Information Technology Policy

1. Purpose

This policy forms a reference for the acceptable use and delivery of Information Technology (IT) Services by the IT team, the correct way to interact with IT, and how IT will operate to provide robust, sustainable, scalable, and user-friendly IT Infrastructure and Services. 

All British Business Bank (the “Bank”) colleagues need to use and maintain our IT systems responsibly.

This policy explains to all Bank colleagues what is deemed acceptable use and what is not. Technical and procedural detail will be maintained in supporting standards.

This policy supports the Bank’s compliance with the following legal and regulatory obligations:

  • UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. Protection of personal data. Article 5(1)(f) of the UK GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” This policy and its related standards support that requirement. You are responsible for handling Bank data so that it is protected against unlawful or unauthorised processing, access, loss, destruction or damage.
  • Intellectual Property Act 2014. Modernises intellectual property (IP) law to help UK businesses better protect their IP rights and underscores the importance of respecting intellectual property rights within an organisation when using, sharing, and creating intellectual property. British Business Bank will usually own the intellectual property created by colleagues during the course of their employment.
  • Copyright, Designs and Patents Act 1988. Protects the rights of creators over their intellectual property and sets out the legal framework for the use of copyrighted materials. This act ensures that employees and users are aware of the importance of respecting copyright laws, prohibiting the unauthorised copying, distribution, or use of copyrighted content.
  • Computer Misuse Act 1990. This Act makes it a criminal offence to access computer material without authorisation, to do so with intent to commit further offences, or to carry out unauthorised acts that impair the operation of a computer. Where an offence under the Act is suspected, the Bank may need to report it to the authorities and preserve evidence with a documented chain of custody, which is why proactive controls and monitoring are in place. You could be personally prosecuted for using Bank systems for unlawful purposes, e.g. under the Computer Misuse Act 1990 or the Investigatory Powers Act 2016. Abiding by this policy, its related standards and frameworks, and the Information Security Policy supports the Bank’s compliance with this Act.
  • Regulation of Investigatory Powers Act 2000 (RIPA). Lawful interception of communications. The Bank may monitor communications and provide information to the authorities or other third parties, such as our cyber insurers, in response to legitimate requests or as part of incident response. Any information you create or transmit using Bank systems should not be considered private.
  • Freedom of Information Act 2000 (FOIA). The Act gives the public a right of access to information held by public authorities, including the Bank. Bank electronic communications may be monitored and logged for legitimate business purposes, and such records may need to be disclosed to fulfil a Freedom of Information request.
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Authorises businesses to lawfully intercept communications on their own networks for specific purposes such as ensuring regulatory compliance, verifying employee performance, and preventing criminal activity. We may also do this to troubleshoot IT or Network issues. 
  • Waste Electrical and Electronic Equipment Directive 2012/19/EU. Aims to reduce the environmental impact of electrical and electronic waste by promoting re-use, recycling and recovery. 
  • Network and Information Systems Regulations 2018 (NIS Regulations). The Bank is required to implement appropriate controls, risk management, report certain incidents and comply with the authorities as required. This is covered by our Incident Response processes.
  • FCA guidance FG16/5. Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services. It sets out the Financial Conduct Authority’s expectations of regulated firms when they outsource to the cloud and to other third-party IT services.

In addition to meeting its legal obligations, the Bank as an Arm’s Length Body (ALB) is required to meet the Government Functional Standards where applicable. 

Obligations arising from Government Functional Standard GFS005 (Digital, Data and Technology) and GFS007 (Security) are addressed through this policy and its associated standards. 

The Bank provides cyber resilience assurance to Government via the GovAssure programme.
 

1.2 Alignment to Risk Appetite

Risk appetite is the type and level of risk the Bank’s Board is willing to take to deliver its strategy and public policy objectives. 

This policy forms part of the Bank’s Risk Management Framework (RMF).

This policy sits under the Level One Risk category, Operational and Resilience Risk.

This policy aligns to the Level Two Risk Category, Technology Risk, which is defined as ‘The risk that BBB IT and communication systems, including outsourced services, do not meet business requirements, do not operate as expected or are not resilient.’

The Bank’s risk appetite in relation to Technology Risk is set at Medium.

IT Acceptable use aligns to the Level Two Risk Category, Information Management, which is defined as ‘The risk of failing to treat information as a strategic asset, appropriately manage and maintain the organisation’s information across its lifecycle to support its necessary use, resilience, integrity and availability.’

The Bank’s risk appetite in relation to Information Management is set at Medium.
 

2. Scope

This policy applies to all Bank entities, operations, subsidiaries and Colleagues (see Appendix 2: Scope Definitions).

This IT Policy outlines the responsibilities of Colleagues regarding the Bank’s IT systems and devices. 

It details the acceptable use of these systems. It also covers IT governance, including asset and service continuity management, and service and project delivery. 

This policy applies to both users and administrators of these systems and services.

