East Bergholt Parish Council
Information Technology, Communications and Acceptable Use Policy
Policy Owner: Parish Clerk
Approved By: East Bergholt Parish Council
Approval Date: [Insert date]
Next Review Date: [Insert date]
Version: 1.0
Related Policies: Data Protection Policy, Privacy Notice, Records Retention Policy
Applicable Guidance: NALC guidance, UK GDPR, Data Protection Act 2018, NCSC cyber guidance
1. Purpose
This policy establishes the rules governing the use of council information
technology systems, equipment and digital services.
The objectives are to:
• protect council information and data
• ensure appropriate and responsible use of technology
• reduce cyber security risks
• comply with legal and regulatory obligations
• support efficient council operations.
2. Scope
This policy applies to all councillors, employees, contractors, volunteers and
authorised users who access council IT systems, devices or digital services.
It applies whether equipment is used:
• within council premises
• at home
• while travelling
• through personal devices authorised for council work.
3. Acceptable Use Principles
Council IT resources are provided primarily for council business.
Users must:
• act responsibly when using council systems
• protect confidential council information
• comply with all relevant legislation including data protection law
• avoid accessing inappropriate, illegal or offensive content
• use systems in a way that does not damage the council’s reputation.
Limited personal use may be permitted where it does not interfere with council
work or compromise security.
4. Hardware and Equipment
All council IT equipment must be treated with care and used only for authorised
purposes.
Users must:
• lock computers when leaving desks or workstations
• avoid installing unauthorised software
• report faults or damage immediately
• ensure equipment is not dismantled without authorisation
• keep equipment clean and protected from damage.
Council equipment may be asset-tagged and recorded to maintain an inventory.
5. Portable Equipment
Portable devices such as laptops, tablets and smartphones must be handled
securely.
Users must:
• keep devices under personal supervision when travelling
• avoid leaving devices unattended in public places
• avoid leaving devices in parked vehicles wherever possible
• store devices securely when not in use.
Devices containing council information must be protected using passwords, PINs
or biometric authentication.
6. Use of Personal Devices (BYOD)
Personal devices may access council systems only where authorised.
Users must ensure:
• devices are protected with strong passwords or PINs
• operating systems and applications are regularly updated
• secure Wi‑Fi networks are used
• council data is separated from personal data where possible.
Council data should not be permanently stored on personal devices and should
be transferred to council systems as soon as practicable.
7. Password and Authentication Standards
All accounts used for council business must be protected by strong passwords.
The council follows National Cyber Security Centre guidance recommending
passphrases consisting of three random words.
Where possible:
• multi‑factor authentication (MFA) should be enabled
• passwords must not be shared
• passwords should be changed immediately if compromise is suspected.
8. Monitoring and Logging
The council reserves the right to monitor use of its IT systems where necessary
and proportionate.
Monitoring may occur for:
• cyber security protection
• investigating misuse
• system maintenance
• ensuring compliance with council policies.
Monitoring will comply with relevant legislation including data protection law.
9. Remote Working
Users accessing council systems remotely must ensure:
• screens cannot be viewed by unauthorised persons
• devices are password protected
• sensitive information is handled securely
• confidential documents are not left unattended.
Public or shared computers should not be used for council work unless
absolutely necessary.
10. Email Use
Council email accounts should primarily be used for official council
communication.
Users must:
• check recipients carefully before sending emails
• avoid sending sensitive data unnecessarily
• report suspicious emails or phishing attempts
• avoid excessive personal use during working hours.
11. Internet Use
Users must comply with copyright law when accessing or downloading material
from the internet.
Accessing illegal, offensive or inappropriate material using council systems is
prohibited.
12. Social Media
Councillors and staff must not disclose confidential council information on social
media platforms.
Personal opinions must not be presented as official council positions.
Users should remain aware that online behaviour may affect the council’s
reputation.
13. Cyber Security Controls
The council will implement appropriate cyber security controls including:
• strong authentication mechanisms
• regular software updates and patching
• secure backups of important data
• antivirus and security software where appropriate
• incident response procedures.
Users must report any suspected security concerns immediately.
14. Incident Reporting
Any suspected cyber incident, data breach or security concern must be reported
immediately to the Parish Clerk.
Early reporting allows the council to investigate and take appropriate action to
protect systems and data.
15. Misuse of Systems
Misuse of council IT systems may result in disciplinary action or withdrawal of
system access.
Serious misuse may result in formal investigation and further action in
accordance with council procedures.
16. Policy Review
This policy will be reviewed periodically to ensure it remains effective and aligned
with current legislation, cyber security guidance and council governance
practices.