EFA Model Acceptable Use Policy for Employee Use of the Internet

Version 0.5, 24 November 2000

Comments about this document are welcome and may be sent to <aup@efa.org.au>.


As provision of Internet access by employers to employees becomes increasingly common, issues arise as to acceptable use of the Internet in workplaces. Frequently employees find themselves subject to reprimand and/or dismissal in relation to employer policies that have not been previously advised to them, resulting in disharmony and unnecessary confrontation in the workplace. In some cases this situation arises because implementation of Internet access has been delegated to technical staff without due consideration being given by management to the "people issues" inherent in providing employee access to the Internet.

EFA is of the view that less problems would arise if employers developed and disseminated to employees an "Acceptable Use Policy for Employee Use of the Internet". Ideally such a policy would be developed in conjunction with employee representatives with a view to achieving shared ownership and agreement to the policy.

Whether employers wish to involve workforce representatives in policy development or not, for many employers, the primary problem is where to start in developing a policy.

To assist towards that end, EFA has developed a model "Acceptable Use Policy for Employee Use of the Internet" (AUP) and makes it freely available to anyone to copy and adjust for their own workplace needs. The model AUP does not necessarily signify EFA's views about what ought to be "acceptable use" in workplaces; it simply addresses a range of aspects that should be considered in developing an AUP suitable for a particular workplace.


To modify this document for your organisation, you should:

  • Read it carefully to ensure that you agree with it. This policy is an example only and may not conform to the requirements of your particular organisation.
  • Replace "Widgets Ltd" with the name of your organisation.
  • If there are particular applications of the Internet that your organisation cannot provide for employees' personal use due to bandwidth restrictions, such as mailing lists or streaming media, add these to the paragraph about "What is not acceptable use".
  • Perhaps consider quantifying the volume of use that is not acceptable, ie. replace "will use a greater amount of network bandwidth than is appropriate" with e.g. "are greater than 1Mb in size".
  • Consider whether 30 days notice (as provided in the model document) or some other period of notice is required for changes to be made.
  • If you do not keep and monitor logs of Internet usage, remove the sentence that states otherwise (under "Consequences of unacceptable use").
  • If your organisation has implemented, or intends to implement, filtering technologies to restrict employee access to the Internet, you may wish to include a statement to that effect in this document. Prior notice to employees may assist in identifying whether the cause of non-receipt of email messages from clients, or inability to access sites believed to contain non-contentious material, is due to the common tendency of filtering technology to incorrectly block material and if so assist in rectifying the problem, particularly where it interferes with work related use.
  • If your organisation does not already have a separate privacy policy, strongly consider implementing one. This document is not a privacy policy.
  • Remove these instructions and the introduction section at the beginning of this document, that is, cut at the line below.



This policy sets out guidelines for acceptable use of the Internet by employees of Widgets Ltd. The primary purpose for which access to the Internet is provided by Widgets Ltd to its employees is to assist them in carrying out the duties of their employment. They may also use the Internet for reasonable private purposes which are consistent with this Acceptable Use Policy. They may not use the Internet access provided by Widgets Ltd in such a way as to significantly interfere with the duties of their employment or to expose Widgets Ltd to significant cost or risk of liability. Widgets Ltd may modify this policy upon 30 days notice in writing to its employees.


Subject to the balance of this policy, employees may use the Internet access provided by Widgets Ltd for:

  • Work-related purposes;
  • Sending and receiving personal email messages, provided that if email messages are sent with a Widgets Ltd email address in the From: or Reply-To: header, a disclaimer shall accompany the email to the effect that the views of the sender may not represent those of Widgets Ltd;
  • Reading and posting personal Usenet messages on the same condition specified above;
  • Using instant messaging software for personal purposes;
  • Accessing the World Wide Web for personal purposes; and
  • Utilising any other Internet service or protocol for personal purposes after obtaining permission to do so from Widgets Ltd;

provided in each case that the personal use is moderate in time, does not incur significant cost for Widgets Ltd and does not interfere with the employment duties of the employee or his or her colleagues.


Except in the course of an employee's duties or with the express permission of Widgets Ltd, the Internet access provided by the company may not be used for:

  • personal commercial purposes;
  • sending unsolicited bulk email;
  • disseminating confidential information of Widgets Ltd;
  • any illegal purpose;
  • knowingly causing interference with or disruption to any network, information service, equipment or any user thereof;
  • disseminating personal contact information of officers or employees of Widgets Ltd without their consent;
  • knowingly causing any other person to view content which could render the company liable pursuant to equal opportunity or sex discriminaton legislation at the suit of that person; or
  • knowingly downloading or requesting software or media files or data streams that the employee has reason to believe will use a greater amount of network bandwidth than is appropriate.


Widgets Ltd keeps and may monitor logs of Internet usage which may reveal information such as which Internet servers (including World Wide Web sites) have been accessed by employees, and the email addresses of those with whom they have communicated. Widgets Ltd will not, however, engage in real-time surveillance of Internet usage, will not monitor the content of email messages sent or received by its employees unless a copy of such message is sent or forwarded to the company by its recipient or sender in the ordinary way, and will not disclose any of the logged, or otherwise collected, information to a third party except under compulsion of law.

Responsibility for use of the Internet that does not comply with this policy lies with the employee so using it, and such employee must indemnify Widgets Ltd for any direct loss and reasonably foreseeable consequential losses suffered by the company by reason of the breach of policy.

Widgets Ltd will review any alleged breach of this Acceptable Use Policy on an individual basis. If the alleged breach is of a very serious nature which breaches the employee's duty of fidelity to the company (for example, emailing confidential information of the company to a competitor), the employee shall be given an opportunity to be heard in relation to the alleged breach and if it is admitted or clearly established to the satisfaction of the company the breach may be treated as grounds for dismissal.

Otherwise, an alleged breach shall be dealt with as follows:

  • Initially, the employee shall be informed of the alleged breach, given an opportunity to respond to the allegation, and if it is not satisfactorily explained, be asked to desist from or where applicable to remedy the breach.
  • If the breach is not desisted from or remedied, Widgets Ltd may either withdraw the employee's access to the Internet or provide a first warning to the employee, to which the employee shall have an opportunity to respond.
  • If the infringing conduct continues the employee may be given a second and a third warning, to each of which he or she shall have an opportunity to respond.
  • If a breach is committed after the third warning the employee may be dismissed.

Version No: ...... Date: ......