This policy does not include technical detail but references relevant standards and procedures.
 

3. IT Service and Technology Change Delivery

This section lists key high-level aspects of IT service provision for the Bank.

  • Enterprise Technology: IT will provide and maintain the underlying enterprise technology and infrastructure that enables colleagues to deliver the Bank's mission. IT will review critical configurations and architecture annually to ensure alignment with standards and best practices.
  • Governance and Standards: IT will define and adhere to governance, processes, and standards for Technology, Technology Change Delivery, Service Delivery, and Change Enablement.
  • Due Diligence: IT will provide technology and information security due diligence in line with procurement processes, supporting contract owners in making informed decisions and mitigating risks. 
  • Documentation: IT will maintain clear documentation for all standards, processes, and governance to ensure colleagues understand expectations.
  • Continuous Improvement: IT will continuously improve its governance, processes, and standards to fit the Bank’s needs, with formal reviews conducted annually.
  • Gap Analysis: Annual policy reviews will include a standards gap analysis against critical services.
  • Service Lifecycle Support: IT will support non-enterprise, bespoke, and local IT needs, provided a nominated Service Owner is agreed upon and aligns with Bank governance.
  • Guidance for Service Owners: IT will provide clear guidance for Service Owners and support effective delivery of federated services.
  • Service Management: IT will manage services as agreed with the business, in compliance with governance, processes, and standards.
  • Vendor Management: IT follows our procurement and supplier relationship management processes to ensure that our requirements are adequately addressed by our providers.
  • Feedback Mechanism: IT will seek and act on feedback from the business through regular surveys, improving what works and changing what doesn’t.
  • Technology requests: IT will regularly assess non-standard requests and provide technical expertise for colleagues who want to make technology changes. IT will either deliver them, add them to the IT Programme of Work backlog, or reject them. The requester will be informed of the outcome.
     

4. Key Requirements - IT Acceptable Use

Use of IT Devices and Systems

The Bank provides colleagues with IT devices and access to IT systems for business purposes. 

The Bank will monitor the use of and access to its systems, including personal use and internet access.

This includes the use of Bank email and messaging platforms. Some personal use is acceptable.

Monitoring and Privacy

All Bank electronic documentation and communication, including deleted messages and documents, are subject to the Freedom of Information Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. 

Colleagues should assume no right to privacy when using the Bank’s systems; any monitoring will be proportionate and justified.

4.1    Protecting Systems and Data

Colleagues are expected to take all reasonable steps to protect the confidentiality, availability, and integrity of our systems and data. 

This includes the following behaviours:

Do: 

  • Keep Authentication Data Confidential: Keep passwords, tokens, PINs, and other authentication data confidential. Ensure they meet our requirements as defined in the Access and Authentication standard. These do not imply any right of privacy; they prevent unauthorised access.
  • Lock Your Screen: Lock your screen when your device is unattended.
  • Manage Encryption Keys: Ensure the right people have access to encryption keys for encrypted documents. Make sure access will continue if you leave the Bank.
  • Support IT Maintenance: Support the IT Service Desk by responding to reboot requests and reporting unusual activity promptly.

Don’t:

  • Use IT Inappropriately: Do not use the Bank’s property to transmit, receive, or store any information that is discriminatory, harassing, or defamatory.
  • Use unauthorised devices: Do not access or attempt to access the Bank’s systems or data using an unauthorised device.
  • Unauthorised Access: Do not access Bank systems without authorisation from the system owner.
  • Make Insecure Data Transfers: Do not transfer the Bank’s data to unauthorised personnel or systems.

4.2    Reporting Issues and Making Requests

Do:

  • Use the IT Service Desk Portal to report Issues or Incidents or to make Requests. 
  • Follow up with a request via the portal after verbally requesting something from IT.

4.3    Use of Software

Software and Application Requests:

  • Approved Requests Only: Software or applications must not be used or deployed without an approved request. Unauthorised use increases the risk of Cyber Security and Information Governance incidents and leads to inefficient use of Bank resources.
  • Centralised Approval: IT reviews and approves software requests so that our standards are adhered to and that exceptions are granted within our risk appetite. We aim to balance tailoring services to our needs while avoiding duplication and minimising the number of applications in use across the Bank.

Software Installed on Bank Devices

  • Legally Acquired Software: The Bank will provide all necessary software that is legally acquired and licensed. Backup copies of this software are made according to licensing agreements and Bank policies. Using software from any other source is strictly prohibited.
  • Software Checks: To protect its reputation and investment in software, the Bank may perform periodic assessments of software use, announced and unannounced audits of Bank computers, and the removal of any software found on Bank property without a valid license.

