How to write an acceptable use policy
Part of the Managed IT Services in Canada series. Related: What Is a SOC 2 Report; What Is Dark Web Monitoring.
To write an acceptable use policy (AUP), define the purpose and scope, list which systems and devices it covers, spell out permitted and prohibited activities, address security responsibilities and personal use, explain monitoring and privacy, and state the consequences of violations. A good AUP is clear, specific to your organization, signed by every employee, and reviewed at least annually.
What an acceptable use policy is for
An acceptable use policy sets the rules for how employees and contractors may use your company's technology — computers, email, internet, mobile devices, cloud apps, and data. It protects the business legally and technically by establishing clear expectations before something goes wrong.
A well-written AUP does several jobs at once:
- Reduces security risk by banning behaviours that invite malware or data loss.
- Protects you legally if an employee misuses systems or accesses inappropriate content.
- Supports compliance with privacy obligations under PIPEDA and Quebec's Law 25.
- Sets fair, consistent standards so discipline isn't arbitrary.
It's also one of the documents cyber insurers and auditors look for. Without a signed AUP, you have little recourse when someone clicks a malicious link, leaks data, or uses company systems irresponsibly. Think of it as the foundational rulebook your other security policies build on.
The essential sections to include
A complete acceptable use policy doesn't need to be long, but it should cover each of these areas clearly:
- Purpose and scope — why the policy exists and who it applies to (staff, contractors, guests).
- Covered assets — networks, email, devices, software, and cloud accounts.
- Acceptable use — what systems may be used for.
- Prohibited activities — illegal content, unauthorized software, sharing credentials, bypassing security, excessive personal use.
- Security responsibilities — strong passwords, MFA, locking screens, reporting suspicious emails.
- Personal use and BYOD — whether and how staff may use personal devices.
- Monitoring and privacy — what the company may monitor and how.
- Consequences — disciplinary steps for violations.
Tailor each section to how your business actually operates rather than copying a generic template.
Privacy and monitoring under Canadian law
The monitoring section deserves special care in Canada. Employers can monitor workplace technology, but employees retain a reasonable expectation of privacy, and the rules are stricter in some provinces. Under federal PIPEDA and Quebec's Law 25, you must be transparent about what you collect and why.
Your AUP should clearly state:
- What is monitored — email, web activity, system logs, or device usage.
- Why — security, compliance, and protecting company assets.
- That employees consent to this monitoring by using company systems.
Being upfront protects you legally and builds trust. Vague or hidden surveillance can expose you to privacy complaints. If you operate in Quebec, align the language with Law 25's emphasis on transparency and purpose limitation. When in doubt, have the policy reviewed by someone familiar with Canadian employment and privacy law before rollout.
Rolling it out and keeping it current
A policy nobody reads protects nobody. Once your AUP is drafted, implement it properly:
- Communicate it clearly — explain the why, not just the rules, so staff buy in.
- Get a signed acknowledgement from every employee and contractor, and keep records.
- Make it part of onboarding so new hires sign before getting access.
- Pair it with training on phishing and password hygiene to reinforce the rules.
- Review annually or whenever technology, tools, or laws change.
Treat the AUP as a living document. New cloud apps, remote work, and evolving threats all change what acceptable use means. Many organizations work with a managed IT provider to draft, distribute, and maintain the policy alongside the technical controls — MFA, filtering, device management — that actually enforce it. A signed policy plus enforced controls is far stronger than either one alone.
FAQ
Is an acceptable use policy legally required in Canada?
No single law requires an AUP, but it strongly supports compliance with privacy obligations under PIPEDA and Quebec's Law 25, and it's expected by cyber insurers and auditors. More importantly, it gives you a documented basis to act when employees misuse company systems or cause a security incident.
How long should an acceptable use policy be?
Most effective AUPs are two to five pages. The goal is clarity, not length — employees need to actually read and understand it. Cover the essential sections in plain language, and move highly technical procedures into separate supporting documents rather than cramming everything into the AUP.
Should an AUP cover personal devices (BYOD)?
Yes, if employees access company email or data on personal phones or laptops. The policy should state security requirements such as MFA, screen locks, and the company's right to remotely wipe business data. Clear BYOD rules prevent confusion and reduce the risk of data leaving your control.
How often should we update our acceptable use policy?
Review it at least once a year, and immediately after major changes — new software, remote-work shifts, or updates to laws like Law 25. Each time you revise it, have staff re-acknowledge the new version so your signed records stay current and enforceable.