1 Policy Statement
[Your Company Name] (hereinafter referred to as the “Company”) utilises and makes available corporate email for our employees in the functioning of our business activities but recognises the risks to security and personal data posed by such use.
This policy should be read in conjunction with our other information security policies and data protection protocols and measures for a complete approach to securing and protecting personal information.
The Company recognises that email is a necessary and standard way to communicate in business and makes up an essential part of the Company’s communication with other employees, third parties and our customers.
Like all forms of technology used by the Company, email can pose security or business risks if used or set up incorrectly or inappropriately. This email policy sets out our approach and expectations for safe and secure use of email throughout the Company and provides guidelines on good email etiquette for those using and accessing email.
2 Purpose
The purpose of this policy is to provide the Company’s statement of intent on how it sets up, secures, uses and monitors email use within the business. It provides employees with their obligations and expectations when using email and helps to reduce the risk associated with corporate email use.
A portion of the information sent and received by email in the Company constitutes personal information and as such, this policy should be read in conjunction with our other information security and data protection policies.
3 Scope
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). The policy applies within the Company premises and outside where employees are using or accessing corporate email whilst working at home or travelling. This policy is applicable to any device where email is accessed, including smartphones, tablets, other mobile devices, laptops and desktop computers. Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
4 Email Use and Guidelines
The Company has set out guidance for employees on how to use email for best practice, acceptable use and any actions deemed unacceptable when using or accessing the Company email.
4.1 Acceptable Use
The Company have adopted the below set of acceptable use guidelines for employees to follow when using the Company email: –
- Email must be used in accordance with current legislation and regulations
- Employees must adhere to this policy at all times when using corporate email
- The Company email should only be accessed outside of the business premises or hours with the explicit authorisation of a manager or the IT department
- Employees must only access their own business email and must not share or disclose logins or passwords
- Employees must report any unusual or flagged email messages to the [IT Department] immediately
- The Company email should only be used for legitimate business use
4.2 Prohibited Use
In addition to the acceptable use of the Company email system, the below actions and forms of use are unacceptable, and these restrictions must be adhered to by all employees. The Company email must not be used: –
- To send or receive inappropriate content or attachments, including distributing, disseminating or storing images, text or materials that might be considered indecent, racist, sexist, abusive, offensive, pornographic, obscene or illegal
- For personal use, to disseminate personal views or opinions or to access personal emails
- For sending confidential messages to any unauthorised person or location
- To sign-up to personal, inappropriate or non-business internet sites
- For sending or forwarding ‘chain letters’ or social content
- For forwarding Company confidential messages to external locations
- To send, receive or access any copyrighted information in a way that violates or breaches that copyright
- To send unsolicited corporate, marketing or advertising material
- In a way that restricts the sending or receiving of files by other employees (i.e. sending large files without pre-authorisation) or for undertaking deliberate activities that waste any networked resources
- In a way that could introduce any form of computer virus or malware into the Company network
- [Add/delete as applicable]
4.3 Best Practice
As email is used so often to communicate with other people, the Company have set out email etiquette that should be followed by all employees or third parties using the Company email. Appropriate use of the email system and message structure is essential to the Company’s reputation and for best practice when contacting customers or other entities.
The Company suggests that when using corporate email, employees should: –
- Ensure that the ‘to’ field is correctly populated before sending the email
- Turn off ‘Contact Auto-Fill’ for the recipient field so that the email system does not ‘suggest’ the name of the person you are sending the email to
- Not use ‘BCC’ for hiding email recipients as a ‘reply to all’ from the intended recipient will continue to copy the ‘BCC’ in unknowingly – instead send a separate copy of the email to other users
- Not use the email system for sending personal employee content, discussions or opinions such as jokes, outside work events etc
- Always ensure that the ‘Subject’ line is meaningful and appropriate
- Keep the email content brief and to the point – do not clog other employees’ email systems up with lengthy emails if a meeting or phone call would serve better
- Only use the ‘flag’ or ‘urgent’ options when the message is urgent or needs a time sensitive response
- Not add a ‘read receipt’ request onto email as they can become overwhelming when someone receives a lot of email and some servers do not support them
- Not type in all ‘CAPS’ to get a message across or in the subject lines, as in email terms it is seen as shouting and is not polite
5 Personal Email
[If you do not allow use/access to personal email during business hours or on corporate devices, state that here and remove the below paragraph.]
