Acceptable Use Policy
Classification: OFFICIAL
Scope: All Ministry of Justice (MoJ) staff, contractors, and suppliers.
Expiry: When rescinded or replaced.
Review: Annual review from date of publication, or when required by legislative or departmental changes.
Authors: Security Policy, Awareness, Culture, and Education team (SPACE)
Policy owner: MoJ Information Security Team (MIST)
Authorised by: MoJ Chief Information Security Officer (CISO)
Date of publication: 22/07/2025
Document version: 1.1
This document is the Ministry of Justice (MoJ) Acceptable Use Policy. It provides the core set of security principles and expectations on the acceptable use of MoJ IT systems.
1. Introduction
MoJ IT systems and services are provided to support the delivery of the MoJ’s business services. To achieve this, users are granted access to general-purpose computing environments and communication tools such as email and the Internet.
This policy outlines acceptable use and expectations for staff using MoJ IT systems or services.
2. Scope
This policy applies to all MoJ employees, contractors, and agency staff using MoJ IT systems.
- All users must be made aware of this policy and receive appropriate security awareness training.
- Annual refresher training is mandatory.
3. Breaches of Policy or Security
All MoJ employees, contractors, and agency staff have a responsibility to safeguard MoJ assets (including information assets) and enable the MoJ to maintain business continuity and public confidence.
3.1 Policy Violations
Violations include, but are not limited to:
- Unauthorised data disclosure
- Inadequate data protection
- Sharing passwords
- Breaching the Clear Screen policy
- Failing to report data breaches
- Defacing MoJ websites
- Public disclosure of MoJ vulnerabilities or other sensitive information or data
- Accessing sensitive information without legitimate reason
3.2 Consequences
Contravening or attempting to contravene this policy, breaching or attempting to breach security, or attempts to access inappropriate information may result in:
- Immediate suspension of MoJ systems and services
- Termination of contracts
- Formal disciplinary action
Refer to the Security Breach Policy for more information.
4. Sanctions and Escalation
Non-compliance is addressed under disciplinary procedures. This process applies to all staff, including agency workers, consultants, contractors, and interim personnel.
4.1 Misconduct Classification
- Minor Misconduct: Includes genuine errors where reasonable care was exercised, and where the incident caused no criminal offence, no distress or harm, and no reputational or financial damage to the MoJ.
- Serious Misconduct: Includes repeated failures to follow policy, or any breach that results in the loss or unauthorised release of significant amounts of personal information.
- Gross Misconduct: Includes serious breaches of the Acceptable Use Policy or deliberate and significant misuse of MoJ assets (including information). Gross misconduct typically leads to dismissal.
Please note: The above examples are illustrative and not exhaustive. Other behaviours may also constitute minor, serious, or gross misconduct depending on the circumstances.
Refer to the Discipline Policy and Guidance for further details.
5. Redress
Employees subject to disciplinary action have a statutory right of appeal under section 6 of the Discipline Policy. Appeals must, wherever possible, be heard by a manager senior to the original decision-maker.
- In cases involving formal warnings, a peer-level manager may hear the appeal if necessary. Appeals related to dismissal must always be handled by a more senior manager.
- The appeal manager must be impartial and independent of the employee’s line management chain.
- Any grievance raised during a disciplinary process will be managed separately under the Grievance Policy and will not substitute the formal appeal process.
6. Protection of assets
It is paramount that all Users protect the confidentiality of information held on, processed, and transmitted by MoJ IT systems. All Users have a role in protecting the information assets which are under their control, or that they have access to.
MoJ IT systems have been designed to protect the confidentiality of the data held on them. However, maintaining this requires the application of, and adherence to, a clear set of operating procedures by all Users. These are collectively known as Security Operating Procedures (SyOPs).
It is important that all Users of an IT system, including support and system administrative Users, are familiar with these SyOPs, and are provided with the appropriate training.
- All IT systems shall have, and maintain, a set of Security Operating Procedures (SyOPs). For systems undergoing an assurance process, these SyOPs shall be included as part of the assurance.
