East Bergholt Parish Council
Information Technology, Communications and Acceptable Use Policy
Policy Owner Parish Clerk
Approved By East Bergholt Parish Council
Approval Date [Insert date]
Next Review Date [Insert date]
Version 1.0
Related Policies Data Protection Policy, Privacy Notice,
Records Retention Policy
Applicable Guidance NALC guidance, UK GDPR, Data Protection
Act 2018, NCSC cyber guidance
1. Purpose
This policy establishes the rules governing the use of council information technology
systems, equipment and digital services.
The objectives are to:
• protect council information and data
• ensure appropriate and responsible use of technology
• reduce cyber security risks
• comply with legal and regulatory obligations
• support efficient council operations.
2. Scope
This policy applies to all councillors, employees, contractors, volunteers and authorised
users who access council IT systems, devices or digital services.
It applies whether equipment is used:
• within council premises
• at home
• while travelling

• through personal devices authorised for council work.
3. Acceptable Use Principles
Council IT resources are provided primarily for council business.
Users must:
• act responsibly when using council systems
• protect confidential council information
• comply with all relevant legislation including data protection law
• avoid accessing inappropriate, illegal or offensive content
• use systems in a way that does not damage the council’s reputation.
Limited personal use may be permitted where it does not interfere with council work or
compromise security.
4. Hardware and Equipment
All council IT equipment must be treated with care and used only for authorised purposes.
Users must:
• lock computers when leaving desks or workstations
• avoid installing unauthorised software
• report faults or damage immediately
• ensure equipment is not dismantled without authorisation
• keep equipment clean and protected from damage.
Council equipment may be asset-tagged and recorded to maintain an inventory.
5. Portable Equipment
Portable devices such as laptops, tablets and smartphones must be handled securely.
Users must:
• keep devices under personal supervision when travelling
• avoid leaving devices unattended in public places
• avoid leaving devices in parked vehicles wherever possible
• store devices securely when not in use.

Devices containing council information must be protected using passwords, PINs or
biometric authentication.
6. Use of Personal Devices (BYOD)
Personal devices may access council systems only where authorised. The Council is moving
towards a .gov.uk email system. When this is in place, users must ensure:
• devices are protected with strong passwords or PINs
• operating systems and applications are regularly updated
• secure Wi‑Fi networks are used
• council data is separated from personal data where possible.
Council data should not be permanently stored on personal devices and should be
transferred to council systems as soon as practicable.
7. Password and Authentication Standards
All accounts used for council business must be protected by strong passwords.
The council follows National Cyber Security Centre guidance recommending passphrases
consisting of three random words.
Where possible:
• multi‑factor authentication (MFA) should be enabled
• passwords must not be shared
• passwords should be changed immediately if compromise is suspected.
8. Monitoring and Logging
The council reserves the right to monitor use of its IT systems where necessary and
proportionate.
Monitoring may occur for:
• cyber security protection
• investigating misuse
• system maintenance
• ensuring compliance with council policies.
Monitoring will comply with relevant legislation including data protection law.

9. Remote Working
Users accessing council systems remotely must ensure:
• screens cannot be viewed by unauthorised persons
• devices are password protected
• sensitive information is handled securely
• confidential documents are not left unattended.
Public or shared computers should not be used for council work unless absolutely
necessary.
10. Email Use
Council email accounts should primarily be used for official council communication.
Users must:
• check recipients carefully before sending emails
• avoid sending sensitive data unnecessarily
• report suspicious emails or phishing attempts
• avoid excessive personal use during working hours.
11. Internet Use
Users must comply with copyright law when accessing or downloading material from the
internet.
Accessing illegal, offensive or inappropriate material using council systems is prohibited.
12. Social Media
Councillors and staff must not disclose confidential council information on social media
platforms.
Personal opinions must not be presented as official council positions.
Users should remain aware that online behaviour may affect the council’s reputation.
13. Cyber Security Controls
The council will implement appropriate cyber security controls including:
• strong authentication mechanisms
• regular software updates and patching
• secure backups of important data

• antivirus and security software where appropriate
• incident response procedures.
Users must report any suspected security concerns immediately.
14. Incident Reporting
Any suspected cyber incident, data breach or security concern must be reported
immediately to the Parish Clerk.
Early reporting allows the council to investigate and take appropriate action to protect
systems and data.
15. Misuse of Systems
Misuse of council IT systems may result in disciplinary action or withdrawal of system
access.
Serious misuse may result in formal investigation and further action in accordance with
council procedures.
16. Policy Review
This policy will be reviewed periodically to ensure it remains effective and aligned with
current legislation, cyber security guidance and council governance practices.