Do:

  • Use Bank-Supplied Software and Services: Only use the software and services provided by the Bank.
  • Request Software or Services: If you need software or services for your work, submit a request to the IT Service Desk Portal.
  • Document Requirements: Before requesting new software or applications, colleagues must document their requirements. You can suggest specific software that meets these requirements and explain how it will fulfil them.
  • Request Additional Copies: If you need a copy of software for two Bank devices, submit a request to the IT Service Desk. Approval will be granted if the software license agreement allows it and there are valid business reasons.
  • Comply with Laws and Regulations: Ensure your use of software and cloud services complies with all applicable laws and regulations regarding personally identifiable information, corporate financial data, or any other data owned or collected by the Bank.
  • Use Software for Business Purposes: Use the Bank’s software assets for business purposes only.

Don’t:

  • Install Unauthorised Software: Do not install software on your Bank devices yourself; software is installed by IT following an approved request.
  • Duplicate Software or Licences: Do not make any copies of software or software licences. Unauthorised duplication is illegal and against Bank standards. Breaching this policy may lead to disciplinary action, including dismissal.
  • Open Third-Party Service Accounts: Do not open third-party service accounts or enter into cloud service contracts for Bank-related communications or data.
  • Use Personal Cloud Accounts: Do not use personal cloud service accounts for Bank communications or data.
  • Share Log-In Credentials: Do not share your log-in credentials with anyone.
  • Agree to Unapproved Terms of Service: Do not use cloud services that require agreeing to terms of service without review and approval from the IT Service Desk, ensuring alignment with IT Outsourcing Standards.
  • Pay for Software Personally: Do not pay for software as a service (SaaS) or other applications personally and claim expenses without approval from the Chief Operating Officer (COO).

4.4    Internet Access and Personal Use of Bank Devices and Network

Internet Access: The Bank provides you with access to the internet by setting up an account and providing log-in details. The Bank will block access to sites that fall within categories deemed inappropriate. Exceptions will be agreed with HR and, if appropriate, the Colleague Forum.

Appropriate Use Monitoring: The Bank may monitor both the amount of time spent using online services and the sites visited by Bank colleagues and may limit or revoke access if necessary.

Personal Use: When using the Bank’s IT systems and devices for personal purposes, you do so at your own risk. The Bank will not be responsible for any loss of information, damages, or liability resulting from personal use, including any corruption or misuse of emailed content. Access to the internet for personal use is allowed, provided your use is reasonable and acceptable, and you follow the principles below.

Do:

  • Be vigilant: Watch out for malicious files or code when downloading any files or attachments.
  • Use the internet responsibly: Ensure your usage is primarily for business-related purposes.
  • Limit Personal Use: Keep your use of the Bank’s internet connectivity, personal webmail and cloud accounts to a reasonable level that does not disrupt your work.
  • Limit tethering and mobile data use: Use the Bank’s mobile data responsibly. It should primarily be used when travelling or working away from home and the office, and only for work-related purposes.
  • Use Guest Wi-Fi: If needed, use ‘Guest Wi-Fi’ from personal devices, following the principles established in this policy.
  • Seek Guidance: Consult your line manager for guidance on acceptable use.

Don’t:

  • Use Personal Accounts for Bank Business: Do not use personal webmail or cloud accounts for Bank business unless you have prior written authorisation from the Chief Operating Officer (COO).
  • Interfere with Work: Do not allow personal internet use to interfere with any Bank colleague’s duties.
  • Violate Data Protection or Privacy: Avoid uploading Bank information to personal webmail or cloud accounts, and do not download personal information onto your Bank laptop.
  • Copy or share copyrighted materials: Only do so with the author’s written permission or if accessing a single copy for your own reference.
  • Use your work email like a personal account: Only use it to support your duties.
  • Interfere with the Bank network: Avoid actions like spreading computer viruses or generating high-volume network traffic that hinders others.
  • Engage in illegal activities: Do not use the internet for illegal purposes or personal gain.
  • Violate Bank policies: Always act in the best interests of the Bank when using our systems.
  • Disclose confidential information: Keep the Bank’s and third parties’ information private.
  • Use Bank assets as personal devices: Do not import personal documents, photographs, pornography, or illegal material onto the Bank’s systems or devices.

4.5    Social Media

Access to social media sites is allowed where there is a business need.

Do:

  • Request Access: Use the IT Service Desk Portal to request access to social media.

Don’t:

  • Disclose Sensitive Information: Do not share sensitive or potentially sensitive material, intellectual property, or similar content on social media.
  • Use Unapproved Platforms: Avoid using social media or messaging applications not provided by the Bank for work-related purposes on either Bank-issued or personal devices. This usage may be subject to Freedom of Information requests, Data Subject Access Requests, or other legal, regulatory, or internal investigations.

For further guidance on appropriate use of social media, refer to the Bank’s Social Media Standards.

4.6    Email Use

Email is an important business communication tool. 

Use it responsibly, professionally, effectively, and lawfully.

Key Points:

  • Legal Risks: Emails are subject to the same laws as other written communications and may need to be disclosed in investigations and Freedom of Information requests.
  • Monitoring: The Bank may monitor email communication. All Bank emails, including deleted ones, are archived subject to our retention policies and remain the Bank’s property.

