Employee handbook

Acceptable use of IT policy

Section 1: Purpose and scope

Introduction

This policy sets out the Scottish Parliamentary Corporate Body’s (SPCB) position on the use of the Information and Technology (IT) provided by the SPCB.

This includes:

  • the data and files you have access to, and
  • the equipment you use to access them
  • wherever the information is accessed, and whatever equipment is used.

It is the responsibility of all users of the SPCB’s IT systems and resources to read, understand and comply with this policy. This policy may be updated from time to time and is reviewed in accordance with the Digital Services Governance Framework Policy Review schedule, and any changes will be communicated to IT systems users.

What are the aims of the policy?

The aims for this policy are:

  • to help keep the equipment and software – and the data we access via that equipment and software – as secure as possible.
  • to ensure equipment and software purchased by the Parliament is used for legitimate purposes.
  • to be clear on the circumstances and boundaries around when Parliament equipment and software can be used for non-Parliament purposes.

Who is this policy for? 

This policy applies to anyone:

  • who has been authorised, and given credentials, to log on to the Parliament network or any IT system and resources used by the Parliament. 
  • who has been issued IT equipment, including PCs, laptops, tablet devices and mobile phones, to help them carry out parliamentary business and duties. 

This includes Members, their staff, SPCB staff and colleagues engaged by the SPCB i.e. contractors, secondees, etc.

Why is it important?

The SPCB provides Information and Technology systems and resources to support the efficient and effective delivery of Parliamentary business and duties. We need a policy so that everyone understands what is, and what is not, permissible when accessing and using information and technologies to help in carrying out their role at the Parliament. This is to avoid inadvertent and/or accidental misuse of information, or equipment. It also outlines the consequences if that misuse is not accidental.

The Parliament’s Digital Services team strives to ensure that the information and technology used at the Parliament is available when needed and kept as safe as possible. 

It is the responsibility of everyone to maintain the security and integrity of that information. We do this by treating it with respect and not sharing it with those who are not permitted to see that information, even if they also have a role at the Parliament.

What equipment and systems are covered by the policy?

Any equipment issued by the Parliament should be used for the purpose of carrying out parliamentary business and duties, during and outside of the typical working hours for your role. This applies to:

  • any IT hardware (PCs, laptops, mobile phones, devices etc.) or software made available to you by the SPCB.
  • any information and data you have access to as part of your role. This can be e-mails, documents, financial information, reports, and any other information that you may be able to access on Parliament systems.
  • use of the internet - including access to tools and software provided by third parties that you access via the internet 

Section 2: Key requirements

Inappropriate use of equipment and systems

The SPCB’s Information and Technology systems and equipment must not be used for the creation, transmission, downloading, browsing, viewing, reproduction or accessing of any image, material or other data of any kind which is illegal or otherwise unacceptable to the SPCB.

Unless there is a clear business justification, this includes, but is not limited to:

  • material in breach of copyright, online gambling, a false statement about any person or organisation, chain letters etc.
  • material of a sexually explicit nature including messages, images, cartoons or jokes (including nude or partially dressed people).
  • anything which may harass, bully, or discriminate against any individual or group.
  • sharing personal data of an individual which breaches any reasonable expectation that the personal data is received in confidence or that contravenes data protection legislation.
  • material which is, or is potentially, defamatory and/or material which is likely to cause embarrassment to the Parliament.
  • material which is likely to introduce viruses or other unauthorised software into the SPCB’s, or anyone else’s, IT systems.
  • material which is concerned with your own commercial enterprise or which conflicts with the interests of the SPCB.
  • material which unnecessarily disrupts the work of colleagues.

You are not permitted to:

