SecurityPolicy.com.au
Home/ Australia/ Policy Library/ Acceptable use policy
Australia Policy Library Policy template Reviewed 2026-07-12

Acceptable use policy: a practical guide for Australian businesses

14 days
Standard prior surveillance-notice period in NSW and the ACT
Annual
ASD minimum review cadence for cyber security documentation
26 Aug 2025
Right to disconnect start date for small-business employees
Why this guide exists

Monitoring, personal use, AI tools and dismissal consequences recur across Australian workplace forums. Governance and review-cadence questions appear less often, but are critical implementation gaps.

What is an acceptable use policy, and does my business actually need one?

An acceptable use policy is the user-facing rulebook for company systems, accounts, devices, networks, internet access, email, data and approved online services. It tells employees, contractors and other authorised users what they may do, what they must not do and what they must report. There is no single national statute requiring every private business to use a document with this exact title, but monitoring laws, privacy duties, employment law, contracts and industry frameworks can make clear written rules practically or legally important. The AUP should sit under the master information security policy: the master policy sets governance and risk principles, while the AUP translates them into day-to-day behaviour.

How this differs by situation
  • business with employees, contractors or volunteers — Use one policy for every person who can access company systems or information, not only permanent employees.
  • organisation using the ASD Information Security Manual — The ISM expressly calls for a system usage policy and a separate general-purpose AI usage policy.
PUT THIS IN YOUR POLICY, EXACTLY

This policy applies to every employee, contractor, labour-hire worker, volunteer and other person authorised to use the organisation’s systems, accounts, devices, networks, data or online services. Users must use those resources only for authorised, lawful and reasonable purposes, follow all related security requirements, protect company and third-party information, and promptly report suspected loss, misuse, compromise or unauthorised disclosure.

What must it contain — the non-negotiable sections?

At minimum, state the policy’s purpose, scope, covered people and assets, allowed and prohibited use, access and password rules, personal-use limits, and rules for email, web, messaging, software, cloud services, personal accounts and devices. Add data handling, file transfers, removable media, remote work, AI tools, monitoring and logging, incident reporting, exceptions, ownership, review and consequences. Be specific about what is logged and who may access logs where workplace-surveillance law requires that detail. Also align after-hours contact and device expectations with the Fair Work right to disconnect rather than implying that a work phone creates permanent availability.

How this differs by situation
  • NSW or ACT workforce — Add a compliant surveillance notice and the computer or data-surveillance details required by the applicable Act.
  • business with annual turnover of $3 million or more, or another Privacy Act-covered entity — Link the AUP to privacy obligations for personal information, including information entered into AI systems.
PUT THIS IN YOUR POLICY, EXACTLY

This policy covers company and approved personal devices, user accounts, passwords and authentication, networks, internet and email, messaging and collaboration tools, software and cloud services, file transfers and removable media, remote access, social media, artificial intelligence tools, monitoring and logging, incident reporting, personal use, after-hours use and policy breaches. Any activity not expressly permitted must be approved in writing by the Policy Owner before it occurs.

What does the law require (surveillance-notice law, Fair Work enforceability)?

In NSW, employee surveillance generally requires prior written notice at least 14 days before it starts, unless a shorter period is agreed, and computer surveillance must follow a notified employer policy the employee can reasonably be assumed to understand. In the ACT, notified workplace surveillance generally also requires 14 days’ written notice, good-faith consultation, and a data-surveillance policy stating permitted and prohibited computer use, what is logged, who may access it and how compliance is monitored. Other states and territories have different and more fragmented surveillance and privacy rules, so a national employer should not assume one generic clause is enough everywhere. Under Fair Work principles, a clear policy breach may be a valid reason for discipline or dismissal, but the employer still needs a lawful and reasonable rule, evidence, proportionality and a fair process.