Do:

  • Indicate Information Classification: Clearly mark and respect the information classification on emails. See the Bank’s Information Classification and Handling Standard.
  • Mark Personal Emails: Clearly mark personal emails as reflecting the sender’s views, not the Bank’s.
  • Use Personal Emails Appropriately: Only use a colleague’s personal email address for official material that relates to them personally, such as payslips or contracts.

Don’t:

  • Misuse the Email System: Only use the Bank’s email system for legitimate business purposes.
  • Send Bank Information to Personal Accounts: Do not send Official Bank information or attachments to personal email accounts without prior written approval from the Chief Operating Officer (COO). Approval has been given for certain non-executive directors, but any other case requires written approval.
  • Send Inappropriate Content: Avoid sending chain letters, junk mail, jokes, executable files, or emails with attachments or links that may contain malware.


4.7    Collaboration Software

Microsoft Teams (Teams) is our preferred collaboration tool. 

You need to use this tool in a responsible, professional, effective and lawful manner.

Key Points:

  • Legal Risks: Teams chat messages are subject to the same laws as other written communications. Be aware of the legal risks and the potential need to disclose messages in response to investigations, Freedom of Information requests and in meeting data subject rights.
  • Teams Recording: Colleagues may only record or transcribe Teams calls if granted permission for a specific call or series of calls following a formal request submitted per the Bank’s call recording guidance. Requests that do not comply (e.g., those outside the guidance's scope or submitted on short notice) will be rejected. The guidance covers request procedures, submission timelines, data protection, and recording management. The requesting colleague is responsible for compliance and violations may result in disciplinary action and pose legal, commercial, or reputational risks to the Bank. Only native Teams recording is permitted; third-party software and personal device recordings are strictly prohibited.
  • Monitoring: The Bank may monitor Teams communication. Chat content is archived, and all messages distributed via the Bank’s Teams system are the Bank’s property.
  • Collaboration with Third Parties: IT can provide federated access to partner organisations on request, typically where the Bank has a contractual relationship with the third party. 
  • Third Party Collaboration Tools: Other tools, such as Slack, can be approved for collaborating with third parties where Teams is not an option. For example, IT and Data colleagues have access to the Cross Government Slack Workspace. 
  • WhatsApp: Can be approved by Business Resilience for use on work mobiles during a major incident. 

Do:

  • Indicate Information Classification: Clearly mark and respect the information classification of data shared in Teams. Refer to the Bank’s Information Classification and Handling Standard
  • Blur Your Background: Whilst on a call, set your camera background to ‘blur’ to prevent any sensitive information from being seen and to maintain privacy whilst working from home. Think about who may be nearby who could hear your discussions, and take the necessary steps: work in a private space or use a headset.
  • Use Discretion with social use: Colleagues can use third-party communication tools on their personal devices at their own discretion but be aware that these communications might be included in an investigation or response to third party request.

Don’t:

  • Misuse Teams: Only use Teams for legitimate business purposes.
  • Send Bank Information to Personal Teams Chats: As with email, do not send Bank information or attachments to personal MS Teams chats.
  • Send Inappropriate Content: Avoid sending jokes, executable files, or attachments or links that may contain malware.
  • Disclose Sensitive Information on Slack: Do not share sensitive or potentially sensitive material, intellectual property, or similar content via Slack or other third-party tools.
  • Join Unapproved Slack Workspaces: Do not join unapproved Workspaces on Slack.
  • Misuse third-party tools:  Work-related messages on either a Bank-issued or personal device are subject to Freedom of Information requests, Data Subject Access requests, or other legal, regulatory, or internal investigations. Do not use third-party tools such as Slack and WhatsApp for work-related purposes without written approval from the Chief Operating Officer (COO). 


4.8    Telephony and Messaging

The Bank provides authorised software for making telephone calls and sending messages through applications such as Teams. 

All calls made from and to a given telephone extension may be logged, recorded and monitored and colleagues should presume no privacy at any time. 

Although voicemail is password protected, an authorised administrator can reset the password and listen to voicemail messages if required to do so.

Do:

  • Use Authorised Tools: Always use approved audio-conferencing tools like Teams to arrange meetings. 
  • Join External Meetings Properly: When joining meetings hosted by external parties, use their conferencing tools as usual. If you need help, contact the IT Service Desk.
  • Share Information Carefully: Only share information if you are certain about the recipient's identity, their entitlement to the information, and their readiness to receive it.
  • Validate identities: Modern tools allow attackers to convincingly impersonate others, for example during remote job interviews. If you have doubts, verify the identity of the person you are speaking to. IT can provide guidance on the best practices for doing this.

Don’t:

  • Avoid Voicemail Risks: Do not leave voicemail messages containing personal information without first considering the potential security and confidentiality risks.
  • Record calls other than in compliance with the Bank’s call recording guidance.