- All Users of an IT system, including support and system administrative staff, shall read the applicable SyOPs, and shall acknowledge that they have both read and understood the SyOPs before being granted access. A record shall be kept of a User being granted access, and made available for review during assurance, or upon authorised request.
- All Users shall be made aware that non-conformance to the system SyOPs constitutes a breach of the MoJ IT Security Policy, and might result in disciplinary action.
- Any change to an IT system’s SyOPs shall be approved through an assured change control process, before the change is made.
- Any request to perform an action on an IT system which contravenes its SyOPs shall be approved by the Security team before the action is taken.
For most Users, access to MoJ IT systems and information held on them is through a desktop device, a laptop, or a mobile or remote device. These devices have the capacity to store large amounts of potentially sensitive information assets. It is important that Users follow Information Management processes and handling guidelines to ensure information is stored and accessed appropriately. Further information on information handling is provided in the Information Classification and Handling Policy.
7. General Security Operating Procedures (SyOPs)
Standard SyOPs include:
To minimise the number of SyOPs in circulation and standardise procedures, the SyOPs listed previously act as the primary set, which individual IT systems are expected to conform to, in terms of their own SyOPs. Any deviations or additions are dependent upon approval through the assurance process and must be recorded as an addendum to one of the primary SyOPs listed in this policy.
8. Removable Media
Use of removable storage media such as USB drives, writeable CDs or DVDs, and external drives is strictly controlled by MoJ due to the potential sensitivity of the data involved. These devices can store large volumes of protectively marked data and therefore pose a significant confidentiality risk.
- Use of removable media must be approved by MoJ Security.
- The type of device and its use must align with the applicable Security Operating Procedures (SyOPs).
- Users must ensure data stored or transferred using these devices complies with SyOPs.
- Any bulk transfer of protectively marked data must be authorised using a Data Movement Form and adhere to encryption and handling procedures as advised by MoJ Security. Use must be approved by MoJ Security.
- Data transfers must comply with SyOPs.
- Bulk transfers require prior authorisation.
9. Passwords
A username and password combination is the primary access credential used for authenticating a User to MoJ systems, and authorising User access to information assets and services provided by that system. It is therefore important that Users keep their access credentials safe and secure.
- Passwords must not be shared or reused across systems.
- Do not attempt unauthorised access or misuse credentials.
10. Legal and regulatory requirements
There are a number of legal and regulatory requirements that the MoJ must comply with. These obligations are in addition to HMG security policy, as expressed in the HMG Security Policy Framework.
- All Users shall be made aware of legal and regulatory requirements that they shall adhere to when accessing MoJ systems. These requirements shall be included as part of the SyOPs.
11. MoJ Corporate Image
Communications sent from MoJ systems, or products developed using them, such as MoJ branded documents or presentations, might damage the public image of the MoJ if they are for purposes not in the interest of the MoJ, or they are abusive, offensive, defamatory, obscene, or indecent, or of such a nature as to bring the MoJ or any of its employees into disrepute.
- All Users shall ensure that MoJ systems are not used in an abusive, offensive, defamatory, obscene, or indecent way, or in a way that is of such a nature as to bring the MoJ or any of its employees into disrepute.
12. Conduct and Respect
The MoJ has a duty of care to all staff, and to provide a positive working environment. Part of this duty involves ensuring all staff maintain a high standard of behaviour and conduct.
MoJ systems shall not be used for any activity that causes offence to MoJ employees, customers, suppliers, partners, or visitors, or used in a way that violates the MoJ Code of Conduct.
13. Personal use
The MoJ permits limited personal use of its IT systems, provided this use does not conflict or interfere with normal business activities. The MoJ monitors the use of its IT systems. Any personal use is subject to monitoring and auditing, and might also be retained in backup format, even after deletion from live systems.
The MoJ reserves the right to restrict personal use of its IT systems. The main methods employed are:
- Filtering of Internet and email traffic. All Internet and email traffic is filtered and analysed.
