Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice.
Updated June 2026 · England & Wales
Most UK workplaces now run on laptops, email, cloud platforms and constant internet access. That creates real productivity, but it also creates real risk: data leaks, harassment claims, malware, wasted time, and disputes over what staff were allowed to do with company kit.
A written Computer, Email and Internet Policy sets the ground rules so everyone knows where the line sits. It protects the business, protects employees, and gives managers something concrete to point to when something goes wrong. In this guide I walk through what a sensible policy covers in an England and Wales workplace, how to think about monitoring under UK data protection law, and the practical points employers often miss.
I am Brad Askew, Legal Tech Founder at LegalDocuments.co.uk, writing from a civil and commercial background rather than as a law firm.
What this document is
A Computer, Email and Internet Policy is an internal document that tells staff how they can, and cannot, use the employer's IT systems. It usually covers company-issued laptops, desktops, mobile phones, email accounts, internet browsing, instant messaging, cloud storage, and increasingly things like personal devices used for work and generative AI tools.
The policy is not normally a contract in itself, but it is typically incorporated into the employment relationship through the contract or staff handbook, which means a serious breach can justify disciplinary action. The policy sits alongside other workplace rules such as the data protection policy, social media policy, disciplinary procedure and bring-your-own-device policy.
For small employers it can be a single short document. For larger organisations it tends to split into several connected policies. The key point is that it must be written down, communicated, and applied consistently, otherwise it will not hold up if you need to rely on it later.
How to use this document
1. Work out what you actually need to cover. Before drafting, map out how your people use technology day to day. Think about remote working, personal devices, shared inboxes, messaging apps, file sharing platforms, and whether staff handle personal data or confidential client information. This shapes the scope and stops you producing a generic document that does not reflect how your business really operates.
2. Set clear rules on acceptable and unacceptable use. Spell out what is allowed, what is banned outright, and where reasonable personal use is tolerated. Typical prohibitions include accessing offensive or unlawful material, installing unapproved software, sharing login details, using company systems to run a side business, and sending confidential information to personal email accounts. Be specific enough that a reasonable employee knows where the line is.
3. Address monitoring and privacy properly. UK data protection law allows employers to monitor IT use, but only where it is lawful, necessary and proportionate, and staff must be told what is happening. Explain what you monitor, why, how long logs are kept, and who has access. A data protection impact assessment is often sensible before introducing more intrusive monitoring such as keystroke logging or screen capture.
4. Cover confidentiality, security and data protection. Remind staff about their duty to protect company and client information, use strong passwords, lock screens, report phishing, and follow rules on encryption and removable media. Link the policy to your wider information security and data protection framework so employees see how email and internet use fits into the bigger picture of keeping data safe.
5. Communicate, train and enforce consistently. A policy sitting on a shared drive that nobody has read will not protect you. Issue it to all staff, ideally with a signed or electronic acknowledgement, cover it during induction, refresh training periodically, and apply it even-handedly through the disciplinary procedure. Review the document regularly as technology, case law and working patterns change.
Q Is a Computer, Email and Internet Policy legally required in the UK?
There is no single law that forces every employer to have one, but in practice it is close to essential. UK data protection rules, health and safety duties and employment case law all push employers towards written rules on IT use. Without a policy it becomes much harder to justify monitoring, enforce discipline, or defend claims arising from misuse of company systems.
Q Can we monitor employees' emails and internet activity?
Yes, within limits. Employers can monitor workplace communications where there is a lawful basis, the monitoring is proportionate to a genuine business need, and staff have been told it takes place. The UK GDPR and Data Protection Act 2018 apply, and the Information Commissioner's Office publishes guidance on monitoring at work that is worth reading before rolling anything out.
Q Should we allow personal use of company computers and email?
Many UK employers permit limited, reasonable personal use because a total ban is often unrealistic and can damage morale. If you allow it, set clear boundaries: no excessive use during working time, no unlawful or offensive content, no use that consumes significant bandwidth, and an explicit reminder that personal use may still be visible to the employer through normal monitoring.
Q What happens if an employee breaches the policy?
Breaches are normally dealt with under the employer's disciplinary procedure. Minor issues might lead to an informal conversation or warning, while serious misconduct, for example leaking confidential data or viewing unlawful content, can justify dismissal. Consistency matters: treating similar breaches very differently across the workforce is a common reason tribunals find dismissals unfair.
Q Does the policy need to cover remote and hybrid workers?
Yes. The rules should apply in the same way whether staff are in the office, at home, or working from another location. You may want to add specific points about home Wi-Fi security, using company devices in shared spaces, not allowing family members to use work kit, and how to store and dispose of confidential documents when printing at home.
Q How often should the policy be reviewed?
A yearly review is a sensible baseline, with earlier updates whenever there is a significant change, for example new technology such as AI tools, a shift to hybrid working, a data breach, or changes in UK data protection guidance. Record when the policy was last reviewed and reissued, so you can show it has been kept current if it is ever challenged.
Q Does this policy cover social media use?
It can, but many employers prefer a separate social media policy that sits alongside it. The IT policy typically deals with access to social platforms from company systems and during working time, while a dedicated social media policy covers wider issues like posting about the employer, confidentiality online, and personal accounts that identify the workplace.
Rules on monitoring, personal use and remote working rarely have a single right answer, and getting the tone wrong can cause problems later. An experienced legal adviser can help you think through the key choices based on what you describe about your workforce and systems.
Written & reviewed by
Brad Askew Solicitor (non-practising)
LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.