4.9    Bank Devices

Do not remove or alter the tags on Bank equipment as these tags uniquely identify it. 

Report any damaged tags to the IT Service Desk.

4.10    Travelling Outside the UK with Bank Devices

You may occasionally need to take Bank-owned devices outside of the UK so you can access the Bank’s network for work while on official work trips overseas, or where you want to use a device while on holiday.

This must be requested via the IT Service Desk Portal so that IT can ensure that the device is appropriately protected whilst abroad.

Information Security maintains a Veto List based on Foreign Office travel advice and National Cyber Security Centre (NCSC) guidance.

Requests to work from these destinations will be rejected. Devices seen in these countries during monitoring will be isolated from the corporate network, and the associated accounts will be disabled without warning.

Devices that have been to vetoed countries will require complete inspection, sanitisation, and potentially, destruction.

Do:

  • Align with policy: Refer to the Temporarily Working Outside the UK Policy on the Intranet.
  • Check Government advice: Check the Foreign Office travel advisory before travelling.
     

Don’t:

  • Bank assets: Take a Bank device or work materials out of the UK without permission

4.11    Use of Bluetooth Connected Devices

Do not use Bluetooth data-sharing functionality to transfer files, either from paired equipment onto the Bank network or a Bank device, or from the Bank network or a Bank device to paired equipment.

Colleagues can share the internet connection from their Bank phone for connectivity when travelling.

4.12    File and Document Storage

Bank laptops are configured to use Microsoft OneDrive to synchronise files stored on your Desktop and in your Documents folder to the Cloud. 

Documents stored in SharePoint or OneDrive are also accessible from Bank mobile phones. See Appendix 5 for guidance.  

Do:

  • File storage: Use OneDrive, SharePoint or the G:\ drive to securely share, store and collaborate on files and documents.
  • Ask for assistance: Contact the Service Desk for advice if you have any issues with your files.

Don’t:

  • Put information at risk: Store files or information anywhere other than SharePoint, OneDrive or G:, as other locations are not backed up.

4.13    Personal Data on Bank Devices

When using Bank devices, colleagues are likely to have access to personal data in relation to other individuals including other colleagues. 

The Bank has a separate Data Protection Policy relating to the appropriate handling of personal data.

Do:

  • Align with policy: Check the Bank’s Data Protection Policy before sharing any such personal data. Contact the Bank’s Data Protection Officer if you have any concerns or need further guidance. 
  • Protect your data: Store any such personal data in your OneDrive.

Don’t:

  • Put information at risk: Allow anyone else to have any access to your Bank devices.

4.14    Personal Devices

The Bank does not support a full Bring Your Own Device (BYOD) policy – that is, the Bank does not allow you to use personal devices for Bank work except in exceptional circumstances where this has been specifically configured. 

When you are using a personal device for other purposes, apply the following principles.

Do:

  • Use the correct network: Access ‘Guest Wi-Fi’ when on Bank premises.
  • Access web services: Access web services for which you have your own login credentials (for example, Diligent).

Don’t:

  • Use the incorrect network: Use ‘BBB Corp – Wi-Fi’ from personal devices.
  • Compromise the Bank’s security: Connect any personal device to the Bank network using your Bank login credentials (username and password).
  • Put information at risk: download (or allow anyone else to download) any Bank information, emails or documents onto a personal device. 
  • Record calls. Calls must only be recorded in your work Teams account and in compliance with the Bank’s call recording guidance.

4.15    Removable Media

Authorised encrypted removable media (USB sticks) are available via the IT Service Desk. 

The IT Service Desk logs serial number, content, date issued, issued to and date returned.

Do: 

  • Ask permission: Submit a request to the IT Service Desk if you need to use removable media.

Don’t: 

  • Ignore guidelines: Use personal removable media, unless you have obtained specific authorisation from the Chief Operating Officer (or an appropriate delegate) via a request to the IT Service Desk.

4.16    Use of Artificial Intelligence (AI)

Colleagues are permitted to use AI in alignment with the Bank’s policies and guidance.

Microsoft Copilot, provided by our enterprise technology partner Microsoft, is our preferred choice; colleagues may use other tools provided they follow the guidance below.

Do

  • Only use a Bank device: If you access an AI tool through a browser, use Microsoft Edge.
  • Follow Government guidance: Follow the Government Security Group’s guidance on the use of ChatGPT.
  • Register with Bank Email: If using online Generative AI (GenAI) tools, register for an account using your Bank email address.
  • Validate outputs: Don’t assume that what AI tools provide is accurate. Always check the accuracy of the information provided.
  • Report Concerns: Raise a Risk Incident if you are concerned that a disclosure may have occurred.
  • Seek Guidance: Contact the Data and Information Governance Team if you are unsure.

Don’t

  • Avoid Personal and Sensitive Data: Do not input personal data or data classified above OFFICIAL level into any online Generative AI tool.
  • Non-Work Use: Do not use CoPilot, ChatGPT (or any other GenAI tool) for non-work-related activities on a Bank device, or to generate inappropriate content for work.