How this differs by situation
  • New South Wales — Apply Workplace Surveillance Act 2005 sections 10 and 12 before commencing employee computer surveillance.
  • Australian Capital Territory — Apply Workplace Privacy Act 2011 sections 13, 14 and 16, including consultation and detailed logging disclosures.
  • other Australian states and territories — Check local surveillance-devices, privacy, listening-device and employment laws before relying on the policy.
PUT THIS IN YOUR POLICY, EXACTLY

The organisation may conduct lawful, proportionate monitoring of company systems, accounts, devices, networks and services for security, compliance, operational, investigation and legal purposes. Monitoring will only be conducted in accordance with applicable Commonwealth, state and territory law and any required prior notice or consultation. This policy does not authorise covert, unlimited or otherwise unlawful surveillance. A breach may result in proportionate action, but no outcome is automatic and the organisation will follow applicable employment law and a fair process.

Who owns it, and who has to sign it off?

Give the policy one accountable owner with authority to keep it current and answer exceptions, usually the security, IT or risk lead. The business owner, chief executive or delegated executive should approve it; in an ISM-aligned organisation, ASD assigns approval of organisational cyber security documentation to the CISO. HR should review employment, discipline, consultation and right-to-disconnect wording, while privacy or legal advisers should review surveillance and personal-information clauses. Users normally acknowledge receipt and agreement rather than approve the policy, although consultation may be legally required before surveillance in the ACT or under an award, agreement or workplace change process.

How this differs by situation
  • small business without a CISO — The owner or chief executive remains accountable and may nominate the IT provider or senior manager as Policy Owner.
  • ISM-aligned organisation — Organisational-level cyber security documentation is approved by the CISO; system-specific documentation is approved by the system authorising officer.
PUT THIS IN YOUR POLICY, EXACTLY

Policy Owner: [role]. Approver: [owner, chief executive, board or delegated executive]. The Policy Owner is responsible for implementation, questions, exceptions, training, monitoring of effectiveness and review. HR must review employment and disciplinary provisions, and suitably qualified privacy or legal advice must be obtained before introducing or materially changing workplace surveillance.

How does it actually get used by the team?

Issue the policy before granting access, explain it during induction and require a recorded acknowledgement. Train people with real examples: personal browsing, forwarding files, USB use, installing software, personal cloud storage, phishing, AI prompts and after-hours contact. Put the rules into technical controls and daily workflows instead of relying on a hidden PDF, and give users a simple route for approvals, exceptions and incident reporting. Re-communicate material changes and retain the version, approval, acknowledgement and training records.

How this differs by situation
  • business using employees, contractors and labour-hire workers — Include every user group in induction, access provisioning, acknowledgement and offboarding.
  • remote or hybrid workforce — Use scenario training for home networks, personal devices, shared workspaces, cloud file transfer and after-hours separation.
PUT THIS IN YOUR POLICY, EXACTLY

Access to company systems and information is conditional on the user receiving this policy, completing required training and acknowledging that they understand and will comply with it. Users must ask the Policy Owner before taking an action they are unsure about and must immediately report suspected mistakes, security events, loss, unauthorised access or disclosure. The organisation will notify affected users of material policy changes and may require renewed acknowledgement or training.

How does it cover AI tools like ChatGPT and Copilot?

Name the approved AI tools, approved account types and permitted use cases rather than saying only that staff may use AI responsibly. Prohibit users from entering confidential, personal, sensitive, client, credential, security, commercially sensitive or legally privileged information into public or unapproved tools. Require human review for accuracy, bias, harmful content, copyright, confidentiality and decision impacts, and state when AI use must be disclosed or recorded. Keep an AI register, assign accountability and provide an immediate reporting path for accidental prompts, uploads or disclosures.

