
Email Acceptable Use Policy Writers
What are Email Acceptable Use Policies?
Email acceptable use policies outline the rules for using work email accounts responsibly, securely and in line with organisational and legal requirements.
These policies help protect company systems from misuse, maintain professional standards, and reduce the risk of data breaches or reputational harm caused by inappropriate communications.
What Do Email Acceptable Use Policies Cover?
An email acceptable use policy typically includes:
- Rules for business and limited personal use
- Prohibited content and unacceptable behaviour
- Security measures such as password protection and encryption
- Handling of confidential or sensitive information
- Monitoring and access by the organisation
- Retention, deletion and archiving of email data
- Links to IT security, data protection and disciplinary policies
A clear policy ensures employees understand their responsibilities when using company email, supporting legal compliance and professional communication.
It also helps the organisation demonstrate accountability under data protection laws, particularly when emails contain personal or commercially sensitive information.
By promoting proper use of email systems, businesses can reduce IT security risks, maintain workplace standards and respond appropriately if a breach of policy occurs.
An effective email acceptable use policy supports a secure and respectful digital working environment and forms part of a wider approach to cyber awareness and information governance.
Legal Basis and Standards
Email acceptable use sits across UK GDPR (lawful processing of personal data in email), the Privacy and Electronic Communications Regulations 2003 (marketing communications), the Equality Act 2010 (harassment), the Defamation Act 2013, the Computer Misuse Act 1990, the Investigatory Powers Act 2016 (where employer monitoring is concerned), Cyber Essentials, and ISO 27001:2022 control 5.14 (information transfer).
Common Compliance Pitfalls
- Monitoring of employee email without a documented lawful basis or notified privacy notice.
- Unrestricted auto-forwarding of work email to personal addresses.
- Email retention defaulted to "forever", increasing discoverability and breach risk.
- No external-sender banner on inbound email, weakening phishing defences.
- Marketing email sent without a PECR consent or soft-opt-in basis.
What Policy Pros Delivers
Our Email Acceptable Use Policy package includes the main policy, a monitoring procedure with employee privacy notice, a retention schedule, an external-email banner specification, a marketing email procedure aligned to PECR, an auto-forward control, and integration with the phishing and incident response procedures.
Frequently Asked Questions
Can we monitor employee email?
Yes, if you have a documented lawful basis under UK GDPR, the monitoring is necessary and proportionate, and employees have been told via a privacy notice. Covert monitoring is only lawful in specific investigative contexts.
Is auto-forwarding to a personal email account a breach?
It can be. Auto-forwarding personal data outside the organisation usually breaches UK GDPR Article 32 (security of processing) and is a recurring ICO enforcement theme. Most employers disable auto-forward to external addresses both by policy and by a tenant setting in Microsoft 365 or Google Workspace.
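As an added example, not part of the Policy Pros package, the Exchange Online PowerShell below applies the auto-forward control and external-sender banner described on this page, then audits mailboxes and inbox rules for forwarding that already exists; it assumes the ExchangeOnlineManagement module and an Exchange Administrator role (Google Workspace equivalents are set in the Admin console and are not shown).

```powershell
# Added example (not Policy Pros' material). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds the Exchange Administrator role.
Connect-ExchangeOnline

# 1. Block automatic forwarding to every external domain at the transport layer.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. The outbound spam filter policy also governs auto-forwarding; set it to Off
#    rather than leaving it on "Automatic" so the control is explicit and auditable.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Tag mail from outside the organisation so Outlook shows an "External" marker,
#    the phishing defence the "external email banner" pitfall refers to.
Set-ExternalInOutlook -Enabled $true

# 4. Audit: mailbox-level forwarding (set by an admin or by the user in Outlook settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 5. Audit: inbox rules that forward or redirect messages. The transport block above
#    stops external delivery, but the rules remain and should be reviewed and removed
#    so the policy breach is remediated rather than silently suppressed.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

"Mailbox-level forwarding:"; $mailboxForwarding | Format-Table -AutoSize
"Inbox rules that forward or redirect:"; $ruleForwarding | Format-Table -AutoSize
```

Internal-to-internal forwarding will also appear in the audit output; review it against the policy's permitted-use rules rather than removing it blindly.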
How long should we retain business email?
The default of "forever" is the highest-risk option. Most UK businesses retain general business email for 6-7 years (aligned to the Limitation Act 1980 limitation period for contract claims) and longer for specific categories such as HR records (6 years post-employment) or tax records (HMRC requires 6 years).