4.17    Use of Music Streaming Services

Access to music streaming services via a Bank provided laptop is allowed, providing that your use is reasonable, and you follow the principles below.

Do:

  • Be reasonable: Keep your use of personal music streaming to a reasonable level.
  • Protect the Bank: if using a Bank device, only use a browser-based version of the service.
  • Seek guidance: Consult your line manager for guidance on acceptable use.

Don’t:

  • Impact your colleagues: Play loud music in the offices or disturb colleagues.
  • Put the Bank at risk: Sign up to music streaming services with a Bank email address. 

Personal use of the Bank’s IT systems and devices is at your own risk. 

The Bank will not accept responsibility for any loss of information, damages or liability arising from any Bank colleague’s personal use of the Bank’s IT systems and devices.

4.18    Intellectual Property Rights

Intellectual Property (IP) refers to creative work, which can be treated as an intangible asset or physical property. 

IP rights can be found in a wide range of work products, including research reports, inventions, improvements, discoveries, software design, software coding, charts, drawings, specifications, notebooks, tracings, photographs, negatives, draft or final reports, findings, recommendations, data and memoranda. 

Any IP created by or for the Bank, and created by Bank colleagues in carrying out their employment duties, is the property of the Bank.

In your use of the Bank’s IT systems and devices:

Do:

  • Protect the Bank: Be careful to protect the Bank’s intellectual property, and do not misuse that of our customers.

Don’t:

  • Put the Bank at risk: Use or share intellectual property except where it is an authorised and necessary part of your job.
5. Key Requirements - IT Asset Management

IT Asset Management is a key control against our technology infrastructure risk.

Scope:

  • All infrastructure, including network, server, and storage hardware, software, and peripherals.
  • All laptops and associated hardware.
  • All monitors, printers, and scanners.
  • All phones (mobile and smartphones) and portable computing equipment.
  • Projectors, microphones, and video conferencing equipment.
  • Software applications.

5.1    Colleague Responsibilities

  • Colleagues are responsible for the physical security of Bank assets assigned to them.
  • Loss, theft, or damage must be reported promptly and in line with the Bank’s policies and procedures.

5.2    Line Manager Responsibilities 

  • Follow the Joiners, Movers and Leavers (JML) process in line with HR Guidance. 
  • Request new assets in advance through the JML process. 
  • Ensure leavers are aware that they need to return their assets to IT in line with HR policies.

5.3    IT Responsibilities

The Infrastructure and Operations team are responsible for IT Asset Management including the following:

IT Asset Governance 

  • Policies and procedures to procure, register, maintain, track, replace and dispose of IT assets.
  • That service providers and colleagues manage and use IT assets in accordance with our policies.

IT Asset Requirements

  • Active IT assets consist of modern, manufacturer-supported hardware.
  • Active IT assets reside in environments in line with manufacturer recommendations and industry best practice, and with current maintenance and support contracts.
  • Regular patching of IT assets to ensure compliance and security best practices.
  • Modifications only by authorised staff.

IT Asset Register

  • Accurate records are maintained from acquisition to disposal, validated by regular audits.
  • Maintained by IT to track assets, including location, owners, and device details.
  • Manages assets for JML.
  • Records decommissioned assets.
  • Tracks active assets until passed to second beneficiaries.

IT Asset Procurement

  • Must follow the Bank’s Supplier Management Policy and Standards.

IT Asset Security

  • IT assets and their information are protected from loss, damage, unauthorised access, or misuse.
  • IT provides securely configured devices.
  • Access is protected in line with the Information Security Standards.
  • Prompt reporting of any IT asset losses, and administration of the approved procedures to prevent any data loss.

IT Asset Disposal Requirements

  • IT updates the asset register on disposal.
  • Secure disposal follows Information Security Standards, approved procedures and legal obligations.

IT Assets to Second Beneficiaries

  • IT engages with parties to re-use assets for charities, schools and other approved beneficiaries.
  • Aligns with carbon reduction and Environmental, Social and Governance (ESG) mission.
6. Key Requirements - IT Disaster Recovery

IT Disaster Recovery (DR) ensures continuity of critical IT services and a quick return to normal operations after disruptions.

This includes restoration of availability in line with agreed Recovery Time Objectives (RTO), and restoration of integrity in line with agreed Recovery Point Objectives (RPO).

6.1    IT Responsibilities

The Infrastructure and Operations team are responsible for IT Disaster Recovery.