- Policy and procedures. This policy and associated SyOPs set out the restrictions placed on the use of MoJ systems.
- Users shall ensure that any personal use of MoJ systems does not conflict or interfere with normal business activities. Any conflict shall be reported to the User’s line manager.
- Users shall ensure that any personal use of MoJ systems is consistent with any applicable SyOPs, and with this acceptable use policy.
- Users shall be aware that any personal use of MoJ systems which contravenes any applicable SyOPs, or this acceptable use policy, constitutes a breach of the IT Security Policy and might result in disciplinary action.
14. Maintaining system and data integrity
Users shall comply with all applicable operating procedures and ensure that they do not circumvent any security controls in place. Changes to the configuration of an IT system which affect either the integrity of that system or the integrity of shared data shall be undertaken or supervised by an authorised User or system Administrator.
- All system or equipment changes must be requested via the IT Service Desk.
- Further details are provided in the System Users and Application Administrators guidance.
15. Internet and Email Usage
Due to the risks associated with electronic communications such as email and the Internet, the MoJ controls and monitors usage of MoJ systems in accordance with applicable legal and regulatory requirements.
- Usage is filtered and monitored
- Inappropriate use may lead to disciplinary action
- Access to high-bandwidth sites may be restricted due to capacity issues, causing poor performance affecting MoJ services. Therefore, the MoJ restricts access to the Internet, based on job role. Amendments can be made on the submissions of a business case for approval by the MoJ Security team.
- All Users shall use the Internet, email, and other electronic communication systems only in accordance with this acceptable use policy document.
External email and the Internet are, in general, insecure services where it is possible for external entities to intercept, monitor, change, ‘spoof’, or otherwise interfere with legitimate content. The MoJ deploys a number of security controls to protect its Users from Internet- and email-borne attacks. However, these controls are reliant on Users remaining vigilant, following any applicable SyOPs, and reporting any suspicious behaviour.
16. Email Management
Users are responsible for ensuring that all information is handled in line with the protective marking of that information, in accordance with the Information Classification and Handling Policy.
The MoJ is connected to the Government network, which provides a secure environment for sending or receiving emails between Government departments. This allows Users with an MoJ email account (normally with the suffix ‘@justice.gov.uk’) to send Official emails with handling caveats such as Sensitive to another MoJ or government User, where their email suffix ends in ‘gov.uk’.
All Users shall ensure that information contained within or attached to an email is handled in accordance with the Information Classification and Handling Policy.
Email is a major source of malware, and a route into the MoJ for criminal organisations. It might be used to defraud staff, or to exfiltrate information. All Users shall exercise care when handling emails, and report any suspicious activity as an IT security incident.
All Users shall ensure that they do not:
- Open any attachments to an email where the source is untrusted, unknown, or unsolicited.
- Click on any links within an email, where the source is untrusted, unknown, or unsolicited.
Where a User suspects that an email received is from an untrusted, unknown, or unsolicited source, they shall report it as an IT security incident.
17. Remote Access
Remote access is provided to MoJ systems and services, allowing Users access from offsite and home locations to connect in. The main methods of access are either via a laptop or other mobile device. Normally, remote access is to a protected MoJ IT system. Users should be aware of the security controls and procedures of the devices and systems being used, as well as any applicable general physical security considerations. This includes any restriction on the carriage of such devices, as they might contain HMG protectively marked data, or HMG cryptographic material.
MoJ security maintains a list of countries where carriage and use of remote access devices is permitted.
Further details can be found in the Remote Working guidance.
- All Users shall be aware of the Remote Working guidance, and shall confirm that they have read and understood it before being provided with any remote access devices or equipment, such as an encryption or access control token. Approval is required for overseas device use.
- Any User wishing to take a remote access device out of the UK shall consult the Remote Working guidance before doing so, and the applicable device IT Security Operating Procedures document.
