IT Acceptable Use Policy
Template — South Africa

Defines all IT systems covered by the policy — hardware (desktops, laptops, tablets, smartphones, servers), software (operating systems, applications, cloud services), networks (LAN, WAN, Wi-Fi, VPN), communication systems (email, instant messaging, video conferencing), and data storage (on-premise, cloud, removable media). Establishes the categories of users subject to the policy and defines key terms such as "authorised use," "personal use," "IT resources," and "system controller" as referenced in RICA.

Comprehensive rules for professional email conduct, the extent of permitted personal email use on company systems, email retention and archiving requirements aligned with ECTA section 15 evidence provisions, prohibition on forwarding confidential information to personal email accounts, auto-signature standards, prohibition on mass unsolicited emails, and the handling of suspicious emails and phishing attempts. Addresses the legal admissibility of email communications as evidence under ECTA.

Defines permitted and prohibited website categories during work hours, streaming and bandwidth restrictions, download rules and file size limits, the employer's right to filter, block, or restrict access to certain content categories, the prohibition on accessing illegal content (including child exploitation material, which must be reported to the Film and Publication Board), and the logging of internet activity for security and compliance purposes.

Comprehensive requirements for personal devices used for work purposes including minimum operating system and security standards, mandatory mobile device management (MDM) enrolment, remote wipe consent for company data, separation of personal and company data through containerisation, liability for device loss or theft, the process for de-provisioning when the employee leaves, and the employer's limitation to managing only company data and applications on personal devices.

Establishes the employer as "system controller" under RICA section 6, defines the scope and purpose of monitoring (email, internet, file access, device usage), provides the required transparency notice under POPIA Condition 6, addresses the employee's limited expectation of privacy on company-owned systems, sets out the lawful basis for monitoring under POPIA section 11, and establishes the protocol for accessing monitoring data in disciplinary proceedings. Addresses the prohibition on covert monitoring except where serious misconduct is suspected.

Establishes four data classification levels — Public (freely distributable), Internal (not for external distribution), Confidential (restricted access, business-critical), and Restricted (highest sensitivity, legally protected) — with specific handling requirements for each level including storage locations, encryption requirements, transmission methods, access controls, and disposal procedures. Addresses POPIA classification of personal information and special personal information.

Password complexity requirements (minimum 12 characters, mixed case, numbers, symbols), prohibition on password reuse and sharing, multi-factor authentication mandates for sensitive systems, session timeout settings, the employee's duty to report compromised credentials immediately, privileged access management for IT administrators, and account lockout policies after failed authentication attempts.

Absolute prohibition on installing unauthorised software (including cracked or pirated software, which constitutes a criminal offence under the Copyright Act 98 of 1978), software licence compliance obligations, the process for requesting and approving new software, rules for connecting personal peripherals to company networks, and the prohibition on modifying company hardware without IT authorisation.

Restrictions on the use of USB drives, external hard drives, and other removable media — including mandatory encryption and approval for any data transfer to removable devices. Rules for approved and prohibited cloud storage services, the prohibition on storing Confidential or Restricted data on personal cloud accounts, and the requirement for approved cloud services to meet POPIA security standards.

Mandatory obligation to report suspected security incidents, phishing attempts, malware infections, ransomware attacks, and data breaches immediately to the IT department. Links to the organisation's incident response plan, POPIA section 22 breach notification obligations (72-hour notification to the Information Regulator), and Cybercrimes Act section 54 reporting obligations for electronic communications service providers and financial institutions.

Guidelines for the use of AI tools including ChatGPT, Claude, Copilot, and other generative AI platforms. Prohibition on inputting Confidential or Restricted company data into public AI tools, requirements for approved AI tools, intellectual property considerations for AI-generated content, and the obligation to verify AI outputs before relying on them for business decisions.

Progressive disciplinary framework aligned with LRA Schedule 8 for IT policy violations, ranging from verbal warnings for minor infractions (excessive personal browsing) to summary dismissal for serious offences (unauthorised access to systems, data theft, installation of malicious software). Addresses the employer's obligation to report criminal IT conduct to the South African Police Service under the Cybercrimes Act.