Inputs to the IT Disaster Recovery Plan

  • Business Impact Analysis (BIA): Identifies critical activities, and the IT resources required to support them including impact rating, RPO and RTO. IT will define our DR approach in line with BIA.
  • Critical Services: Services without which the Bank cannot function, linked to our Key Processes. Included in the IT DR Plan to ensure they are maintained and can recover to meet RTO and RPO.
  • Dependencies: Internal and external dependencies are identified and included in the runbook and test specifications.
IT Disaster Recovery Governance

  • IT DR Plan Documentation: Identifies and documents critical services, responsibilities, and resources needed to maintain/recover operations during disruptions and is updated following the annual BIA refresh.
  • Managed Service Recovery Plans: Developed with Managed Service Partners for services under their responsibility; vendor-provided services require regular IT DR testing assurance.
  • ‘As a Service’ Vendor Assurance: Our contracts for critical services will stipulate vendors regularly test their IT DR capabilities for services delivered ‘as a service’ and provide DR plans, DR testing reports, and compliance certifications or audits from third party companies.

Invocation of the IT Disaster Recovery Plan

  • Coordinated under IT Major Incident Management: IT DR will be invoked as part of IT Major Incident Management (MIM). IT MIM ensures a coordinated response across internal and external technical teams, according to tested and repeatable processes.
  • Executed by the Emergency Response Team (ERT): A cross-party team established to support IT MIM by responding efficiently to IT Disaster Recovery scenarios with skilled personnel.

Links to Strategic Recovery and Incident Management Plan

  • Incident Notification: The Business Resilience Director or deputy is informed of all PI incidents to consider whether the IRT needs to be invoked.
  • MIM Input: A senior MIM representative provides input if the IRT is invoked.

External Engagement

  • Critical Partners: Critical partners are engaged in the definition, maintenance, execution, and testing of the IT Disaster Recovery Plan.
  • Risk and Compliance: Ensure corrective action is taken where the Bank falls outside of risk appetite, through the Risk Management Framework and by supporting funding requests, driving through improvements, or other means in line with the Bank’s processes.

Measuring compliance of the IT DR Plan with the IT DR Policy

  • Regular Exercises: Ensures the plan remains valid and incident response is rehearsed in a controlled environment.
  • Testing Frequency: Monthly, quarterly, and annual tests cover key areas like file restoration, host failures, UPS capability, and connectivity.
  • Validation and Retests: Test reports are validated by IT Governance, with retests conducted as needed.

Storage of the IT Disaster Recovery Plan

  • SharePoint Repository: The plan is stored in the IT Infrastructure and Operations SharePoint repository with the Test Governance documentation.
  • Partner Copies: Copies are also held by partners responsible for supporting the plan’s delivery.

6.2    Business Resilience Team Responsibilities

  • Business Impact Analysis: Annual review and refresh of the Business Impact Analysis.
  • Invoking the Incident Response Team: Liaising with a Core Member of the Incident Response Team (IRT) to decide if the IRT is to be invoked during a major/critical incident where the IT DR Plan is invoked.

6.3    Managed Service Partners Responsibilities

  • Providing technical expertise: Managed Service Partners are responsible for defining, maintaining, and executing the IT Disaster Recovery Plan for the services they oversee.
  • Collaborating with stakeholders: Managed Service Partners must work closely with other stakeholders to ensure the effective execution of the IT Disaster Recovery Plan.

7. Non-Compliance

This policy sets out what the Bank expects from all colleagues using IT systems and devices, to work effectively and to support the Bank’s reputation.

Your compliance with this policy is mandatory.

Any breach of this policy may lead to disciplinary action, which could result in dismissal.

The Bank actively monitors compliance with this policy.

Breaches of this policy are reported via the Risk Incident Portal on the Bank Intranet and assessed by the Policy Owner to determine what action is required.

This may include disciplinary action in accordance with the Bank’s Disciplinary Policy.

Failure to comply could expose the Bank and its partners to out-of-tolerance risk in the delivery of resilient IT services.
8. Aligned Policies, Standards, and Procedures

Policies

  • Information Security Policy
  • Supplier Management Policy
  • Data Protection Policy
  • Code of Conduct
  • Disciplinary Policy and Procedure
  • Business Resilience Policy
  • Temporarily Working Remotely Outside the UK Policy

Standards

  • IT Outsourcing
  • INFSC07 Secure Asset Sanitisation and Disposal Standards
  • Information Classification and Handling Standard
  • Social Media Standards
  • Backup & Restore Standards.docx

Procedures

  • System Development Lifecycle (SDLC)
  • Cyber Incident Response Plan
  • Major Incident Management (MIM)
  • BBB IT Disaster Recovery Plan v5.4.docx
  • Disciplinary Policy and Procedure
  • Strategic Recovery and Incident Management Plan (SR&IMP)

Other

  • Code of Conduct
  • Ops Charter
  • IT Handbook
  • IT Critical Services by Key Process (Draft)
  • Risk Management Framework
9. Policy Controls