18. Communication Monitoring
Communications can be monitored without notice, and on a continual basis, for a number of reasons. These include compliance with legal obligations, effective maintenance of IT systems, preventing or detecting unauthorised use or criminal activities such as cyber-intrusion, monitoring of service or performance standards, providing evidence of business transactions, and checking adherence to policies, procedures, and contracts.
The MoJ monitors telephone usage, network, email, and Internet traffic data, including sender, receiver, subject, attachments to an email, numbers called, duration of calls, the domain names of websites visited, the duration of visits, and files uploaded or downloaded from the Internet, at a network level.
The MoJ, so far as possible and appropriate, respects User privacy and autonomy whilst they are working, but in accordance with the personal use information, any personal use of MoJ systems is also subject to monitoring. By carrying out personal activities using MoJ systems, Users are consenting to the MoJ processing any sensitive personal data which might be revealed by such monitoring, such as regular visits to a set of websites.
For the purposes of business continuity, it might be necessary for the MoJ to access business communications, including within email mailboxes, while a User is absent from work, including for a holiday and because of illness. Access is only granted through submission of a formal request to the IT Service Desk, where approval is required from the relevant line manager. The MoJ Chief Information Security Officer (CISO) and MoJ HR are normally consulted as well, before access is granted.
- All Users shall be aware that their electronic communications are being monitored in accordance with this acceptable use policy.
- All Users shall be aware that business communication such as email mailboxes might be accessed if they are absent from work. This access is normally requested through, and authorised by, the User’s line manager. The MoJ CISO and MoJ HR are normally consulted as well, before access is granted.
19. Data Protection and Storage
Acceptable use considerations apply to the storage of personal data. This storage includes data hosting in ‘cloud’ environments, or within services or databases hosted or administered outside:
- The UK.
- The European Economic Area (EEA).
- Countries with an Adequacy Decision (an ‘Adequacy Decision Country’ or ADC).
This position also applies where a supplier uses cloud storage facilities in the UK, EEA, or an ADC, but their employees outside the UK, EEA, or the ADC are able to view the information for activities such as maintenance or trouble-shooting. The effect of this access is equivalent to the personal data being held outside the UK, EEA, or an ADC.
The reason for this position is that even with additional contractual clauses, the MoJ cannot ensure protection of its personal data stored outside the UK, EEA, or an ADC, due to some government surveillance laws.
- A supplier based in the UK, EEA, or an ADC, and which stores client data in the UK, EEA, or an ADC, should be considered first and preferred where possible.
- If an alternative supplier cannot be sourced, then a Standard Contractual Clause (SCC) and a Transfer Impact Assessment (TIA) shall be completed. These documents are reviewed by the Data Protection Team, after which the transfer might be approved. A template for these documents can be requested from DataProtection@justice.gov.uk.
- If the outcome of the assessment does not support the transfer and storage of information outside the UK, EEA, or an ADC, the Information Security and Risk (ISR) Board shall review the case, and if appropriate, accept the risks in order for the supplier to be used.
- This acceptable use policy for MoJ personal data shall apply to:
- An existing supplier changing the location of its servers, storage, or services outside the UK, EEA, or an ADC.
- New suppliers.
20. Data protection acceptable use protocols and standard operating procedures
The Data Protection Team has produced a number of Acceptable Use protocol documents, providing specific data protection guidance.
The documents are available on the MoJ Intranet, or by contacting the Data Protection Team.
The documents are as follows:
- Commercial and Contract Management
- Subject Access Requests
- Acceptable Use Protocol Storage of Personal Data
- Acceptable Use Protocol Data Subjects’ Rights
- Acceptable Use Protocol Processing of People Data
- Acceptable Use Protocol Analytical Platform
- Acceptable Use Protocol Recording
There are also a number of Standard Operating Procedures (SOPs), including:
- Personal Data Risk Management
- Data protection impact assessment guidance
- Data sharing agreement assessment
For more information on these protocols and procedures, contact the Data Protection Team.
Contact and Feedback
For any further questions or advice relating to security, or for any feedback or suggestions for improvement, contact: security@justice.gov.uk.