Acceptable Use Policy
Classification: OFFICIAL
Scope: All Ministry of Justice (MoJ) staff, contractors, and suppliers.
Expiry: When rescinded or replaced.
Review: Annual review from date of publication, or when required by legislative or departmental changes.
Authors: Security Policy, Awareness, Culture, and Education team (SPACE)
Policy owner: MoJ Information Security Team (MIST)
Authorised by: MoJ Chief Information Security Officer (CISO)
Date of publication: 19/12/2025
Document version: 2.0
This document is the Ministry of Justice (MoJ) Acceptable Use Policy. It provides the core set of security principles and expectations on the acceptable use of MoJ IT systems.
1. Introduction
MoJ IT systems and services are provided to support the delivery of the MoJ’s business services. To achieve this, users are granted access to general-purpose computing environments and communication tools such as email and the Internet.
This policy outlines acceptable use and expectations for staff using MoJ IT systems or services.
2. Scope
This policy applies to all MoJ employees, contractors, and agency staff using MoJ IT systems.
- All users must be made aware of this policy and receive appropriate security awareness training.
- Annual refresher training is mandatory.
3. Breaches of Policy or Security
All MoJ employees, contractors, and agency staff have a responsibility to safeguard MoJ assets (including information assets) and enable the MoJ to maintain business continuity and public confidence.
3.1 Policy Violations
Violations include, but are not limited to:
- Unauthorised data disclosure
- Inadequate data protection
- Sharing passwords
- Breaching the Clear Screen policy
- Failing to report data breaches
- Defacing MoJ websites
- Public disclosure of MoJ vulnerabilities or other sensitive information or data
- Accessing sensitive information without legitimate reason
3.2 Consequences
Contravening or attempting to contravene this policy, breaching or attempting to breach security, or attempting to access inappropriate information may result in:
- Immediate suspension of MoJ systems and services
- Termination of contracts
- Formal disciplinary action
Refer to the Security Breach Policy for more information.
4. Sanctions and Escalation
Non-compliance is addressed under disciplinary procedures. This process applies to all staff, including agency workers, consultants, contractors, and interim personnel.
4.1 Misconduct Classification
- Minor Misconduct: Includes genuine errors where reasonable care was exercised, and where the incident caused no criminal offence, no distress or harm, and no reputational or financial damage to the MoJ.
- Serious Misconduct: Includes repeated failures to follow policy, or any breach that results in the loss or unauthorised release of significant amounts of personal information.
- Gross Misconduct: Includes serious breaches of the Acceptable Use Policy or deliberate and significant misuse of MoJ assets (including information). Gross misconduct typically leads to dismissal.
Please note: The above examples are illustrative and not exhaustive. Other behaviours may also constitute minor, serious, or gross misconduct depending on the circumstances.
Refer to the Discipline Policy and Guidance for further details.
5. Redress
Employees subject to disciplinary action have a statutory right of appeal under section 6 of the Discipline Policy. Appeals must, wherever possible, be heard by a manager senior to the original decision-maker.
- In cases involving formal warnings, a peer-level manager may hear the appeal if necessary. Appeals related to dismissal must always be handled by a more senior manager.
- The appeal manager must be impartial and independent of the employee’s line management chain.
- Any grievance raised during a disciplinary process will be managed separately under the Grievance Policy and will not substitute for the formal appeal process.
6. Security Operating Procedures (SyOPs)
To protect the confidentiality of MoJ, SyOPs are created to contain secure working procedures and regulatory requirements for MoJ IT systems and services.
- All users of an MoJ IT system shall read and acknowledge their understanding of relevant SyOPs before using a system or being granted access to a system, and must be provided with appropriate training.
- Users shall be aware that non-compliance with an MoJ IT system’s SyOP is a breach of the MoJ IT Security Policy and may result in disciplinary action.
- Users shall seek the approval of the Security Team before taking any action that contravenes the SyOP of an MoJ IT system.
7. Devices, Systems, and Networks
- Users shall comply with all operating procedures when using MoJ-owned devices, systems, and networks.
- Users shall use only software, devices and systems that have been approved by the MoJ.
- Users shall not attempt to circumvent the security controls of any MoJ device, system, or network.
- Users shall comply with all relevant legal and regulatory frameworks when accessing MoJ devices, systems, and networks.
- Users shall be aware that the MoJ routinely monitors device activity, including telephone usage, network, email, and Internet traffic data, including sender, receiver, subject, attachments to an email, numbers called, duration of calls, the domain names of websites visited, the duration of visits, and files uploaded or downloaded from the Internet, at a network level.
- Users shall receive approval of an authorised user or system administrator before changing the configuration of any MoJ device, system, or network that may affect the integrity of the device, system, network, or of shared data.
- Users shall submit all MoJ IT system or equipment change requests to the IT Service Desk.
- Users shall receive approval from MoJ Security before using any removable media device (USBs, external hard drives, etc.).
- Users shall ensure that the type of removable media device, and its use, complies with all relevant SyOPs.
- Users shall ensure that data stored or transferred using removable media complies with all relevant SyOPs.
