CST, the Holding Company has two Subsidiary Companies – CST Commercial Ltd and the National Teacher Accreditation (NTA) – which are also covered under this Policy and will be referred to collectively throughout this policy as CST.
The need for a policy
All CST’s information communication technology (ICT) facilities and information resources remain the property of CST and not of particular individuals, teams or departments. By following this policy we will help ensure that ICT facilities are used:
The policy relates to all ICT facilities and services provided by CST, although special emphasis is placed on email and the internet. All employees, trustees and any other users of our IT are expected to adhere to the policy.
1. Disciplinary measures
1.1. Deliberate and serious breach of the policy statements in this section may lead to CST taking disciplinary measures in accordance with the CST Disciplinary Policy. CST accepts that ICT – especially the internet and email system – is a valuable business tool. However, misuse of this facility can have a negative impact upon employees’ and trustees’ effectiveness and productivity and the reputation of the organisation.
1.2. In addition, all of CST’s phone, internet and email related resources are provided for business purposes. Therefore, the organisation maintains the right to monitor the volume of internet and network traffic, together with the email systems. The specific content of any transactions will not be monitored unless there is a suspicion of improper use.
2.1. As a user of CST’s equipment and services, you are responsible for your activity.
2.2. Do not disclose personal system passwords or other security details to other employees, trustees or external agents, and do not use anyone else’s log-in; this compromises the security of CST. If someone else gets to know your password, ensure that you change it or get the Executive Officer to help you.
2.3. If you intend to leave your PC or workstation unattended for any reason, you should lock the screen to prevent unauthorised access. If you fail to do this, you will be responsible for any misuse of it while you are away. Logging off is especially important where members of the public have access to the screen in your absence.
2.4. Any pen drives or other storage devices used on CST’s network should be secure and only those that are the property of CST should be used. Please see paragraph 7 for more detail.
2.5. If you are recording or obtaining information about individuals, make sure you are not breaking data protection legislation, and are compliant at all times with CST’s Data Protection Policy. When you are on the internet and using email, make sure your actions are in the interest (and spirit) of CST and do not leave CST open to legal action (for example libel) or reputational damage. Avoid trading insults over the internet.
2.6. Do not attempt to gain unauthorised access to information or facilities. The Computer Misuse Act 1990 makes it a criminal offence to obtain unauthorised access to any computer (including workstations and PCs) or to modify its contents. If you do not have access to information or resources you feel you need, contact the Executive Officer.
3. Use of Email
3.1. When to use email
3.1.1. Use email in preference to paper to reach people quickly (saving time on photocopying / distribution) and to help reduce paper use.
3.1.2. Use the phone for urgent messages (email is a good backup in such instances). Use of email by employees and trustees of CST is permitted and encouraged where such use supports the goals and objectives of CST.
3.1.3. However, CST has a policy for the use of email whereby employees and trustees must ensure that they:
126.96.36.199. comply with current legislation;
188.8.131.52. use email in an acceptable way;
184.108.40.206. do not create unnecessary business risk to CST by their misuse of the internet.
3.2. Unacceptable behaviour
3.2.1. Sending confidential information to external locations without appropriate safeguards in place. See paragraph 5 of this document for more details.
3.2.2. Distributing, disseminating or storing images, text or materials that might be considered indecent, pornographic, obscene or illegal.
3.2.3. Distributing, disseminating or storing images, text or materials that might be considered discriminatory, offensive or abusive, constitutes a personal attack, is sexist or racist, or might be considered as harassment or bullying.
3.2.4. Using copyrighted information in a way that violates the copyright.
3.2.5. Breaking into CST’s or another organisation’s system, or unauthorised use of a password / mailbox.
3.2.6. Broadcasting unsolicited personal views on social, political, religious or other non-business related matters.
3.2.7. Transmitting unsolicited commercial or advertising material.
3.2.8. Undertaking deliberate activities that waste employees’ or volunteers’ effort or networked resources.
3.2.9. Deliberately or recklessly introducing any form of computer virus or malware into the corporate network.
3.3.1. Always exercise caution when committing confidential information to email since the confidentiality of such material cannot be guaranteed. CST reserves the right to monitor electronic communications in accordance with applicable laws and policies. The right to monitor communications includes messages sent or received by system users (employees, trustees, contractors and temporary employees) within and outside the system as well as deleted messages. See paragraph 5 for more detail.
