Acceptable Use Policy
Document reference: ISO_webpage_legal-acceptable-use_v1
Last modified: 28 March 2026
1. Purpose and Scope
This Acceptable Use Policy (“Policy”) sets out the standards for acceptable use of information systems, devices, networks, and data owned or managed by Coaley Peak Limited (“Coaley Peak”, “we”, “us”).
This Policy applies to all employees, contractors, consultants, temporary workers, volunteers, and any other individual granted access to Coaley Peak systems or data, regardless of whether access is from company-owned or personal equipment, on-site or remotely. Compliance with this Policy is a condition of access to Coaley Peak systems.
This Policy must be read alongside the Information Security Management System (ISMS) Policy, the Data Protection and Privacy Policy, and all other applicable Coaley Peak policies.
2. Systems and Assets Covered
This Policy applies to, but is not limited to, the following systems and assets:
- Devices — laptops, desktop computers, tablets, smartphones, and any other computing hardware issued by Coaley Peak or approved for use under the BYOD provisions in section 7.
- Email and messaging — corporate email accounts, instant messaging platforms, and any communication tool provisioned by Coaley Peak.
- Internet and web access — all internet connections provided or facilitated by Coaley Peak, including Wi-Fi provided at company premises.
- Cloud storage and services — all cloud platforms and software-as-a-service (SaaS) tools authorised and provisioned by Coaley Peak.
- Collaboration tools — project management, document sharing, and video conferencing tools authorised by Coaley Peak.
- Network infrastructure — internal networks, VPNs, servers, firewalls, and related infrastructure.
- Data — all information created, stored, transmitted, or processed using Coaley Peak systems, including client data, business data, and personal data.
3. Permitted Uses
Coaley Peak systems and assets are provided primarily for legitimate business purposes. Authorised users may use these systems to:
- Carry out their assigned duties and responsibilities in an efficient and professional manner.
- Communicate with colleagues, clients, suppliers, and other business contacts on matters relating to Coaley Peak business.
- Access, create, and share information necessary for the performance of their role, subject to appropriate data classification and access controls.
- Undertake work-related learning, training, and development activities.
- Access publicly available information relevant to their role via the internet.
Incidental personal use of company systems is tolerated provided it is minimal, does not interfere with duties, does not compromise security, and complies with all provisions of this Policy.
4. Prohibited Uses
The following activities are strictly prohibited on Coaley Peak systems at all times:
4.1 Illegal and Harmful Content
- Accessing, downloading, storing, creating, or transmitting any material that is illegal, obscene, defamatory, threatening, harassing, discriminatory, or offensive.
- Any activity that constitutes or facilitates a criminal offence under UK or applicable international law, including but not limited to fraud, data theft, or intellectual property infringement.
- Accessing or distributing material that infringes copyright, trademarks, patents, or other intellectual property rights.
4.2 Security and Access Controls
- Attempting to circumvent, disable, or bypass any security control, authentication mechanism, access restriction, firewall, or monitoring system.
- Attempting to gain unauthorised access to any system, account, network, or data, whether belonging to Coaley Peak or any third party.
- Introducing malware, viruses, spyware, ransomware, or any other malicious software into Coaley Peak systems or networks.
- Using vulnerability scanning, port scanning, packet sniffing, or other network probing tools without explicit written authorisation from senior management.
4.3 Credentials and Access
- Sharing login credentials, passwords, or authentication tokens with any other person, including colleagues.
- Using another person’s credentials to access any system or account.
- Creating or using shared, generic, or group accounts unless specifically authorised and managed under a documented exception.
- Failing to lock a device or session when unattended.
4.4 Unauthorised Software and Devices
- Installing, downloading, or executing any software, application, browser extension, or plugin on a Coaley Peak device without prior written authorisation from the IT function or senior management.
- Connecting any unapproved personal device, USB storage medium, removable media, or peripheral to a Coaley Peak device or network.
- Using unapproved cloud storage or file-sharing services to store or transmit Coaley Peak data.
4.5 Excessive Personal Use
- Using Coaley Peak systems for personal commercial activities, running a personal business, or any activity that generates personal revenue.
- Streaming, downloading, or uploading large volumes of personal content (audio, video, or other media) in a manner that consumes excessive bandwidth or system resources.
- Engaging in online gaming, gambling, or activities unrelated to Coaley Peak business during working hours.
5. Data Handling
All users must handle data in accordance with the Coaley Peak ISMS Policy, the Data Protection and Privacy Policy, and all applicable requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
5.1 Data Classification
All data held by Coaley Peak is classified according to the data classification scheme defined in the ISMS Policy. Users must handle data in accordance with the controls applicable to its classification level. Where there is any doubt as to the classification of data, users must treat it as Confidential until clarification is obtained.
5.2 Storage
Data must be stored only in locations authorised by Coaley Peak. Sensitive and confidential data must not be stored on personal devices, personal cloud accounts, or unapproved removable media. All data stored on company devices must comply with the encryption requirements set out in the ISMS Policy.
5.3 Transmission
Sensitive and confidential data must be transmitted only via encrypted and approved channels. Data must not be sent to personal email accounts or via unapproved messaging platforms. When transmitting personal data externally, users must ensure an appropriate legal basis exists and that transmission is necessary and proportionate.
5.4 Deletion and Disposal
Data must be retained only for as long as required for the purposes for which it was collected, and in accordance with Coaley Peak’s data retention schedule. Data that is no longer required must be securely deleted or destroyed in accordance with the ISMS Policy and UK GDPR obligations. Physical media must be disposed of using an approved secure disposal method.
