A formal contract that lays out practices and restrictions on the usage of the internet and other related technologies is an internet usage policy. It specifies the limits on the employee when accessing company computers, networks, platforms, or programs. In today’s article, we will guide you on what is internet usage policy, why it’s important, and how to create it in detail. Follow and learn how to create an effective internet access policy within companies.
Internet Policy for Employees
An internet policy for employees provides rules and instructions on the proper use of company equipment, network, and internet access.
It is also referred to as:
- Internet usage policy
- Information security policy
- Fair use policy
- Acceptable use policy
Importance of Internet Usage Policy
In practical terms, an internet usage policy can help ensure that employees make more effective use of it without wasting time on social networks and other entertainment sites that add nothing to their work. The concern should be about the compromised productivity of employees and other issues, such as safety. Your Internet usage policy should include steps to minimize the risks caused by viruses, such as allowing only authorized employees to download and install the software.
This internet access control should be created to give employees a greater sense of responsibility when using the work network. However, it should not be surrounded by authoritarianism and prohibitions, as they can be easily circumvented. It is not difficult to find tutorials that teach you how to access blocked websites; also, using your smartphone, employees can access their social networks at any time. The internet use policy must be more of an educational tool than a punitive one.
The Implementation of the Internet Access Policy
Your internet usage policy should be a practical document so that your people can understand you easily and use it as a guide to know how to act. Once created, it must be presented to all employees. It is interesting to hold a meeting to illustrate each point and address possible questions from employees. Make it clear that these are preventive measures to avoid problems, and there is no intention of creating a climate of prohibitions. Employees must not feel that there is no trust on the part of the manager.
The policy should be regularly reviewed to remove or add items that no longer match the company’s current situation. Most organizations do this every two years, which is considered a reasonable deadline. When presenting the rules, offer a copy to read all the items carefully and ask them to sign to prove they are aware.
Accepted Internet usage
Internet use is encouraged if it results in growing efficiency, and it is done responsibly.
Following are the cases in which internet usage is accepted and encouraged in the workplace:
- Internet use is encouraged if it results in growing efficiency, and it is done responsibly.
- All the data shared, posted, and obtained via the business, and the equipment belongs to the company.
- It should be appropriately handled and under the legal policy of the company.
- The equipment available for workers at the working place belongs to the organization, and its management has all the rights to track the Internet operation of all workers.
- The data sent, generated, and received by the company’s equipment can be tracked as well.
The organization can track any website and downloadable material. They can be outlawed and blocked by the corporation if deemed detrimental to competitiveness and industry.
Unacceptable Internet Usage
Internet use is discouraged and unacceptable if it is used in illegal activities or results in decrease in productivity.
Following are the cases in which internet usage is accepted and encouraged:
- Distributing harassing, aggressive, discriminating, or hateful communications and images using business equipment.
- Using the internet and computers at the workplace to conduct some criminal activity, including downloading of songs, movies, and other content.
- Appropriating someone’s login credentials by using them without permission.
- Illegally copying, handling, or publishing copyrighted content through the business computers.
- Distributing classified business knowledge outside the company.
- Posting unfavorable details about the organization, its owners, or other employees.
- Installing improper applications that may be detrimental to the equipment and network at the workplace.
- Distributing spam emails and posts through the business equipment and the internet.
- Posting knowledge based on your views and portraying it as those held by the entire organization.
Each employee may check with their HR manager or supervisor if not knowing or uncertain about which behavior and details are deemed inappropriate.
What is GDPR?
The General Data Protection Regulation (EU) No. 2016/679 was published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May of the same year, becoming operational from 25 May 2018. GDPR has replaced the contents of the data protection directive (Directive 95/46 / EC) and has repealed the articles that have become incompatible with the code to protect personal data (Legislative Decree No. 196/2003).
The Regulation n. 2016/679 / EU, in art. 88, establishes that the Member States may provide, by law or through collective agreements, more specific rules to ensure the protection of rights and freedoms about the processing of personal data of employees in the context of employment relationships, in particular for purposes of employment, execution of the employment contract, including the fulfillment of obligations established by law or collective agreements. These standards include appropriate and specific measures to safeguard human dignity, legitimate interests, and fundamental rights of data subjects, particularly the transparency of processing, the transfer of personal data within an entrepreneurial group or group of companies carrying out a joint economic activity, and workplace monitoring systems.
It is necessary to reflect that the requirements that make a “data” a “personal data” is the possibility of identifying the person concerned.
There are also some categories of personal data that enjoy superior protection: they are those that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, as well as treat genetic data, biometric data intended to identify a natural person uniquely, data relating to the person’s health or sexual life or sexual orientation. The processing of this data is prohibited, with the exclusion of a series of carefully identified cases.
Situations for Monitoring the Employees
With such generic definitions and such a wide field of application, the activities related to the management of safety at work can necessarily be heavily affected by the constraints and guarantees provided by the standard, whose general criteria can be summarized as follow:
- When you are required by law to hold and use the information for health and safety reasons.
- To make sure you are not discriminating on the grounds of race, religion, sex, or sexuality.
- To keep records of Statutory Sick Pay.
- When you have been given explicit permission to do so for a specified and lawful process, knowing fully what is involved.
Some company tools used by the employer for entirely legitimate purposes may involve the indirect monitoring of the presence and activity of workers in the workplace (think, for example, of the installation of a system for detecting the data of workers, aimed at monitoring their access to areas containing highly confidential information, but able to allow the employer to verify the actual performance of the work). These data treatments, according to law, are based on the legitimate interest of the owner aimed at protecting the loss and/or theft of confidential company information ( customer data) but, to be carried out in compliance with current legislation, they must be preceded by timely information provided to workers.