3.4. General points on email use
3.4.1. When publishing or transmitting information externally be aware that you are representing CST and could be seen as speaking on CST’s behalf. Make it clear when opinions are personal. If in doubt, consult your line manager;
3.4.2. Check your inbox at regular intervals during the working day. Keep your inbox fairly empty so that it just contains items requiring your action. Try to decide what to do with each email as you read it (e.g. delete it, reply to it, save the whole email in a folder, or extract just the useful information and save it somewhere logical);
3.4.3. Keep electronic files of electronic correspondence, only retaining what you need to. Do not print it off and keep paper files unless absolutely necessary;
3.4.4. Treat others with respect and in a way in which you would expect to be treated yourself (e.g. do not send unconstructive feedback, argue, or invite colleagues to make public their displeasure at the actions / decisions of a colleague);
3.4.5. Do not forward emails warning about viruses (they are invariably hoaxes and the Executive Officer will probably already be aware of genuine viruses – if in doubt, contact them for advice);
3.4.6. Do not open an email unless you have a reasonably good expectation of what it contains, and do not download files unless they are from a trusted source. For example, do open report.doc from a colleague you know but do not open explore.zip sent from an address you have never heard of, however tempting. Alert IT Support if you are sent anything like this unexpectedly; this is one of the most effective means of protecting CST against email virus attacks.
3.5. Email signatures
3.5.1. Keep these short and include your name, title, phone / fax number(s) and website address.
4. Use of the Internet
4.1. Use of the Internet by employees and trustees is permitted and encouraged where such use supports the goals and objectives of CST.
4.2. However, when using the Internet, employees and trustees must ensure that they:
4.2.1. comply with current legislation;
4.2.2. use the internet in an acceptable way;
4.2.3. do not create unnecessary business risk to the organisation by their misuse of the internet.
4.3. Unacceptable behaviour
4.3.1. In particular the following is deemed unacceptable use or behaviour by employees and trustees (this list is non-exhaustive):
220.127.116.11. Visiting internet sites that contain obscene, hateful, pornographic or other illegal material;
18.104.22.168. Using the computer to perpetrate any form of fraud, or software, film or music piracy;
22.214.171.124. Using the internet to send offensive or harassing material to other users or to send material that may be regarded as party political campaigning;
126.96.36.199. Downloading commercial software or any copyrighted materials belonging to third parties, unless this download is covered or permitted under a commercial agreement or other such licence;
188.8.131.52. Hacking into unauthorised areas;
184.108.40.206. Creating or transmitting defamatory material;
220.127.116.11. Undertaking deliberate activities that waste employees’ effort or networked resources;
18.104.22.168. Deliberately or recklessly introducing any form of computer virus into CST’s network.
4.4. Chat rooms / instant messaging (IM)
4.4.1. The use of chat rooms and instant messaging is permitted for business use only. This use must have been agreed with your line manager.
4.5.1. Do not write, publish, look for, bookmark, access or download material that might be regarded as obscene or pornographic.
4.6.1. Take care to use software legally and in accordance with both the letter and spirit of relevant licensing and copyright agreements. Copying software for use outside these agreements is illegal and may result in criminal charges.
4.6.2. Be aware of copyright law when using content you have found on other organisations’ websites. The law is the same as it is for printed materials.
5.1. If you are dealing with personal, sensitive and/or confidential information, then you must ensure that extra care is taken to protect the information.
5.2. If sending personal, sensitive and/or confidential information via email, then the following protocols should be used. If there is any doubt as to the information being sent or the appropriate level of protection required, please check with the Executive Officer.
