IT Acceptable Use Policy

1. Purpose

All of us at the British Business Bank (the “Bank”) need to use our IT systems, telephony, email and internet in a responsible way. This policy explains to all Bank colleagues what is deemed acceptable use and what is not.

This is a Level 2 policy and forms part of the Bank’s Information Security Policy.

This policy supports the Bank’s compliance with the following legal and regulatory obligations:

  • UK General Data Protection Regulation
  • Data Protection Act (2018)
  • Copyright, Designs and Patents Act (1988)
  • Computer Misuse Act (1990)
  • Regulation of Investigatory Powers Act 2000
  • Freedom of Information Act 2000
  • Intellectual Property Act 2014
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

In addition to meeting its legal obligations, the Bank as an Arm’s Length Body (ALB) is required to meet the Government Functional Standards where applicable. The obligations arising from Government Functional Standard GFS005 (Digital, Data and Technology) and GFS007 (Security) that relate to acceptable use are implemented through this policy and its associated standards.

This policy should be read in conjunction with the Bank’s Data Protection Policy, the Bank’s Social Media Standards and the Bank’s Information Classification and Handling Standard.

1.2 Alignment to Risk Appetite

Risk appetite is the type and level of risk the Bank’s Board is willing to take to deliver its strategy and public policy objectives. This policy forms part of the Bank’s Risk Management Framework (RMF).

This policy sits under the Level One Risk category, Operational and Resilience Risk.

It aligns to the Level Two Risk Category, Information Management, which is defined as ‘The risk of failing to treat information as a strategic asset, appropriately manage and maintain the organisation’s information across its lifecycle to support its necessary use, resilience, integrity and availability.’

The Bank’s risk appetite in relation to Information Management is set at Medium.

2. Scope

Who does this Policy Apply To?

This Policy applies to all Bank entities, operations, subsidiaries and Colleagues.

What IT Use is Covered by this Policy?

The policy outlines actions for Bank colleagues to follow in relation to the IT systems and devices provided by the Bank. We all need to be aware of these policy statements and the obligations they place on us to use IT appropriately.

The Bank may amend this policy at any time.

3. Key Requirements

The Bank supplies colleagues with IT devices and access to IT systems for business use. Some personal use is also acceptable. This section identifies the dos and don’ts when using the Bank’s IT systems and devices.

3.1 Internet

The Bank provides you with access to the internet by setting up an account and issuing you with login details.

Do:

  • use the internet in a responsible way, for business-related purposes.
  • exercise vigilance for malicious files or code when downloading any files or attachments.

Don’t:

  • copy, retrieve, forward or send copyrighted materials unless you have the author's written permission or are accessing a single copy only for your own reference.
  • sign "guest books" on websites or post messages to internet newsgroups or discussion groups on websites. These actions will generate junk electronic mail and may expose the Bank to liability or unwanted attention.
  • interfere with the normal operation of the Bank network, for example through propagation of computer viruses and sustained high volume network traffic that hinders the use of the network by others.
  • use the internet for any illegal purpose, or for personal or pecuniary gain.
  • violate any Bank policy, or act in a manner contrary to the best interests of the Bank.
  • disclose confidential or proprietary information of the Bank or third parties.
  • import material such as personal documents, personal photographs or images, pornography or illegal material to be stored on the Bank’s computer systems, network devices, authorised personal computers or other devices.

The Bank blocks access to sites in categories such as:

  • gross, indecent or sexually oriented materials.
  • gambling sites.
  • games, inappropriate humour, trading sites.
  • chat rooms.
  • illegal drug-oriented sites.
  • non-work-related video, audio downloads.
  • live streaming services.

The Bank may monitor both the amount of time spent using online services and the sites visited by Bank colleagues and may limit or revoke access if appropriate.

3.2 Personal Use of the Internet on Bank Devices

Access to the internet for personal use is allowed, providing your use is reasonable and acceptable and you follow the principles below.

Do:

  • keep your use of personal webmail and/or cloud accounts to a reasonable level that does not disrupt your work.
  • use ‘Guest Wi-Fi’ from personal devices if required, provided you follow the principles set out in this policy.
  • consult your line manager for guidance on acceptable use.

Don’t:

  • use personal webmail or cloud accounts for Bank business unless you have prior written authorisation from the Chief Operating Officer/MD, IT Infrastructure and Operations or an appropriate delegate.
  • allow personal internet use to interfere with any Bank colleague’s duties while working for the Bank.
  • download or upload information when using personal webmail or cloud accounts.

