
Written by Policy Pros, UK Policy Writing Specialists at Policy Pros
Computer Equipment Policies for UK Organisations
Computer equipment policies outline how employees should use, care for and return company-provided technology such as laptops, monitors, mobile phones and accessories. In an era where hybrid and remote working have become standard practice, these policies are more important than ever. They help ensure that all IT equipment is used responsibly, securely and in a way that supports both operational needs and data protection requirements under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Why Every UK Business Needs a Computer Equipment Policy
A computer equipment policy is not merely a document about hardware. It sits at the intersection of several legal and regulatory obligations that UK employers must address. The Health and Safety (Display Screen Equipment) Regulations 1992 require employers to assess and reduce the risks associated with display screen equipment (DSE) workstations, including those used at home. This means employers must carry out workstation assessments for habitual DSE users, provide information and training on correct posture and usage, and arrange for eye tests and corrective appliances where necessary.
From a data protection perspective, the UK GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. A computer equipment policy supports this by establishing clear rules around device security, encryption, access controls and the handling of data on portable devices. Without such a policy, organisations risk data breaches that could lead to ICO enforcement action and fines of up to £17.5 million.
The Companies Act 2006 also imposes duties on directors to promote the success of the company, which includes safeguarding company assets. An equipment policy that covers asset tracking, responsible use and return procedures helps directors demonstrate due diligence in protecting organisational resources.
Acceptable Use of Company Computer Equipment
An acceptable use section should clearly define what employees may and may not do with company-provided technology. This typically covers the following areas:
- Equipment must be used primarily for business purposes and in accordance with the organisation's values and legal obligations
- Employees must not install unauthorised software, access prohibited websites or use equipment for illegal activities
- Any use of company equipment for personal purposes must comply with the organisation's personal use policy (see below)
- Employees must not attempt to bypass security controls, disable antivirus software or connect to unsecured networks
- All use of company equipment may be monitored in accordance with the organisation's monitoring policy, which must itself comply with the UK GDPR and the Investigatory Powers Act 2016
Acceptable use policies should be written in plain language and communicated to all staff as part of induction. Employees should acknowledge receipt and understanding, ideally through a signed declaration or digital acceptance.
Personal Use Policy
Most organisations permit limited personal use of company equipment, provided it does not interfere with work duties, compromise security or create legal liability. A personal use policy should address:
- Whether personal use is permitted and, if so, to what extent (for example, limited personal browsing during breaks)
- Restrictions on storing personal files on company devices
- The organisation's right to access and review all data on company equipment, including personal data, in certain circumstances
- Prohibition on using company equipment for running a personal business or engaging in activities that could bring the organisation into disrepute
Clarity in this area prevents disputes and ensures employees understand that company equipment remains the property of the organisation at all times.
Asset Register Requirements
Maintaining an accurate IT asset register is both a governance necessity and a requirement under the Cyber Essentials scheme published by the National Cyber Security Centre (NCSC). The asset register should record:
- The make, model and serial number of each device
- The employee or department to whom it is allocated
- The date of issue and expected replacement date
- Software licences installed on each device
- The physical location of the device (office, home, or mobile)
- Any peripherals or accessories issued alongside the main device
A well-maintained asset register supports financial reporting, insurance claims, lifecycle management and audit compliance. It also enables the IT team to respond quickly to security incidents by identifying which devices may be affected.
Software Installation Rules and Cyber Essentials Compliance
Under the Cyber Essentials framework, organisations must control which software is installed on their devices. This is one of the five core technical controls that the scheme requires. A computer equipment policy should state that:
- Only software approved by the IT department may be installed on company devices
- Employees must not download or install applications from untrusted sources
- All software must be licensed and recorded in the asset register
- Unnecessary or end-of-life software must be removed promptly
- Application whitelisting or other technical controls should be implemented where feasible
These controls reduce the risk of malware infections, software vulnerabilities and licensing non-compliance. For organisations seeking Cyber Essentials or Cyber Essentials Plus certification, documented software management procedures are essential. Our IT security policies provide comprehensive coverage of these requirements.
Patch Management Obligations
Patch management is another of the five Cyber Essentials controls and a critical element of any equipment policy. Organisations must ensure that:
- Operating systems and firmware are kept up to date with the latest security patches
- Patches rated as critical or high severity are applied within 14 days of release, as required by the Cyber Essentials scheme
- Automatic updates are enabled where possible
- Devices that can no longer receive security updates (end-of-life products) are removed from the network or isolated
- A schedule of patch management activities is maintained and reviewed regularly
Failure to patch known vulnerabilities is one of the most common causes of cyber security incidents. The NCSC regularly publishes advisories on critical vulnerabilities, and organisations that fail to act on these risk both regulatory sanction and reputational damage.
Equipment Return and Secure Disposal
When an employee leaves the organisation or changes roles, or when equipment reaches end of life, the policy must set out clear return and disposal procedures. Under the UK GDPR, organisations remain responsible for personal data stored on devices, even after those devices are no longer in active use. Key requirements include:
- All equipment must be returned on or before the employee's last working day
- The IT department must verify that all company data has been backed up before the device is wiped
- Devices must be securely wiped using approved data destruction methods (such as those meeting the NCSC's guidance on secure sanitisation)
- Where devices are physically destroyed, this must be carried out by a certified disposal provider and documented with a certificate of destruction
- Any equipment donated or recycled must be fully sanitised to prevent data recovery
Failure to securely dispose of equipment containing personal data constitutes a data breach under UK GDPR and can result in ICO enforcement action. Organisations should maintain records of all disposals as part of their accountability obligations.
Remote Working Equipment Provision
The shift to remote and hybrid working has created new obligations for employers. Under the Health and Safety (Display Screen Equipment) Regulations 1992, employers must assess home workstations for habitual DSE users. The policy should address:
- What equipment the organisation will provide for home working (laptop, monitor, keyboard, mouse, chair)
- Whether a home workstation assessment is required before equipment is issued
- Arrangements for the delivery, collection and maintenance of home-based equipment
- Insurance coverage for equipment used outside the office
- Security requirements for home networks, including the use of VPNs, encrypted connections and secure Wi-Fi passwords
- The employee's responsibility for the care and safekeeping of equipment at home
Employers should also consider whether to offer a financial contribution towards home office setup costs or to provide equipment directly. Whichever approach is taken, it must be documented in the policy and applied consistently. For further guidance on remote working security, see our remote access policy page.
How Policy Pros Can Help
At Policy Pros, we write computer equipment policies that are tailored to your organisation's size, sector and working arrangements. Whether you need a standalone acceptable use policy, a comprehensive IT asset management framework or a full suite of IT security policies aligned with Cyber Essentials, we can help. All our documents are written in clear, professional language and are fully referenced against current UK legislation and best practice standards. Get in touch to discuss your requirements or request a quote.