8. Usernames and Passwords
Usernames and passwords are the primary access credentials for authenticating a user to MoJ IT systems and authorising access to information.
- Users shall keep their access credentials safe and secure.
- Users shall create strong passwords using the MoJ password guidance.
- Users shall not share or reuse access credentials across MoJ IT systems.
- Users shall not attempt unauthorised access or misuse credentials.
- Users shall not use the credentials of any other user, or share their own access credentials with another user.
9. Conduct and Respect
The MoJ has a duty of care to all staff, and to provide a positive working environment. Part of this duty involves ensuring all staff maintain a high standard of behaviour and conduct.
- Users shall not use MoJ devices, systems, or networks for any activity that causes offence to MoJ employees, customers, suppliers, partners, or visitors, or in any way that violates the MoJ Code of Conduct.
- Users shall ensure that MoJ devices, systems, and networks are not used in an abusive, offensive, defamatory, obscene, or indecent way, or in any way of such a nature as to bring the MoJ or any of its employees into disrepute.
10. Personal Use of MoJ Devices
The MoJ permits users limited personal use of its devices, IT systems, and networks:
- Users shall not use MoJ devices, IT systems, and networks for personal use in any way that conflicts or interferes with normal business activities.
- Users shall ensure that MoJ devices, IT systems, and networks are not used for personal purposes in an abusive, offensive, defamatory, obscene, or indecent way, or in any way of such a nature as to bring the MoJ or any of its employees into disrepute.
- Users shall be aware that any personal use of MoJ devices, IT systems, and networks is controlled, monitored, and audited. This includes filtering internet and email traffic, and implementing SyOPs and policy and procedure controls.
- Users shall ensure that any personal use of MoJ IT systems does not conflict or interfere with normal business activities. Any conflict shall be reported to the user’s line manager.
- Users shall ensure that any personal use of MoJ IT systems is consistent with any applicable SyOPs, and with this acceptable use policy.
- Users shall be aware that any personal use of MoJ IT systems which contravenes any applicable SyOPs, or this acceptable use policy, constitutes a breach of the IT Security Policy and might result in disciplinary action.
- Users shall be aware that the MoJ may process sensitive personal data, which may be revealed during routine monitoring, such as regular visits to a set of websites, as per the employee privacy notice.
11. Email and Communications
- Users shall use the Internet, email, and other electronic communication systems only in accordance with this acceptable use policy document.
- Users shall ensure that all information is handled in line with the protective marking of that information, in accordance with the Information Classification and Handling Policy.
- Users shall be aware that their electronic communications are being monitored on a continual basis in accordance with this acceptable use policy.
- Users shall be aware that business communication such as email mailboxes may be accessed if they are absent from work. This access is normally requested through, and authorised by, the user’s line manager. The MoJ CISO and MoJ HR are normally consulted as well, before access is granted.
- Users shall be aware that inappropriate use of email, the internet, or other electronic communications may result in disciplinary action.
- Users shall exercise care when handling emails, and report any suspicious activity as an IT security incident.
- Users shall not open any attachments or click on any links in an email where the source is unknown, untrusted, or unsolicited.
12. Remote Working
The MoJ provides remote access to MoJ IT systems, services, and networks, allowing users to connect from offsite and home locations.
- Users shall be aware of the security controls and procedures of the MoJ devices and IT systems being used. This includes any restriction on the carriage of such devices, as they might contain HMG protectively marked data, or HMG cryptographic material.
- Users shall be aware of the Remote Working guidance, and shall confirm that they have read and understood it before being provided with any remote access.
- Users shall seek approval and consult any applicable SyOPs and the Remote Working guidance before taking an MoJ device out of the UK.
13. Data Protection, Storage, and Transfer
- Users shall comply with all applicable SyOPs when transferring data.
- Users shall seek approval before any bulk transfer of data.
- Users shall complete a Data Movement Form before any bulk transfer of protectively marked data and shall adhere to encryption and handling procedures.
- When storing personal or sensitive data, users shall first consider suppliers based in the UK, European Economic Area (EEA), or an Adequacy Decision Country (ADC).
- If users cannot source a supplier based in the UK, EEA, or an ADC, a Standard Contractual Clause (SCC) and a Transfer Impact Assessment (TIA) shall be completed for review by the Data Protection Team.
The Data Protection Team has produced a number of Acceptable Use protocol documents, providing specific data protection guidance.
The documents are available on the MoJ Intranet, or by contacting the Data Protection Team.
The documents are as follows:
- Commercial and Contract Management
- Subject Access Requests
- Acceptable Use Protocol - Storage of Personal Data
- Acceptable Use Protocol - Data Subjects’ Rights
- Acceptable Use Protocol - Processing of People Data
- Acceptable Use Protocol - Analytical Platform
- Acceptable Use Protocol - Recording
There are also a number of Standard Operating Procedures (SOPs), including:
- Personal Data Risk Management
- Data Protection Impact Assessment Guidance
- Data Sharing Agreement Assessment
For more information on these protocols and procedures, contact the Data Protection Team.
Contact and Feedback
For any further questions or advice relating to security, or for any feedback or suggestions for improvement, contact: security@justice.gov.uk.