The standard identifies a “Data Controller” in the person or body that defines, within an organization, the methods of personal processing data and the tools used for this purpose, including precautions and security measures. Under certain conditions, the identification of a “Data Protection Officer, “also known as Data Protection Officer or DPO, is required when, for example, sensitive data is processed within the organization, which is a prevalent condition. Security, or data relating to criminal convictions. The DPO aims to assist organizations in managing personal data to verify compliance with the regulation’s principles.
Rights of employees
The GDPR has been specifically developed to protect people’s rights to have personal information.
As a result of this, all people are eligible:
- To be initially informed of the collection of personal data.
- Reject the monitoring of data while being aware of possible implications.
- Reducing the processing of their data.
- Having access to the data collected.
- To request the removal or rectification of data.
An employee has the right to control data portability by articles 13-14 of the GDPR. It means that, without the permission of the employee, personal information cannot be processed or transmitted to other recipients. Also, all workers are entitled, at any time, to withdraw their consent to the collection of personal data.
An employee has the right to make an official complaint to local authorities if an employer violates the laws or regulations of the GDPR. For example, when an employer monitors, processes, stores, or transmits your personal information without your permission, it is permissible to appeal to data protection authorities.
Penalty for GDPR violation
According to article 4 (12) of the GDPR, the breach of personal data consists of a security breach that has the effect of unauthorized destruction, loss, alteration, disclosure, or access, to personal data transmitted, kept, or subjected to any other type of treatment, whether accidentally or illegally.
Consequently, both unauthorized access and unauthorized disclosure of data such as name, address, email, personal and tax identification numbers, bank information, login, password, user identity, health-related information, religious preference, politics, in addition to other sensitive and non-sensitive data, can be classified as a personal data breach. It should be noted that data breach is a genus, while unauthorized disclosure and access are some of its species.
If there is a violation of personal data, depending on the circumstances related to the event and according to the GDPR’s precepts’ offenses, the supervisory authority can apply sanctions, including the imposition of fines, which must, in each case, be useful, proportionate, and dissuasive. Penalties are measured as the degree of the violation and its impacts, measures adopted to mitigate the damage suffered by individuals, the conduct, and the controller’s degree of responsibility under the circumstances. It is important to note that fines related to personal data breaches can amount to 10 million euros or 2% of annual turnover, whichever is greater.
Violation of the Internet Policy on Company Issued Equipment
The technology and communication resources made available to employees are an integral part of the company’s business. They are the result of constant financial and human investment. It is everyone’s duty and responsibility to ensure the safety and integrity of information and perform their activities accordingly with the interests defined by the company, focused primarily on its professional objectives.
This policy aims to guide an employer with its employees regarding using these resources and warn them that their work environment is not private. All available resources are the sole and exclusive property of the company, civil liability, criminal and labor law for any violation.
Prohibited use of IT resources
As a manager, you should strictly prohibit and claim unacceptable unacceptable to use IT resources during working hours to:
- Access a personal electronic address (email) and social networks such as Facebook, Twitter, LinkedIn, Skype, Snapchat, Reddit, consultations with banking institutions, University websites, blogs, news portals, among others for private purposes.
- Use email or corporate communicator (Skype, Messenger, etc.) for personal purposes, except in urgent situations for quick messages; It is worth remembering that there is no guarantee of privacy in messages exchanged by these means.
- The sending of any note with defamatory, offensive, racist, speculative, obscene, bullying, SPAMs, current, or similar nature content, whether between company or external users.
- Use of video or audio streaming services, such as YouTube, Vimeo, Spotify, Deezer, etc., without ends directly related to your professional activity.
- Use of the company’s telephony resources for personal purposes, except for critical and urgent situations, always with the consent of the coordination or management of the area.
- Use of the company’s WIFI wireless network with personal equipment, except those that have authorization from the area management.
- Use of the computer to perform any type of fraud. It is forbidden to download and store, on a local computer or network drives, commercial software, music, photos, films, or any other material whose rights belong to third parties (copyright), without having a license, purchase, or different agreement license types.
- Carry out activities that waste the efforts of the technical team or network resources.
- Use pen drives, external drives, or other storage devices without prior authorization from the company.
- Share confidential company intellectual property information with third parties.
- Use of cell phones, except for those who have authorization from the management of the area.
- It is strictly forbidden to print private documents of any kind, using equipment and other company resources.
- Employees who have access to restricted content through a password always remember that their identification (username and password) is personal and non-transferable. It is your responsibility to maintain confidentiality about it, and when necessary, request changes to avoid incidents.
- The ICT department makes this policy, as well as other procedures and recommendations on the use of ICT resources, available on all desktops of the company (computer desktop), such as opening tickets, backup rules, procedures for requesting file restoration, password default recommendation, among others. Try to keep up to date with these recommendations and guidelines.
- The employee must protect all information he processes or uses within the company against abuse, improper manipulation, destruction, or loss.
Now that you know what internet usage policy is, its elements, and how it is implemented, you can download our free template to start implementing internet usage policy in your workplace.
No, GDPR applies within European Union but other countries are also trying to incorporate similar laws.
Businesses implement email and internet use policies to avoid legal complications and penalties.
Yes, strict legal actions can be taken if you are found violating the internet policy.
The company states in the internet usage policy that using the internet, email, telephony, and all other computer resources are valuable tools for its business; however, their misuse can hurt area expenses, employee productivity, and the company’s business reputation. All technological resources of the company exist for the exclusive purpose of its business. Therefore, the company gives itself the right to monitor all its users to identify any disagreement with its rules and current legislation.