommunications systems
· to maintain system security and a complete view of MPES business records
· to investigate and detect unauthorised use of the systems, such as personal use outside that allowed in this policy, accessing and distributing inappropriate material, or use that may expose MPES to legal liabilities, or accessing inappropriate content that may lead to a loss of productivity
· to check whether any matters need to be dealt with in your absence
· to investigate allegations of misconduct, breach of contract, a criminal offence or fraud by the user or a third party
· to pursue any other legitimate reason relating to the operation of the business.
The information will be given only to those who need to see it in accordance with these purposes. If you have concerns about privacy it may be in your best interests not to use MPES systems for personal use.
Where possible, MPES will avoid opening emails clearly marked as private or personal. Personal emails should be marked as such, and those who send them should be encouraged to do the same. This includes emails relating to trade union business.
You give your consent to monitoring when you accept your terms and conditions of employment. Where monitoring produces evidence of a breach of MPES policy or procedure this will be dealt with via the disciplinary procedure.
5.4 Forensic readiness procedure
When a serious incident or suspected incident has occurred involving illegal activity including but not limited to
· theft and financial crime
· telecommunications crime and hacking
· the access or storage of illegal content
MPES’ forensic readiness procedure will be followed to protect digital evidence against accidental or malicious destruction, damage, modification or disclosure and to maintain appropriate levels of confidentiality, integrity and availability of the digital evidence.
Annex 1 - Acceptable Use of MPES’ Systems
The term MPES systems includes MPES laptops and other devices accessing the internet outside MPES systems, and personal devices accessing the internet on MPES and student/guest wi-fi.
Users of MPES systems must:
• comply with all MPES policy and procedure
• be aware that when they communicate using MPES systems they are representing MPES.
MPES Systems must not be used to:
· store, view, download or distribute material that is obscene, offensive, homophobic, pornographic, contains violent images, incites criminal behaviour or racial hatred
· access web-sites with illegal content
· send emails, texts, posts or messages, download or publish anything on a web-site, social networking site or blog, which is:
- critical of MPES
- contains specific or implied comments you would not say in person
- defamatory, sexist, racist, pornographic or offensive on grounds of disability, age, religion or sexual orientation or are otherwise unlawful
- designed to annoy, harass or bully as detailed in the Dignity at Work policy
· gamble
· undertake political lobbying which might imply MPES involvement or approval
· promote or run a commercial business
· download or distribute games, music or pictures from the Internet for personal use, download any material which is copyright protected unless you have obtained the necessary permissions
· forward chain letters, jokes and spam
· impersonate another person
· spend work time on personal matters (for example, arranging a holiday, shopping, looking at personal interest web-sites).
· store personal information on the MPES network that uses up capacity and slows down the systems (for example, personal photos, screensavers or wallpaper)
· download or copy software (excluding software updates) or use the email system to transmit any documents or software without checking copyright or licence agreements
· install software licensed to MPES on a personal computer unless permission to do so is explicitly authorised by the IT Support.
· do anything which brings MPES into disrepute.