5.2.1. Personal, sensitive and/or confidential information should be contained in an attachment;
5.2.2. In appropriate cases the attachment should be encrypted, and/or password protected;
5.2.3. Any password or key must be sent separately;
5.2.4. Before sending the email, verify the recipient by checking the address, and if appropriate, telephoning the recipient to check and inform them that the email will be sent;
5.2.5. Do not refer to the information in the subject of the email.
6. CST’s network
6.1. Keep master copies of important data on CST’s network server and not solely on your PC’s local C: drive or portable disks. Not storing data on CST’s network server means it will not be backed up and is therefore at risk.
6.2. Ask for advice from the Executive Officer if you need to store, transmit or handle large quantities of data, particularly images or audio and video. These large files use up disk space very quickly and can bring the network to a standstill.
6.3. Be considerate about storing personal (non-CST) files on CST’s network.
6.4. Do not copy files that are accessible centrally into your personal directory unless you have good reason (i.e. you intend to amend them or you need to reference them and the central copies are to be changed or deleted) since this uses up disk space unnecessarily.
7. Removable media
7.1. If storing or transferring personal, sensitive, confidential or classified information using Removable Media you must first contact your Line Manager for permission, but
7.1.1. Always consider if an alternative solution already exists;
7.1.2. Only use recommended removable media;
7.1.3. Encrypt and password protect;
7.1.4. Store all removable media securely;
7.1.5. Removable media must be disposed of securely (refer to the Executive Officer)
8. Personal use of ICT facilities
8.1. Social media
For the purposes of this policy, social media websites are web-based and mobile technologies which allow parties to communicate instantly with each other or to share data in a public forum. They include websites such as Facebook, Twitter, Google+ and LinkedIn. They also cover blogs and image sharing websites such as YouTube and Flickr. This is not an exhaustive list and you should be aware that this is a constantly changing area.
8.1.1. Use of Social Media at work
22.214.171.124. Employees and trustees are permitted to make reasonable and appropriate use of social media websites from CST’s IT equipment. You should ensure that usage is not excessive and does not interfere with work duties. Use should be restricted to your non-working hours, unless this forms part of your work responsibilities.
126.96.36.199. Access to particular social media websites may be withdrawn in the case of misuse.
188.8.131.52. Inappropriate comments on social media websites can cause damage to the reputation of the organisation if a person is recognised as being an employee or trustee. It is, therefore, imperative that you are respectful of the organisation’s service as a whole including service users, members, supporters, colleagues, partners and competitors.
184.108.40.206. Employees and trustees should not give the impression that they are representing, giving opinions or otherwise making statements on behalf of CST unless appropriately authorised to do so. Personal opinions must be acknowledged as such, and should not be represented in any way that might make them appear to be those of the organisation. Where appropriate, an explicit disclaimer should be included, for example: ‘These statements and opinions are my own and not those of CST.’
220.127.116.11. Any communications that employees or trustees make in a personal capacity must not:
18.104.22.168.1. bring CST into disrepute, for example by criticising clients, colleagues or partner organisations;
22.214.171.124.2. breach CST’s policy on confidentiality or any other relevant policy;
126.96.36.199.3. breach copyright, for example by using someone else’s images or written content without permission;
188.8.131.52.4. do anything which might be viewed as discriminatory against, or harassment towards, any individual, for example, by making offensive or derogatory comments relating to: age, disability, gender reassignment, race, religion or belief, sex, or sexual orientation;
184.108.40.206.5. use social media to bully another individual;
220.127.116.11.6. post images that are discriminatory or offensive (or links to such content).
8.1.2. CST maintains the right to monitor usage of social media sites where there is suspicion of improper use.
8.2. Other personal use
8.2.1. Use of facilities for leisure or personal purposes (e.g. sending and receiving personal email, personal phone calls, playing computer games and browsing the internet) is permitted so long as such use does not:
18.104.22.168. incur specific expenditure for CST;
22.214.171.124. impact on the performance of your job or role (this is a matter between each employee and their line manager);
126.96.36.199. break the law;
188.8.131.52. bring CST into disrepute;
184.108.40.206. detrimentally affect the network performance by using large amounts of bandwidth (for instance by downloading / streaming of music or videos);
220.127.116.11. impact on the availability of resources needed (physical or network) for business use.