6. Personal Devices (BYOD)
Coaley Peak permits the use of personal devices for work purposes only where explicitly authorised by management and subject to the following conditions.
- Enrolment — Personal devices used to access Coaley Peak systems or data must be enrolled in the Coaley Peak mobile device management (MDM) solution. Devices that cannot be enrolled may not be used to access Coaley Peak data.
- Security baseline — Personal devices must meet the minimum security requirements set by Coaley Peak, including operating system version, screen lock, encryption, and antivirus or endpoint protection.
- Approved applications — Only Coaley Peak-approved applications may be used to access or handle Coaley Peak data on a personal device. Storing Coaley Peak data in unapproved personal applications is prohibited.
- Remote wipe — Users consent to Coaley Peak remotely wiping company data from enrolled personal devices in the event of loss, theft, suspected compromise, or upon termination of the working relationship.
- Separation of data — Users must maintain a clear separation between personal and Coaley Peak data on personal devices and must not commingle the two.
7. Remote Working
Remote working introduces additional security risks. All users working remotely must observe the following requirements:
- VPN — When accessing Coaley Peak internal systems or sensitive data remotely, users must connect via the Coaley Peak approved virtual private network (VPN). Access via unsecured connections is prohibited.
- Secure Wi-Fi — Users must not use public or unsecured Wi-Fi networks to access Coaley Peak systems or data without a VPN connection. Home Wi-Fi networks must be secured with WPA2 or WPA3 encryption and a strong, unique password.
- Screen locking — Devices must be configured to lock automatically after a period of inactivity and must be locked manually whenever left unattended, even briefly.
- Physical security — Users are responsible for the physical security of Coaley Peak devices and data in their possession. Devices and documents must not be left unattended in public places or vehicles. Screens must not be visible to unauthorised persons.
- Loss or theft — Any loss or theft of a device used to access Coaley Peak systems must be reported to the IT function and senior management immediately.
8. Email and Communications
8.1 Professional Standards
All email and electronic communications sent from Coaley Peak systems or on behalf of Coaley Peak must be professional, accurate, and consistent with Coaley Peak’s values and reputation. Users must not use Coaley Peak communication systems to send abusive, offensive, discriminatory, harassing, or defamatory messages.
8.2 Confidentiality
Users must exercise care when sending emails containing confidential or sensitive information. Email is not inherently secure; sensitive data must be encrypted or shared via approved secure channels. Emails must not be forwarded to personal accounts or external parties without authorisation.
8.3 Phishing and Social Engineering
Users must remain vigilant against phishing, spear-phishing, smishing, vishing, and other social engineering attacks. Users must not click on or respond to suspicious emails and must report them to the IT function immediately. Users must not disclose passwords, access codes, or sensitive information in response to any unsolicited request, regardless of the apparent sender.
9. Internet Use
9.1 Acceptable Browsing
Internet access provided by Coaley Peak is intended primarily for business use. Reasonable incidental personal browsing is permitted provided it does not interfere with business activities, consume excessive resources, or breach any provision of this Policy.
9.2 Prohibited Sites and Content
Users must not use Coaley Peak internet access to visit websites or access content that is illegal, obscene, offensive, or otherwise prohibited by this Policy. Access to certain categories of website is blocked by Coaley Peak’s web filtering systems; attempts to circumvent these filters are prohibited.
9.3 Monitoring
Internet usage on Coaley Peak systems and networks is subject to monitoring as described in section 11 of this Policy.
10. Social Media
The use of social media on Coaley Peak systems and the representation of Coaley Peak on personal social media accounts are governed by the Coaley Peak Social Media & Communications Policy. Users must consult and comply with that Policy in relation to any social media activity that may involve or affect Coaley Peak, its clients, or its staff.
In particular, users must not disclose confidential business information, client data, or information about ongoing projects or matters on any social media platform without explicit written authorisation.
11. Monitoring
Coaley Peak reserves the right to monitor, record, audit, and review the use of its systems, networks, devices, email, internet access, and other communications, to the extent permitted by applicable law, including the UK GDPR and the Regulation of Investigatory Powers Act 2000.
Monitoring may be carried out for purposes including but not limited to: ensuring compliance with this Policy and applicable law; protecting the security of Coaley Peak systems and data; investigating suspected misconduct, security incidents, or breaches; and maintaining business continuity.
Users should have no expectation of privacy when using Coaley Peak systems. This applies to all devices and connections used to access Coaley Peak systems, including personal devices enrolled in the MDM solution.
12. Breaches and Consequences
Any breach of this Policy, whether deliberate or negligent, is a serious matter and will be investigated promptly. Depending on the nature and severity of the breach, consequences may include:
- Formal warning or disciplinary action in accordance with the Coaley Peak disciplinary procedure, up to and including summary dismissal for gross misconduct.
- Suspension or revocation of access to Coaley Peak systems.
- Civil or criminal proceedings where the breach constitutes an unlawful act.
- Reporting to the Information Commissioner’s Office (ICO) or other relevant regulatory authorities where a data breach or other regulatory violation has occurred.
Users who become aware of a suspected breach of this Policy, a security incident, or a data breach must report it to their line manager and the IT function without delay. Prompt reporting will be taken into account when assessing the response to an incident.
13. Review
This Policy is reviewed at least annually by senior management, or sooner in response to significant changes in technology, legislation, or the threat landscape. All users will be notified of material updates and will be required to acknowledge the revised Policy. Questions or concerns relating to this Policy should be directed to compliance@coaleypeak.co.uk.