How this differs by situation
  • Privacy Act-covered business — The APPs apply when the business handles personal information through AI, including collection, use, disclosure and accuracy.
  • business adopting general-purpose AI — Use an approved-tool list, use-case assessment, AI register, human oversight and incident process.
PUT THIS IN YOUR POLICY, EXACTLY

Users may only use artificial intelligence tools, accounts and use cases approved by the organisation. Unless expressly authorised for a protected enterprise service, users must not enter or upload personal information, sensitive information, confidential or client information, credentials, source code, security details, commercially sensitive material or legally privileged content. AI output must be checked by a competent person before it is relied on, sent, published or used to make or support a decision. Any accidental input, upload or disclosure must be reported immediately.

How often must it be reviewed — and what triggers an off-cycle review?

There is no universal statutory review interval for every Australian private-sector AUP, but ASD says cyber security documentation should be reviewed at least annually and carry a current-as-at date. Review sooner after a security or privacy incident, a repeated breach, an audit finding, a legal or regulatory change, a business restructure, or the introduction of new monitoring, AI, cloud, BYOD, remote-access or removable-media technology. Material changes must be approved, version-controlled and communicated to affected users. In NSW or the ACT, changing or starting surveillance may also require fresh notice and, in the ACT, consultation before the changed surveillance begins.

How this differs by situation
  • ISM-aligned organisation — Review at least annually and record the current-as-at date.
  • NSW or ACT employer changing surveillance — Assess whether a new notice period, revised policy and ACT consultation are required before implementation.
PUT THIS IN YOUR POLICY, EXACTLY

The Policy Owner must review this policy at least annually and whenever there is a material change to law, technology, business operations, workforce arrangements, monitoring, artificial intelligence use, information handling or threat conditions. An off-cycle review is also required after a material incident, audit finding, repeated breach or control failure. Every approved version must show its approval date, current-as-at date, owner and next review date, and material changes must be communicated before they take effect.

The common gaps and red flags?

Common gaps are vague scope, no distinction between company and personal accounts or devices, unclear personal-use limits, and silence on cloud storage, messaging, USB devices, remote work and AI. Legal red flags include claiming unlimited monitoring, treating a signature as blanket consent, failing to give NSW or ACT surveillance notice, and promising automatic dismissal for every breach. Operational red flags include a policy nobody has read, rules that conflict with actual technical settings, no approval or exception process, and no route for reporting honest mistakes. Also avoid wording that assumes employees must monitor work devices at all hours, because the right to disconnect now applies across national-system workplaces.

How this differs by situation
  • multi-state employer — Use a national core policy plus jurisdiction-specific surveillance notices or schedules.
  • small business with informal IT practices — Document personal-use, personal-account, device, file-transfer and AI boundaries instead of relying on unwritten expectations.
PUT THIS IN YOUR POLICY, EXACTLY

Nothing in this policy gives the organisation an unlimited right to monitor a person, device, account or communication. Monitoring, access to records and use of evidence must be authorised, necessary for a legitimate purpose, proportionate, restricted to appropriate personnel and conducted under applicable law and notice requirements. Possession of a work device or account does not, by itself, require a user to monitor or respond to contact outside working hours.

What happens when someone breaches it?

First contain the security, privacy or operational risk: disable access where necessary, preserve evidence and involve the incident-response or privacy process. Then investigate impartially, tell the person the substance of the allegation, give them a reasonable opportunity to respond and consider intent, seriousness, actual harm, training, consistency and prior conduct. Outcomes can range from coaching, retraining or a warning to access restrictions, formal discipline or dismissal. A breach can be a valid reason for dismissal, but it does not remove the need for a lawful, proportionate and procedurally fair decision.

How this differs by situation
  • small business employer under the Fair Work Act — Check the Small Business Fair Dismissal Code and obtain advice before dismissal.
  • business with an incident-response plan — Run containment and evidence preservation through the incident process before deciding employment consequences.
PUT THIS IN YOUR POLICY, EXACTLY

Suspected breaches will be assessed according to their nature, seriousness, intent, risk, actual or potential harm, the user’s training and prior conduct, consistency with comparable cases and any mitigating circumstances. The organisation may take proportionate action including guidance, retraining, removal of access, a warning, disciplinary action or termination of employment or engagement. No outcome is automatic. The user will be informed of the substance of the allegation and given a reasonable opportunity to respond before a final disciplinary decision, except where immediate protective action is reasonably necessary.