8.2.2. Any information contained within CST in any form is for use by the employee for the duration of their period of work and should not be used in any way other than for proper business purposes, or transferred into any other format (e.g. loaded onto a memory stick / pen drive), unless necessary for business use, and with prior agreement of the Executive Officer.
9. Portable and Mobile ICT Equipment
9.1. This section covers items such as laptops, mobile devices and removable data storage devices provided by CST. Please refer to paragraph 7 of this document when considering storing or transferring personal or sensitive data.
9.2. Use of any portable and mobile ICT equipment must be authorised by the Executive Officer before use.
9.3. All activities carried out on CST’s systems and hardware will be monitored in accordance with the general policy.
9.4. Employees and trustees must ensure that all data belonging to CST is stored on the CST’s network and not kept solely on a laptop. Any equipment where personal data is likely to be stored must be encrypted.
9.5. Equipment must be kept physically secure in accordance with this policy to be covered for insurance purposes. When travelling by car, best practice is to place the laptop in the boot of the car before starting your journey.
9.6. Synchronise all locally stored data, including diary entries, with the central organisation network server on a frequent basis.
9.7. Ensure portable and mobile ICT equipment is made available as necessary for anti-virus updates and software installations, patches or upgrades.
9.8. The installation of any applications or software packages must be authorised by the Executive Officer and fully licensed.
9.9. In areas where there are likely to be members of the general public, portable or mobile ICT equipment must not be left unattended and, wherever possible, must be kept out of sight.
9.10. Portable equipment must be transported in a protective case if one is supplied.
10. Remote Access
10.1. If remote access is required, you must contact the Executive Officer to set this up.
10.2. You are responsible for all activity via your remote access facility.
10.3. Laptops and mobile devices must have appropriate access protection, i.e. passwords and encryption, and must not be left unattended in public places.
10.4. To prevent unauthorised access to the CST’s systems, keep all dial-up access information such as telephone numbers, logon IDs and PINs confidential and do not disclose them to anyone.
10.5. Select PINs that are not easily guessed, e.g. do not use your house or telephone number and do not choose consecutive or repeated numbers.
10.6. Avoid writing down or otherwise recording any network access information where possible. Any information that is written down must be kept in a secure place and disguised so that no other person is able to identify what it is.
10.7. Protect CST’s information and data at all times, including any printed material produced while using the remote access facility. [Take particular care when access is from a non-office environment].
10.8. Users of laptops and mobile devices are advised to check their car and home insurance policies for the level of cover in the event of equipment being stolen or damaged. Appropriate precautions should be taken to minimise risk of theft or damage.
10.9. Care should be taken when working on laptops in public places (e.g. trains) that any employee or client details are not visible to other people.
11. Electronic monitoring
11.1. You may find that you have access to electronic information about the activity of colleagues. Any such information must not be used by unauthorised individuals to monitor the activity of individual employees in any way (e.g. to monitor their working activity, working time, files accessed, internet sites accessed, reading of their email or private files etc.) without their prior knowledge. Exceptions are:
11.1.1. In the case of a specific allegation of misconduct, when the CEO or Chair can authorise accessing of such information when investigating the allegation;
11.1.2. When IT Department cannot avoid accessing such information while fixing a problem, but this will only be carried out with the consent of the individual concerned.
12. Online purchasing
12.1. Any users who place and pay for orders online using personal details do so at their own risk and CST accepts no liability if details are fraudulently obtained whilst the user is using CST’s equipment.
13. Care of equipment
13.1. Do not rearrange the way in which equipment is plugged in (computers, power supplies, phones, network cabling, modems etc.) without first contacting the Executive Officer.
All employees, trustees, contractors and temporary employees who have been granted the right to use CST’s ICT systems are required to sign this agreement confirming their understanding and acceptance of this policy.