Personal use of the Bank’s IT systems and devices is at your own risk. The Bank will not accept responsibility for any loss of information, damages or liability arising from any Bank colleague’s personal use of the Bank’s IT systems and devices, including any corruption or misuse of emailed content.

3.3 Social Media

Access to social media sites is allowed where there is a business need.

Do:

  • request access to social media via the IT Service Desk portal.

Don’t:

  • disclose sensitive or potentially sensitive material, Intellectual Property or similar material on social media.
  • use social media or messaging applications not provided by the Bank for work-related purposes, on either a Bank-issued or a personal device, because any such content will fall within the scope of a Freedom of Information request, Data Subject Access Request or other legal, regulatory or internal investigation.

For further guidance on appropriate use of social media, refer to the Bank’s Social Media Standards.

3.4 Email Use

Email is an important business communication tool. You need to use this tool in a responsible, professional, effective and lawful manner.

Although email can seem to be less formal than other written communication, the same laws apply. Be aware of the legal risks of these communications and the potential need to disclose emails in response to investigations and Freedom of Information requests.

The Bank may monitor email communication. Emails are archived and all messages distributed via the Bank’s email system are the Bank’s property.

Do:

  • clearly indicate and respect the information classification on emails. See the Bank’s Information Classification and Handling Standard.
  • clearly mark personal email as reflecting the views/opinions of the sender, and explicitly not reflecting the views of the Bank.
  • only use a colleague’s personal email address if you are sending them Bank official material that relates to the colleague personally, such as their payslips or contracts.

Don’t:

  • use the Bank’s email system for anything other than legitimate business purposes.
  • send Bank information or attachments to personal email accounts without the prior written approval of the Chief Risk Officer (CRO). The CRO has given approval for using the personal email accounts of certain non-executive directors, but for any other case you need to request written approval.
  • send chain letters, junk mail, jokes, executable files or emails with attachments or links with potential malware.

3.5 MS-Teams

Microsoft Teams is also an important business communication tool. You need to use this tool in a responsible, professional, effective and lawful manner.

Although Teams chat messages can seem to be less formal than other written communication, the same laws apply. Be aware of the legal risks of these communications and the potential need to disclose Teams messages in response to investigations and Freedom of Information requests.

The Bank may monitor MS-Teams communication. Chat content is archived, and all messages distributed via the Bank’s MS Teams system are the Bank’s property.

Do:

  • clearly indicate and respect the information classification of data if sharing in MS-Teams. See the Bank’s Information Classification and Handling Standard.
  • set your camera background to ‘blur’ when in the office, to avoid any risk of sensitive information being seen on screens behind you.

Don’t:

  • use the Bank’s MS-Teams system for anything other than legitimate business purposes.
  • send Bank information or attachments to personal MS-Teams chat without the prior written approval of the Chief Risk Officer (CRO).
  • send jokes, executable files or attachments or links with potential malware.

3.6 Telephony and Messaging

The Bank provides authorised software for making telephone calls and sending messages through applications such as Microsoft Teams. All calls made from and to a given telephone extension may be logged, recorded and monitored and colleagues should presume no privacy at any time. Although voicemail is password protected, an authorised administrator can reset the password and listen to voicemail messages if required to do so.

Do:

  • only use authorised audio-conferencing tools such as Microsoft Teams to arrange meetings. For meetings with external parties, always use a meeting password.
  • join external meetings via their conferencing tools in the normal way. If you need additional support, contact the IT Service Desk.
  • only give out information if you are certain about who you are giving it to, and that they are entitled to the information and ready to accept it.

Don’t:

  • leave voicemail messages containing personal information without first considering security and confidentiality risks.

3.7 Bank Devices

Do not remove or alter the tags on Bank equipment as these tags uniquely identify it. Report any damaged tags to the IT Service Desk.

3.8 Travelling Outside the UK with Bank Devices

You may occasionally need to take Bank-owned devices outside the UK, either to access the Bank’s network on an official work trip overseas or because you want to use a device while on holiday. This must be requested via the IT Service Desk portal so that IT can ensure the device is appropriately protected whilst abroad.

For any other situation in which you wish to work remotely from outside the UK, refer to the Temporarily Working Outside the UK Policy on the Intranet.