What's my next step?

Common misconceptions

  • A signed acceptable use policy lets an employer monitor anything, anywhere and for any purpose. INFERRED
  • A policy breach automatically makes a dismissal fair. VERIFIED
  • The Privacy Act is a complete national workplace-surveillance code. VERIFIED
  • The right to disconnect makes every out-of-hours message unlawful. VERIFIED
  • A small business without an IT department does not need written system-use rules. INFERRED
  • Blocking public ChatGPT access is a complete AI governance program. INFERRED
  • An annual review date means the business can wait until next year after introducing new surveillance or AI tools. INFERRED

Obligations at a glance

The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.

OBLIGATION REGULATOR TRIGGER TIMEFRAME PENALTY
NSW prior written workplace-surveillance notice NSW Government; offences are dealt with summarily by the Local Court An employer proposes camera, computer or tracking surveillance of an employee while the employee is at work in NSW. Generally at least 14 days before surveillance starts; a shorter period may be agreed, and relevant new employees must be notified before starting work.
NSW computer-surveillance policy NSW Government; offences are dealt with summarily by the Local Court An employer conducts computer surveillance of an employee at work in NSW. The surveillance must follow an employer policy notified in advance so the employee can reasonably be assumed to be aware of and understand it.
ACT notified-surveillance notice and consultation WorkSafe ACT An employer proposes notified surveillance of a worker in an ACT workplace. Generally at least 14 days' written notice and good-faith consultation for not less than the notice period; relevant new workers must be notified before starting. Maximum 20 penalty units for failure to comply with section 13 notification requirements; the dollar value of a penalty unit changes over time.
ACT data-surveillance policy WorkSafe ACT An employer uses a data-surveillance device to monitor a worker in an ACT workplace. Before surveillance, the worker must be notified of a policy they can reasonably be assumed to understand; the policy must state computer-use rules, logged information, who may access it and how compliance is monitored. Maximum 20 penalty units for failure to comply with section 16; the dollar value of a penalty unit changes over time.
Fair Work right to disconnect Fair Work Ombudsman and Fair Work Commission An employee refuses to monitor, read or respond to employer or third-party contact outside working hours. Applied from 26 August 2024 for employees of non-small businesses and from 26 August 2025 for employees of small-business employers.
Fair process for disciplinary action Fair Work Ombudsman and Fair Work Commission An employer proposes disciplinary action or dismissal because of an alleged policy breach.
Privacy Act obligations for AI handling of personal information Office of the Australian Information Commissioner An organisation covered by the Privacy Act collects, uses, discloses or otherwise handles personal information through an AI system. Ongoing while selecting, testing, deploying and using the AI system.

Sources

  1. Guidelines for personnel security primary
  2. Guidelines for cyber security documentation primary
  3. Guidelines for media primary
  4. Workplace privacy best practice guide primary
  5. Right to disconnect primary
  6. Managing performance and warnings primary
  7. Conduct primary
  8. Workplace Surveillance Act 2005 No 47 primary
  9. Workplace Privacy Act 2011 primary
  10. About WorkSafe ACT primary
  11. Workplace monitoring and surveillance primary
  12. Guidance on privacy and the use of commercially available AI products primary
  13. Guidance for AI adoption: implementation guidance primary
  14. Using a Work Laptop for Personal Use forum
  15. Laptop monitoring forum
  16. Is anyone watching our Teams chats? forum
  17. Accidentally shared sensitive info and this triggered IT alert forum
  18. How often do you use Chatgpt for work? forum
  19. Used Porn on company laptop forum
  20. Has anyone actually been let go for using a work laptop for non-work purposes? forum
Not legal advice

This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.