  • download or use any software or applications from the internet or install or use any software, applications or hardware from home on Parliament IT systems and equipment, unless such activity has been approved by Digital Services. If you require any business-related software or require to access internet systems for business use, please raise an IT Work Request via the intranet.
  • access or attempt to access anyone else’s e-mail account without their permission. In emergency cases, the appropriate manager may request access to a staff member’s mailbox for business reasons.
  • create or transmit junk mail or unsolicited commercial e-mails.
  • browse, access or use any internet site in any manner which breaches its published terms and conditions.
  • download or store any material without reading and complying with any copyright or license restrictions.
  • store any copyright material (e.g. audio or video files, installation files) on the SPCB’s IT systems if it is not directly related to the business of the Parliament.
  • use removable media (e.g. USB memory sticks) without permission from Digital Services. If you think the use of removable media is essential, then please seek advice and guidance on the safe and secure use of removable media and how best to securely transfer files from the IT Helpdesk.
  • attempt in any way to subvert restrictions or security controls on SPCB systems or gain access to information you are not authorised to access. It is important to be aware that knowingly or recklessly obtaining, retaining or disclosing personal data could amount to a criminal offence.
  • attempt to connect any unauthorised device to the Parliamentary network.
  • use a non-parliament VPN, proxy avoidance or anonymization software or connect to what is commonly referred to as the “dark web.”
  • attempt to monitor, intercept, divert, copy, modify or delete any data on the SPCB’s IT systems except through the use of authorised software in the normal conduct of your duties and in accordance with SPCB policy and applicable law. It is important to be aware that the alteration or deletion of information containing personal data could amount to a personal data breach resulting in action being taken against the data controller (i.e. SPCB, or individual Members) by the Information Commissioner’s Office (ICO).
  • in accordance with existing policy on Use of Parliamentary Resources, it is not acceptable to use our IT systems and IT equipment for any party-political purposes.
  • you must take all reasonable steps to ensure that you do not knowingly allow a virus or malware to affect the SPCB’s IT systems and that no viruses are transmitted by you to any third parties.

If you have any doubt as to whether a particular activity is or is not permissible, you should consult the IT Helpdesk on 0131 34 (86100) or by e-mail to [email protected] before acting.

Equipment and passwords

You are responsible for any action carried out when logged into a device or system using your Parliament-issued IT account. We all must take reasonable steps to ensure we do not unnecessarily compromise the security of the Scottish Parliament's information, technology and associated assets.

To avoid misuse, it is important to do the following:

  • lock your device(s) so that it requires a password, PIN or biometric authentication to resume operation.
  • comply with the SPCB’s Password Policy.
  • never divulge your password, PIN or other credentials to anyone else (including Digital Services staff).
  • never attempt to log on to or use an IT account that has not been assigned to you.
  • ensure your screen is not overlooked if working in a public area (ask the IT Helpdesk about a screen privacy filter if required).
  • protect IT equipment issued to you from theft by ensuring it is physically secured in your absence.
  • if you have been issued with a mobile device to help fulfil your parliamentary duties then you must comply with the SPCB’s Mobile Device Policy.
  • return equipment issued by the SPCB promptly when required for operational reasons or when your working relationship with the Parliament ends.

Can I use mobile messaging services other than Teams?

The primary corporate communication channels provided centrally by the SPCB are Microsoft Teams and email. These channels are managed to ensure that they are secure, maintain appropriate privacy requirements, are trustworthy, meet our records management requirements and have taken into account relevant data protection and freedom of information legislation. Parliament Staff must not use other channels for corporate communication without seeking approval from Digital Services. 

E-mail etiquette and content

E-mail is not necessarily a secure means of transmitting information. There are risks that it may be intercepted, copied and widely distributed and/or inadvertently sent to the wrong recipient(s).

The commercial and legal effects of sending and receiving e-mails are the same as any other form of written communication. The style, tone and content of e-mails have a direct effect on the way the SPCB, and indeed the Parliament itself, is perceived by others. E-mails can contractually bind the SPCB, and any commercial advice, opinion, guarantee, representation or other statement contained in an e-mail may be relied upon by third parties.

You are not permitted to:

  • send e-mails which make representations, contractual commitments or any form of legally binding statement concerning the SPCB unless you have specific authority to do so.
  • conduct Parliamentary business using a personal e-mail account or messaging service.
  • use the Parliament email system to contact any organisations (including the SPCB and Members) in a personal capacity as this may be misinterpreted as a formal contact from the Parliament.

It is your responsibility to ensure that appropriate records are retained in accordance with the SPCB records retention schedule, including records of any commercial or legally binding e-mails which are sent during SPCB business.

For SPCB staff and colleagues employed by the SPCB, such e-mails must be captured in the document and records management system.

Problem e-mails

All e-mail transmitted via the SPCB network is automatically scanned for viruses and malicious software. However, no security software can be guaranteed to be 100% effective. Therefore, please beware of all unsolicited e-mails and e-mails from unknown sources.

If you are suspicious, do not open or run any attached file or forward any message. Instead, please contact IT Helpdesk on 0131 34 (86100) or by e-mail to [email protected] if you have any concerns.

The following provides advice on what to do if you encounter a problem e-mail. If you:

  • receive an unacceptable e-mail from someone, you should speak with your line manager in the first instance if you are Members' staff, SPCB staff or employed by the SPCB.
  • receive junk mail, unsolicited commercial or advertising materials, you should delete them immediately, without replying or forwarding these on. Do not click on any "unsubscribe" link as this may simply confirm to the sender that your e-mail account is active.
  • access a website following a link in an e-mail which you subsequently realise takes you to a malicious or inappropriate website, you should immediately close your browser and report the matter to the IT Helpdesk on 0131 34 (86100). Such access will not be considered a breach of this policy if you do this, and the incident will be registered to ensure no further action is taken.