Library Reference | Control Title | Description
C_LIB_KP_04_10 | Disaster Recovery Test Assurance | To ensure effective recovery if a disaster occurs.
C_LIB_IT_02_3 | IT Asset Management | Ensure that IT Assets are available, secured and tracked through their lifecycle via the Bank’s IT Asset Register.
C_LIB_KP_04_9 | IT Disaster Recovery Plan | To maintain the Bank’s systems and processes, at a minimum level, during a disruptive incident and facilitate a recovery (return to ‘normal’ operations) as soon as possible.
C_LIB_IT_03_1 | Monitoring and Event Management - business applications | Critical business applications are monitored appropriately; issues are escalated and responded to in a timely manner.
C_LIB_IT_02_2 | Monitoring and Event Management - infrastructure | Critical infrastructure is monitored, and issues are escalated and responded to in a timely manner.
C_LIB_IT_02_4 | Service Resilience (Disaster Recovery) | Critical Services have successful Service Resilience tests in line with the Plan.
C_LIB_IT_01_4 | Technology Policy, Procedures and Standards | Define repeatable controls to be consistently implemented across the Bank.
C_LIB_IT_01_2 | Technology Management Systems and Applications | Technology tools used to manage and monitor the estate, e.g. JIRA, CMDB.
C_LIB_CM_01_10 | System Development Lifecycle (SDLC) | Standardised processes to ensure Technology meets the requirements of the business.
C_LIB_IT_03_2 | Support Model in place for all business applications | Ensure business applications are made up of components that are always up to date.
C_LIB_IT_02_1 | Support Model in place for all infrastructure | Ensure infrastructure services are made up of components that are always up to date.
C_LIB_CM_01_5 | Awareness of Change Enablement Process and Procedure | To ensure the IT change process and procedure is followed.
C_LIB_IS_04_1 | Privileged Access Management | Protect against unauthorised access to IT assets and information, and ensure access rights are managed appropriately.
C_LIB_IT_01_1 | IT Strategy | Technology has a documented strategy, aligned to the business plan and updated annually, which provides a roadmap of work required across the IT estate, including material outsource arrangements, change programmes, lights-on activities and the budgets aligned to each.
C_LIB_IT_03_3 | Application Suitability | Colleagues have access to the applications needed to fulfil their roles and deliver the Bank’s objectives.
C_LIB_IT_01_3 | MI and Reporting | To provide relevant and timely reporting and MI for the effective management of systems, services and resources across the IT estate.
C_LIB_CM_02_2 | Monthly IT Budget Review Meetings with Finance | To review the IT budget monthly to track spend against the agreed budget.

10. Definitions

Non-Standard Request

Request for a new IT service or technology that is not currently provided by the Bank.

IT Incident

An event resulting in degradation or interruption of an IT Service. It should be reported to the IT Service Desk via the IT Portal.

IT Disaster Recovery

IT Disaster Recovery ensures that the availability and performance of a service are maintained at sufficient levels in case of a disaster.

It provides a framework for building organisational resilience with the capability of producing an effective response that safeguards the interests of key stakeholders and the organisation’s reputation, brand, and value-creating activities (Source: Axelos ITIL v4).

Recovery Time Objectives (RTO)

The maximum acceptable amount of time for restoring a network or service and regaining access to data after an unplanned disruption.

Recovery Point Objective (RPO)

The maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to the Bank.

Encryption Key

A unique code designed to unscramble and decipher encrypted data. Each key is tied to a specific encryption scheme, which makes each key unique and difficult to replicate.

Cloud Services

Some of the software used at the Bank is provided by a cloud services provider ‘as a service’ over the Internet, rather than being hosted by us in our data centres.

There are several types (see below); the option chosen depends on cost, availability, applicability, and maturity of existing solutions.

Software-as-a-service

A service like SharePoint.

Here the Bank doesn’t run servers or write software, but IT is responsible for backing up our data, controlling access and other administrative tasks.

Platform-as-a-service

Such as Microsoft Azure App Service, used by software developers to create web-based applications.

The Bank isn’t responsible for the servers or platform software here, but is responsible for the code.

Infrastructure-as-a-service

Physical hardware for which the Bank isn’t responsible (e.g. cooling, heating or power); the Bank is responsible for the operating systems on the virtual servers, and the software running on them.

Generative AI (GenAI)

Generative AI models use neural networks to identify the patterns and structures within existing data to generate new and original content.

Enterprise Technology

The Bank’s core systems for communication and collaboration (MS Windows, O365, Teams), data storage (MS Azure), system integration (MS Power Platform, Azure Functions), Information Security (MS Sentinel, Defender), access management (MS AD and Entra), IT Service Management (Atlassian Jira), data sharing (ShareFile).

Appendix 2: Scope Definitions

Category | Colleagues | Employees
Permanent Employees (full or part time) | Yes | Yes
Fixed term contract employees (FTC) | Yes | Yes
Apprentices | Yes | Yes
Interns | Yes | Yes
Secondees - out | Yes | Yes
Secondees - in | Yes | Yes
Board Members (executive directors) | Yes | Yes
Non-executive directors (NEDs) | Yes |
Contractors | Yes |
Temps | Yes |
Professional Service | Yes |