3.9 Personal Data on Bank Devices

When using Bank devices, colleagues are likely to have access to personal data in relation to other individuals including other colleagues. The Bank has a separate Data Protection Policy relating to the use of personal data.

Don’t:

  • allow anyone else to have any access to your Bank devices.

3.10 Personal Devices

The Bank does not support a full Bring Your Own Device (BYOD) policy – that is, the Bank does not allow you to use personal devices for Bank work except in exceptional circumstances where this has been specifically configured. When you are using a personal device for other purposes, apply the following principles.

Do:

  • access ‘Guest Wi-Fi’ when on Bank premises.
  • access web services for which you have your own login credentials (for example, Diligent).

Don’t:

  • use ‘BBB Corp – Wi-Fi’ from personal devices.
  • connect any personal device to the Bank network using your Bank login credentials (username and password).
  • download (or allow anyone else to download) any Bank information, emails or documents onto a personal device.

3.11 Use of Bluetooth Connected Devices

Do not use Bluetooth data-sharing functionality to transfer files, either from paired equipment onto the Bank network or a Bank device, or from the Bank network or a Bank device onto the paired equipment.

3.12 Storage

Bank laptops are issued with mapped drives on the Bank network for storing files. Only files saved to the dedicated network drives are backed up.

Do:

  • call the Service Desk for advice if you are unable to connect to the Bank network or need to work offline.

Don’t:

  • store any files or information on your Bank laptop’s local hard disk (the C: drive, Documents folder or the Desktop), as they are not backed up and may be irretrievable if the device is lost or stolen.

3.13 Removable Media

Authorised encrypted removable media (USB sticks) are available via the IT Service Desk. The IT Service Desk records the serial number, the contents, the date issued, the colleague it was issued to and the date returned.

Do:

  • submit a request to the IT Service Desk if you need to use removable media.

Don’t:

  • use personal removable media, unless you have obtained specific authorisation from the Chief Operating Officer/MD, IT Infrastructure and Operations (or an appropriate delegate) via a request to the IT Service Desk.

3.14 Use of Software

Software installed on Bank devices

The Bank will provide legally acquired and licensed software to meet all legitimate needs. Backup copies of such software are made in accordance with the licensing agreements and Bank policies. The use of software obtained from any other source is strictly prohibited.

The Bank reserves the right to protect its reputation and its investment in computer software by enforcing strong internal controls to prevent the making or use of unauthorised copies of software. These controls may include periodic assessments of software use, announced and unannounced audits of Bank computers, and the removal of any software found on Bank property for which a valid license or proof of license cannot be determined.

Cloud services

Some of the software that you use in your work at the Bank is hosted in the ‘cloud.’ Cloud services are a range of different IT services provided over the internet. The Bank will provide access to cloud computing services to meet all legitimate needs. The Bank supplier management processes ensure that security, privacy and all other IT management requirements are adequately addressed by the cloud computing vendor.

This policy applies to all external cloud services, including cloud-based storage, Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS, including hosted hypervisors) and Platform-as-a-Service (PaaS) offerings such as those from Amazon Web Services (AWS).

Do:

  • only use the software and services supplied by the Bank.
  • if you need software or services for your work, submit a request to the IT Service Desk.
  • if you need a copy of software to be loaded on two Bank devices that you use, submit a request to the IT Service Desk. If the software license agreement allows this and there are valid business reasons, approval will be granted.
  • ensure that your use of software and cloud services complies with all applicable laws and regulations governing the handling of personally identifiable information, corporate financial data or any other data owned or collected by the Bank.
  • use the Bank’s software assets for business purposes, and use them legally and ethically; this policy is published so that colleagues know how to do so.
  • note that occasional use of third-party tools such as WhatsApp for social messages with colleagues, or in emergencies, is permitted; however, any messages created for work-related purposes on either a Bank-issued or a personal device will fall within the scope of a Freedom of Information request, Data Subject Access Request or other legal, regulatory or internal investigation.