Personal use of information and technology systems and equipment 

All use of mobile devices is governed by the SPCB’s Mobile Devices Policy.

The SPCB requires that use of its systems and equipment, by you, is primarily and predominantly to help you carry out your role in relation to Parliament. You may, however, use the systems and equipment for limited non-business use if you do so in your own time, for example, on your lunch break or before or after work. You may also use these systems to deal with brief, important, personal matters so long as this does not interfere with the completion of your work. 

It is recognised that there may be an occasional need to make short, important, personal calls using IT systems. 

In the case of SPCB staff this is allowed so long as this does not interfere with the completion of work or disturb colleagues. No one, however, may make personal use of international calls, unless: 

  • they are working abroad on official business;
  • they have a business need to make an international call; or
  • they will make arrangements to reimburse any cost incurred for the calls.

Can I use personal IT equipment to access parliamentary IT systems?

The SPCB provides equipment to access parliamentary IT systems, but personal equipment may be used in certain circumstances and users should contact the IT Helpdesk for advice.

Digital Services may require the installation of mobile device management or other security software where personal IT equipment is used in order to protect the confidentiality and integrity of our data. We may also require the use of particular software or applications to access our data in order to maintain security and to comply with licensing requirements.

Section 4: Monitoring use of Information and Technology systems

The SPCB’s IT systems can automatically record information regarding access and activity carried out using those systems. Such activity can be attributed to individual users. Monitoring of use is only carried out to the extent permitted or as required by law and as necessary and justifiable for business purposes.

For legitimate business reasons, or in order to carry out their legal obligations in their role as an employer, Digital Services, on behalf of the SPCB, may review these records to ensure the SPCB’s practices, policies and procedures are being followed.

The SPCB reserves the right to review activity on Parliament systems, retrieve the contents of messages, or to check searches which have been made on the internet for the following purposes (this list is non-exhaustive):

  • to ensure the secure and effective operation of the SPCB’s IT systems.
  • to assist in the investigation of alleged wrongful acts and in accordance with the relevant disciplinary procedures.
  • to comply with any legal obligation. 

For SPCB staff, if you are absent from work, or in the event of an emergency, it may be necessary to check your e-mail inbox to ensure that business mail items are dealt with appropriately in your absence. This will only be done if authorised by your manager in writing to the IT Helpdesk. Members may request access to the mailbox of the staff they employ should they be absent from work or in an emergency to ensure the effective conduct of business.

Section 5: Breach of Policy

If it is suspected that the SPCB’s IT systems are being used for any illegal purpose, these concerns will be reported to Police Scotland or any other relevant authority without regard to the employment status of the person(s) involved or the nature of their role in relation to the Parliament.

Any misuse or abuse of SPCB’s systems and equipment or inappropriate use of the internet will be fully investigated and dealt with in accordance with the relevant Codes of Conduct and disciplinary procedures. 

Members and their staff:

  • for MSPs, the Code of Conduct for MSPs applies.
  • for MSP staff, your employer follows the terms of this policy. Any alleged breach will be investigated and dealt with in accordance with your employer's disciplinary procedures.

SPCB and contracted staff:

  • for SPCB, the Parliament’s disciplinary procedures apply.
  • if you are a contractor and you are found to be in breach of this policy, this will be reported to the contract manager and your services may be terminated under the terms of the contract.

Information we hold about identifiable individuals (“personal data”) is protected by data protection legislation currently contained within the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Any use or transfer of personal data (externally or internally) must be in accordance with certain legal restrictions. Please refer to our Data Protection Policy for further details.

In accordance with existing policy on Data Breach, the SPCB understands that a data breach can include, for example:

  • access by an unauthorised third party.
  • deliberate or accidental action or inaction by a controller and processor.
  • sending personal data to an unintended or wrong recipient.
  • devices being lost or stolen.
  • unauthorised alteration of personal data.
  • unauthorised sharing of personal data.
  • loss of availability or corruption of personal data.

Members and their staff:

  • please refer to Guidance and FAQs. If you require further help and advice on data protection, please contact the Information Management and Governance Team at: [email protected]

SPCB and contracted staff:

  • if you are aware of or concerned about a data breach you should alert your line manager to the incident or near miss.
  • contact the Data Breach Team immediately.

For further information please contact: IT Helpdesk on 0131 34 (86100) or by e-mail to [email protected].

(Last updated: November 2025)