Dated: 31 Oct 2017
POLICY TITLE: Acceptable Use Policy
OWNING DIRECTORATE: ICT
AUTHOR: Information Security Officer
CONTACT DETAILS: 101
EQUALITY IMPACT ASSESSMENT: Complete
AUTHORISED PROFESSIONAL PRACTICE (APP) NATIONAL GUIDANCE: Yes
AIM OF POLICY: To protect the confidentiality, integrity and availability of Northumbria Police information assets, whilst ensuring appropriate use of publicly funded services and staff work time.
BENEFIT OF POLICY: To safeguard confidential and sensitive information and protect the reputation of Northumbria Police. Prevent disruption to Northumbria Police ICT systems and protect Northumbria Police and its’ employees from potential legal liabilities.
REASON FOR POLICY: To ensure that all officers and staff understand and accept their personal responsibilities when using Northumbria Police ICT systems in order to protect Northumbria Police information assets. Ensure compliance with the Public Services Network Code of Connection and the Police Service Community Code of Connection.
This policy should be read in conjunction with the National Code of Ethics, the Standards of Professional Behaviour for Police Staff and the Northumbria Police Data Protection Policy.
Northumbria Police recognises the importance of Force information assets and the need for secure, effective management of information systems.
All users of the Northumbria Police ICT systems are bound by the provisions of its policies in addition to this Acceptable Use Policy. Northumbria Police seek to promote and facilitate the positive and extensive use of Information Technology to support the delivery of policing to the highest possible standards.
Security classification measures ensure that police information is stored and handled appropriately in order to protect individual rights in accordance with the law and with respect for the wider public interest.
General use of ICT Systems
Under no circumstances is an individual authorised to engage in activity that is illegal under UK law.
- An attempt to subvert or disable authentication processes, security controls or security systems;
- An attempt to install or reconfigure hardware or software;
- Use of any other individuals’ username, password or warrant / ID card either with or without their consent;
- Permitting the use of a personal username, password or warrant / ID card by another; and,
- Introduction of malicious programs onto Force ICT systems, including, but not limited to, viruses and malware.
The Computer Misuse Act
Contravention of this policy may constitute an offence under the Computer Misuse Act 1990 which introduced the following criminal offences:
- Unauthorised access to computer material, punishable by 6 months imprisonment or a fine "not exceeding level 5 on the standard scale";
- Unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction of 5 years/fine on indictment; and,
- Unauthorised modification of computer material, subject to the same sentences as section 2 offences.
The Data Protection Act 2018 explains that:
A person must not knowingly or recklessly, without the consent of the data controller:
- Obtain or disclose personal data or the information contained in personal data; or,
- Procure the disclosure to another person of the information contained in personal data.
All permanent locations, both Force owned and non-Force owned sites, where access to Northumbria Police ICT Systems is required will be risk assessed by the Force Information Security Officer.
Clear Desk and Clear Screen Policy
In order to reduce the risk of unauthorised access or loss of information, Northumbria Police enforces a clear desk and screen policy as follows:
- Personal or confidential information must be protected using security features provided for example secure print on printers;
- Computers must be logged off or locked when unattended;
- Care must be taken to not leave confidential material on printers or photocopiers; and,
- All Official-Sensitive printed matter must be disposed of using confidential waste bins or shredders.
Equipment and Removable Media
Users of ICT systems are not authorised to move or relocate any ICT equipment.
The use of personal equipment (commonly known as "Bring Your Own Device" or "BYOD") to store or process Force information assets is not permitted.
Users should not connect any non-Northumbria Police authorised device to the Northumbria Police network or IT systems without prior approval by the Information Security Officer or ICT Service Desk.
Only Northumbria Police authorised mobile storage devices with encryption enabled must be used, when transferring Official-Sensitive data.
Use of Email
Internal and external e-mail facilities are available to officers and staff as required, subject to approval of local management. Emails containing sensitive information will only be sent to secure email addresses. Further guidance is available from the Force Information Security Officer.
Force email services are restricted to business use only and automatic forwarding of emails to external email accounts is not permitted.
All emails will be stored electronically by the ICT Department for a period of time and may be inspected by the Force as per the Lawful Business Monitoring Policy. E-mail messages will be subject to disclosure in litigation.
Use of Microsoft Lync
Instant messages are a formal means of communication. Occasional and reasonable personal use of instant messaging is permitted as long as it does not interfere with the performance of duties. Use of instant messaging is subject to audit.
Use of the Internet
Northumbria Police will make internet access available for both business and personal use. Personal use of internet access facilities is limited to non-work time only. Internet access from Force networked PCs will be granted at either Standard or Unrestricted access levels. Area Commanders / Heads of Department are responsible for determining if the use of internet access by their staff is appropriate to the role and that personal use is limited to non-work time.
As use of the internet will be subject to normal Force monitoring any use cannot be assumed to be private. If you wish to conduct personal business, it is advised you use a personal device.
Desktop Internet use can be identified by websites visited as being related to Northumbria Police. All internet usage, including HTTPS traffic, is subject to security scanning to ensure that the Force is protected against the threat or spread of malware. These scans are automated and no records are held of the content of the scan, nor are these scans visible to ICT staff. Internet access is recorded by software that performs an audit function. Dip samples undertaken by Counter Corruption Unit will identify any potential breaches of policy regarding internet use.
Use of Social Media
Northumbria Police will communicate and engage with the general public and the communities it serves, via a range of social media.
At all times Northumbria Police will maximise the availability of on-line processes through which the public can engage with the Force, in line with the approach agreed by Strategic Corporate Communications.
Use of social media by officers and staff, whether in a work related or a personal capacity, must not cause any reputational risk to the Force, organisational activities, or operations, and must be in line with all related procedures and guidance.
Auditing of Access
Northumbria Police will record and monitor the use of all Force communication systems in order to ensure the highest standards of professionalism and integrity alongside the prevention, investigation and detection of criminal offences.
Northumbria Police recognises that the sharing of information is key to assisting operational policing.
Northumbria Police recognise the need to maintain the security of information and information assets when information and documentation is used remotely. This includes the use of laptops, tablets, USB memory sticks, CD/DVD discs, mobile telephone and Personal Digital Assistant (PDA) devices, as well as the use of personal home computers and paper based information.
Mobile Device Usage
The use of mobile devices is covered by the mobile device Security Operating Procedures (SyOps) which users must sign before being issued with their device.
Incident Management / Security Incident Management
Northumbria Police recognise the need for an effective security incident management process.
Where staff suspect there has been either an actual or potential security incident they should report this without delay.
- Data Protection Act 2018
- Computer Misuse Act 1990
- Official Secrets Act 1989
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- The Communications Act 2003
- Wireless Telegraphy Act 1949
- Human Rights Act 1998.
CRITERIA: To be used when determining use of Force internet and email facilities and when consideration is to be given to possible breach of policy.
ACCESS AND DISCLOSURE RESTRICTIONS: None
FORMAL TRAINING REQUIREMENTS: None
IS A LOCAL PROCEDURE REQUIRED IN SUPPORT OF THIS DOCUMENT: No