Internal and external communications policy

Excellent communications are vital for the success of the business. This includes being polite, courteous and respectful to anyone that you deal with on our behalf.

In light of the fact that all communications reflect upon the Company and are capable of having a number of commercial, professional and legal implications, this policy is intended to clarify what we expect from you and your responsibilities when using our communications facilities, which include telephone, email, Internet and social media, and any other communication device or network used in the course of your work.

Whilst the communications equipment and systems provided are made available for the purposes of the business, a certain amount of limited personal use is permitted insofar as such personal use is consistent with this Communications Policy.

Internal Communications

We will make every reasonable effort to keep all employees informed on all matters, which are important to their roles and their employment. We encourage two-way communication and opportunities are available to ask questions and receive answers from the person providing the information, usually a manager.

External and Media Communications

Any statements to reporters from newspapers, radio, television, etc. in relation to our business and our clients, are very sensitive and any such requests must be referred to your line manager. You should not speak to the media or make any statements.

We encourage all staff to be aware of developments in our industry, and those of our clients, and to feel empowered to contribute to discussions online using personal profiles.

These might take place on social media, at conferences or with the media.

It is your personal responsibility to remain civil and engage appropriately with companies and their employees.

You should seek permission to participate in a conversation by exception. We would expect you to seek permission when the discussion falls within any of these scenarios:

Internet

These guidelines set out the responsibilities of those people who have access to the Internet; they should be read in conjunction with existing Company policies on Software and electronic communications.

Access to the Internet is provided to a user as a business resource and must be used for legitimate business purposes at work although occasional private use is allowed. All internet use is monitored by the IT Support Company in accordance with principles described in this Playbook. The Company does ban its use for private or freelance business, gambling, visiting pornographic sites or conducting political activities. Anyone found using the Internet for these purposes will have disciplinary action taken against them. Users who misuse this resource will have their access revoked and are subject to disciplinary action, which could include dismissal. Access to certain sites is blocked electronically.

The Internet is an important communication facility providing contact with external sources throughout the world. Where appropriate and duly authorised, you are encouraged to make use of the Internet as part of your official professional activities. Attention must be paid to ensuring that published information has relevance to normal professional activities before material is released in the Company's name. Where personal views are expressed, a disclaimer stating that this is the case should be clearly added to all correspondence. Intellectual Property Rights and Copyright must not be compromised or infringed when publishing on the Internet.

When a website is visited, devices such as cookies, tags or web beacons may be employed to enable the site owner to identify and monitor visitors. If the website is of an inappropriate nature, such a marker could be a source of embarrassment to the visitor and us, especially if inappropriate material has been accessed, downloaded, stored or forwarded from the website. Such actions may also, in certain circumstances, amount to a criminal offence if, for example, the material is pornographic in nature.

You should therefore not access any web page or any files (whether documents, images or other) downloaded from the Internet that could, in any way, be regarded as illegal, offensive, in bad taste or immoral. While content may be legal in the UK, it may be in sufficient bad taste to fall within this prohibition. As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of our Communications Policy. Employees should not under any circumstances use our systems to participate in any Internet chat room, post messages on any Internet message board or set up or log text or information on a blog or wiki, even in your own time, unless it forms a part of your job role.

Email

E-mail is a vital business tool, but an informal means of communication, and should be used with great care and discipline. Employees should always consider if e-mail is the appropriate means for a particular communication and correspondence sent by e-mail should be written as professionally as a letter. Messages should be concise and directed only to relevant individuals.

To protect client privacy, Blind Copy (BCC) should be used when emailing multiple clients.

You should not send abusive, obscene, discriminatory, racist, harassing, derogatory or defamatory e-mails. If you feel that you have been harassed or bullied, or are offended by material received from a colleague via e-mail, you should inform your manager.

Care must be taken with the content of e-mail messages, as incorrect or improper statements can give rise to claims for discrimination, harassment, defamation, breach of confidentiality or breach of contract.

If the e-mail system is used, particular attention should be paid to the following points:

In general, you should not:

If you receive a wrongly delivered e-mail, you should return it to the sender. If the e-mail contains confidential information or inappropriate material (as described above) it should not be disclosed or used in any way.

Computer Software, Games and Viruses

It is the policy of The Company to respect computer software licences that are issued by the developers of the software used in many respects of its business activities to support the work of its employees.

We are required by law to own a valid licence for each piece of software. The Company does not and will not condone the use of any software that is not covered by a licence. If you are found to be using unlicensed software or to have installed unlicensed software onto the hard disc of their workstation could face disciplinary action that may result in dismissal. To ensure the Company’s continued adherence to the terms of these licences the Managing Director will, from time to time, perform or commission an audit of all computer equipment in use on its premises.

You may not duplicate any software or related documents without the expressed authorisation of the licensor. Unauthorised duplication of software may subject you and the Company to prosecution under the Copyright, Designs and Patent Act 1998. Without exception you may not give or loan software to any unauthorised persons. Any doubts or questions regarding licensing issues should be addressed to the Managing Director. The Company’s computers are Company assets and must be kept both ‘software legal’ and virus free. Only approved software may be used on Company machines. No software of any type may be installed on Company machines without the written permission of the Managing Director. You are not permitted to bring software from home or any other external source. Similarly, software that is owned by the Company cannot be installed onto your home computer unless both the Managing Director and licence agreement specifically allows this. No software should leave the premises without the approval of the Managing Director. Any software that does leave the premises after approval should be recorded.