The Company understands that email forms a large part of individuals’ daily lives and is an integral communication tool used by most people. As such, we allow the accessing of personal email, with the below stipulations: –
- Personal email can only be used or accessed on personal devices such as smartphones and must never be accessed via corporate computers or devices
- Use and access to personal email is restricted to non-working periods such as prior to and after work, and lunch and break times
- Employees must never use personal email to send or receive material or information relating to or owned by the Company or for business purposes
- Personal email can only be accessed via an employee’s own 4G/5G or Hotspot Wi-Fi access and must not use or access the Company’s internet connection for personal use
- Personal email must never be used to send or receive inappropriate content, whether for personal or business purposes
6 Email Security
The [IT Department] are responsible for ensuring that the network and email system are adequately protected from viruses and malware (please refer to our Firewall Policy and Malware Policy for further information). However, employees and users can also help to avoid security issues by complying with the below responsibilities. Users of the email system must not: –
- Send or open any attachment that is not recognised, authorised or has come from an unknown source
- Disable or change any of the security settings applied by default to the Company email system and network
- Alter any of the security settings on the device being used to access the email system
- Use any personal device to access the Company email system without first submitting it to the [IT Department] for security software installation and checks
- Send any personal or confidential information by standard software. Speak to the [IT Department] who will advise on the correct secure transfer tool or system for the file type
- Disclose your email login or password or attempt to access another user’s email system
- Leave email systems open, unattended and unlocked when leaving a desk or the room
[You should document here the encryption measures and security protocols that you have on your network and emails or link to the policy where these controls are detailed.]
7 Email Archiving & Retention
Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA18), all personal data, including that stored as a message or in an email system, is subject to the GDPR’s/DPA18’s data minimisation and storage limitation principles, which the Company strictly adheres to.
Our general retention periods and destruction and archiving methods are detailed in our Retention & Erasure Policy, to which all emails and archived messages are subject. To ensure that the Company is prepared for and compliant with the new data protection legislation, we have: –
- Reviewed this email policy to ensure that security and confidentiality are paramount when accessing, sending and receiving messages containing personal information
- Assessed our existing archived message and email database for all devices, documenting any messages or attachments relating to personal information
- Utilised our Information Audit to identify the legal basis for storing or processing personal information emails and applied our retention and destruction processes to any that are no longer required or where we do not have a legal obligation to retain the message
- Created parameters for filtering, categorising and the destruction of emails that we are not obligated or lawfully allowed to retain
Emails that we have a lawful obligation or basis to retain are archived and become the responsibility of the [IT Department/DPO] for review on retention periods and setting accurate destruction dates.
Where any email contains personal information in the form of an attachment (i.e. medical invoices, passport copies, birth certificates etc), these attachments are removed from the email and stored in accordance with our personal information protocols as detailed in our data protection and information security policies.
8 Monitoring Email
The email system and software are provided to employees and relevant third parties for legitimate business use and as such will be subject to being monitored at all times. The [IT Department] can access corporate emails, including sent, received and archived messages and have the right to remove messages or access to email as they deem appropriate.
In compliance with our legal business obligations, any emails sent or received through the corporate email system form part of our business records and must be retained in accordance with our Retention Periods schedule.
9 Responsibilities
All email users within the Company are responsible for adhering to this policy and for the correct and proper use of email and ensuring the security of the information sent and received. Where any employee has or is believed to have breached the standards or requirements set out in this policy, they may face disciplinary action.
The disciplinary penalty will be proportionate to the level of misuse of email but can range from a verbal warning through to dismissal, dependent on the factors involved in the policy breach. Knowingly using email in a manner that does not comply with legal obligations or this policy is a serious matter and the Company will monitor and review all email use to ensure the correct procedures are being followed and adhered to.