Don’t:

  • install any software on your Bank devices.
  • make any other copies of software or software licences. The unauthorised duplication of copyrighted software or use of licences is a violation of the law and is contrary to the standards of conduct for Bank colleagues. If you make, acquire or use unauthorised copies of computer software or licences, you are in breach of this policy, which may lead to disciplinary action and could result in dismissal.
  • open third-party service accounts or enter into cloud service contracts for the storage, manipulation or exchange of Bank-related communications or Bank-owned data.
  • use personal cloud services accounts for the storage, manipulation or exchange of Bank communications or Bank-owned data.
  • share log-in credentials.
  • use cloud services that require you to agree to terms of service unless those terms have been reviewed and approved via the IT Service Desk and aligned to the Bank’s IT Outsourcing Standards before any use.
  • use third-party tools such as WhatsApp (or other messaging applications) for work-related purposes on either a Bank-issued or a personal device, because any such messages will fall within the scope of a Freedom of Information request, Data Subject Access Request or other legal, regulatory or internal investigation.

3.15 Use of ChatGPT or Generative AI

Artificial Intelligence (AI) is not a new term, but the adoption of Generative Artificial Intelligence (GenAI) tools has accelerated recently, the most publicised being ChatGPT (Chat Generative Pre-trained Transformer). The IT team and the Data Protection Officer (DPO) have reviewed ChatGPT and concluded that colleagues may use it, subject to the rules below.

Do:

  • register for an account using your BBB email address.
  • only use a Bank device, and ensure your use aligns with the Bank’s policies and guidance.
  • refer to the Government Security Group’s ‘Official Sensitive’ guidance on ChatGPT use.
  • raise a Risk Incident if you have concerns about a disclosure that has already occurred.
  • seek guidance from the Information Governance Team.

Don’t:

  • attempt to use ChatGPT (or any other Generative AI tool) for non-work-related activities or to generate inappropriate content for work (see the note below).
  • input personally identifiable information and/or data classified at or above OFFICIAL level into ChatGPT or any other Generative AI tool.

Note: ChatGPT includes built-in restrictions that prevent it from creating violent content, encouraging illegal activity or accessing up-to-date information. Using crafted queries to remove these safeguards is known as ‘jailbreaking’; doing so is a breach of Bank policy and could lead to disciplinary procedures.

3.16 Use of Music Streaming Services

Access to music streaming services via a Bank-provided laptop is allowed, providing that your use is reasonable and you follow the principles below.

Do:

  • keep your use of personal music streaming to a reasonable level.
  • only sign up to music streaming services via a personal email address.
  • if using a Bank device, only use a browser-based version of the service.
  • consult your line manager for guidance on acceptable use.

Don’t:

  • play loud music in the offices or disturb colleagues.
  • allow music streaming services to interfere with any Bank colleague’s duties while working for the Bank.
  • download music streaming applications to a Bank device.
  • use your business email to sign up for music streaming services.
  • seek support from the IT Service Desk relating to your personal music streaming services.

Personal use of the Bank’s IT systems and devices is at your own risk. The Bank will not accept responsibility for any loss of information, damages or liability arising from any Bank colleague’s personal use of the Bank’s IT systems and devices.

3.17 Intellectual Property Rights

Intellectual Property (IP) refers to creative work, which can be treated as an intangible asset or physical property.

IP rights can be found in a wide range of work products, including research reports, inventions, improvements, discoveries, software design, software coding, charts, drawings, specifications, notebooks, tracings, photographs, negatives, draft or final reports, findings, recommendations, data and memoranda.

Any IP created by or for the Bank, including IP created by Bank colleagues in carrying out their employment duties, is the property of the Bank.

In your use of the Bank’s IT systems and devices:

Do:

  • be careful to protect the Bank’s intellectual property, and that of our customers.

Don’t:

  • use or share intellectual property except where it is an authorised and necessary part of your job.

4. Non-Compliance

This policy sets out what the Bank expects from all colleagues using IT systems and devices, to work effectively and to support the Bank’s reputation. Your compliance with this policy is mandatory. Any breach of this policy may lead to disciplinary action, which could result in dismissal.

The Bank actively monitors compliance with this policy. Breaches of this policy are reported via the Risk Incident Portal on the Bank Intranet and assessed by the Policy Owner to determine what action is required. This may include disciplinary action in accordance with the Bank’s Disciplinary Policy.

Failure to comply could expose the Bank and its partners to out-of-tolerance risk in the delivery of resilient IT services.

5. Supporting Standards and Procedures

  • Information Security Policy
  • Risk Management Framework
  • Data Protection Policy
  • Information Classification and Handling Standard
  • Social Media Standards
  • Supplier Management Policy
  • Disciplinary Policy
  • Working Outside the UK Policy

6. Policy Controls

Controls in place regarding this policy are visible here: IT Acceptable Use Policy controls - Power BI.