Cyber Security

Protecting devices and data:

It is your responsibility to prevent unauthorised access to all devices that access Company data or services, regardless of whether they are owned privately or by the Company. Device use and access must comply with the relevant policies - notably by never leaving them unattended without locking access, following malware prevention guidelines and never attempting to circumvent security policies or restrictions. Likewise, guidelines must be followed to protect Company software and services - notably by following password strength and storage guidelines.

If you believe someone has gained access to a device or service temporarily (e.g: by being left unattended and unlocked) or permanently (e.g: a password has been revealed, or a device has been lost/stolen) it should be reported immediately so appropriate actions can be taken to protect Company data.

Security updates

One of the main sources of defence against electronic threats is keeping software up to date, both operating systems and individual applications. Company devices are configured to notify users of available updates, and these must be applied at the earliest safe opportunity. Updates listed as security fixes in particular should be installed within 24 hours; if this is not possible extra care should be taken until it can be completed.

Both Company and personal devices (if used for accessing Company data) are monitored for compliance with this policy and non-compliance may lead to that device no longer being able to access Company resources.

Maintaining privacy and accessing data securely

Employees are responsible for ensuring Company data is not exposed when accessing it. Care must be taken to prevent unauthorised users viewing data on their devices while they are accessing it. Where possible, sensitive data or documents with protective marking should not be accessed around unauthorised users; when unavoidable, ‘privacy screens’ should be used to reduce the risk of accidental disclosure.

When accessing Company data or services from outside Company networks care must be taken to protect data in transit and wherever possible no sensitive data should be accessed / sent. Even when not accessing sensitive data, if unavoidable, the employee must utilise

Malware and phishing

Malware (an overarching term for malicious software that encompasses viruses, worms, ransomware and much more) and phishing (pretending to be someone else to extract sensitive information such as bank account details or passwords - when conducted over the phone it is often called ‘vishing’) are a constant threat. Most attacks are opportunistic and not targeted at an individual - this means that every employee must be vigilant against them, not just those with privileged access.

If a device is acting strangely or you otherwise have reason to suspect it may have been exposed, e.g.: after opening an attachment to an email from an unrecognised sender, it must be reported immediately.

Password management

You must follow current Company policy for the generation, storage and sharing of passwords. At the time of writing, they are managed with Lastpass and segmented with a minimum viable access model. This means that when storing a new password, you should allow Lastpass to generate it for you (or otherwise generate a complex password, ideally of ~32 characters - length is more important than “complexity”) and then store it in the appropriate sub-folder so that only relevant employees have access.

Sharing: if a password needs to be shared, it must be done using the sharing tools within Lastpass. This ensures that access can be controlled to prevent copying of the password, and also allows revocation of access.

If it is ever suspected or known that a password has been compromised - either through a breach of a Company or 3rd party system, improper sharing or other means, then it should be reset immediately and the entry in Lastpass updated.

Social Media Guidelines

These guidelines deal with the use of all forms of social media, including Facebook, LinkedIn, Twitter, Google+, Wikipedia, Whisper, Instagram, Vine, Tumblr and all other social networking sites, internet postings and blogs. They apply to use of social media for business purposes as well as personal use that may affect our business in any way.

Occasional personal use of social media during working hours is permitted so long as it does not involve unprofessional or inappropriate content, does not interfere with your employment responsibilities or productivity and complies with this policy.

Where applicable, online activity follows the same standards of conduct as offline activity. Before participating in any social media activity, you must adhere to the standards of conduct expected in maintaining honesty, integrity, confidentiality, respect, responsibility and trust.

No derogatory comments should ever be made on social media about the Company, or your employment, clients, or fellow employees or suppliers.

You should be aware that even when using social media for personal use, information that is shared with friends online or information posted about employees or the Company, may be accessible to a much wider audience. Even when not connected with clients via social media, your presence on social media channels and comments posted should be handled with care, ensuring that your professional reputation, colleague or client confidentiality, or rights to privacy, are not compromised.

We reserve the right to monitor employees' use of social media on the Company's equipment. The Company considers that valid reasons for checking an employee's internet usage include suspicions that the employee has:

Monitoring will be conducted in accordance with the principles contained in this Playbook.

Private Telephone Calls / Correspondence

The Company mobiles are primarily for business use. Private telephone calls should be kept to a minimum.

Interception and Monitoring

It is important that you are aware that interception or monitoring of e-mails, other messaging systems, telephone calls or voicemail may take place for business reasons. This will be carried out through spot checks or audit and not through continuous monitoring. Use of Company IT and communication systems may also be subject to logging for compliance with regulation and certification standards. Logging, monitoring or keeping a record of communications will only be carried out for a legitimate business reason.

Instances where monitoring or intercepting electronic communications may be carried out:

The Company respects the rights of individuals to privacy and will only monitor, intercept, or keep a record of communications where this is strictly necessary for business reasons. Technical support or other personnel may not review the content of an individual employee’s communications out of personal curiosity or at the behest of individuals who have not received permission from a board member.

When monitoring is necessary, we will apply the following principles:

In addition, where it would not compromise the investigation, we will avoid opening emails that are clearly private or personal.

What you can do

There are a number of things that you can do to help maintain respect for your privacy whilst taking action under this policy, and these include: