Acceptable use of assets policy

Published: 09 October 2024
Freedom of information class: How we manage our resources

The RoS policy outlining acceptable use of information technology and systems.


1. Purpose and scope

1.1 The purpose of this policy is to ensure that Registers of Scotland (RoS) maintains its commitment to protect information assets by providing governance on the acceptable use of information technology (IT) and systems.

1.2 The scope includes the security and use of all our information systems and IT equipment, as well as the use of email, internet, voice and mobile devices.

1.3 This policy applies to all employees, contingent workers, and third-party suppliers (hereafter referred to as ‘individuals’).

1.4 This policy is subordinate to our overarching Information security policy.

2. Acceptable use

2.1 IT equipment and information systems are provided to allow individuals to perform their roles on behalf of the organisation. In doing so, all individuals are responsible for using information, equipment and systems in line with the requirements of their role, and in line with the required behaviours and conduct set out in the Civil Service Code.

Individuals must follow the policies and procedures which we publish and operate when using information, equipment and systems, and that use must be in line with the following:

2.1.1 Access to systems and information

Access to and use of our IT systems must follow the Access control policy.

2.1.2 Use of internet, email and telephony

We permit limited personal use of our technologies where this does not affect the individual’s business performance. All such activities must remain compliant with all information security policies.

Where RoS equipment has been used to store personal user information:

  • We cannot guarantee the availability or integrity of non-business data
  • We reserve the right to remove non-business data if it is found to breach information security policies or where it impacts the performance of the equipment.

2.1.3 Clear desk and clear screen

We operate a clear desk and screen procedure which all individuals must comply with. This procedure also applies when working from home or non-office locations.

2.1.4 Working off-site

Hybrid working, and working away from our office locations, is now a regular occurrence. Individuals who make use of hybrid or remote working practices are required to read and comply with our procedures regarding remote access to digital systems and personal device use.

Individuals must not attempt to access the RoS network from outwith the UK, or take RoS-owned IT equipment outside of the UK. Any attempts to access RoS resources from outside the UK, using a RoS device or otherwise, are automatically blocked, and trigger security incidents which are fully investigated. Where exceptional circumstances require it, requests for such access or use can be pre-approved by a Director and must trigger a relevant service request to enable access.

2.1.5 Removable/portable storage devices

The use of removable or portable storage devices such as memory sticks, CDs, DVDs and removable hard drives is strictly prohibited without prior authority from IT Security. This includes any peripheral hardware with a data storage capability (for example, a printer or scanner).

2.1.6 Software authorisation and installation

Only authorised software is permitted to be installed on our IT equipment, and installation must be carried out, or authorised, by our IT Enablement function.

2.1.7 Security technologies

Individuals must not attempt to subvert any virus or malware protection, monitoring tools, or other security technologies operating on our IT equipment and information systems unless explicit prior authorisation by IT Security has been granted.

2.1.8 Actions upon termination of contract

As per employee and contingent worker agreements, all RoS IT equipment and information must be returned to IT Enablement at termination of contract, following the formal leavers' processes.

2.1.9 Unacceptable use

Appendix A sets out examples of unacceptable use – this list is not exhaustive.

3. Rights and expectations

3.1 All information created using our IT equipment and information systems is the property of RoS. Individuals should have no expectation of individual data privacy in respect of their use of these systems.

3.2 Wherever possible, Registers of Scotland (RoS) will avoid opening and accessing colleagues' personal emails and/or files held within RoS email accounts and/or held on RoS IT equipment and information systems, but retains the right to do so, in line with relevant legislation, should the need arise.

3.3 The user activity of individuals is continuously monitored to support system security and operations, and to protect against misuse. Where there is reasonable suspicion of a breach of our policy, disciplinary investigation or action may result.

3.4 All monitoring activity follows audited processes and is carried out in accordance with the relevant legislation and regulation, including the UK Data Protection Act 2018, the Regulation of Investigatory Powers (Scotland) Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

4. Roles and responsibilities

4.1 All RoS employees and contingent workers are bound by the commitments of this policy, and:

4.1.1 Are required to effectively operate the range of procedures and controls which facilitate compliance in practice.

4.1.2 Must report any non-conformance with, or improvement to, policy requirements to the Security Practitioners Working Group (SRA@ros.gov.uk).

4.2 Managers and Team Leads must ensure that all relevant processes, products or services support compliance with this policy.

4.3 The Information Security Group has ownership of this policy and is responsible for enforcing its application.

4.4 The Information Security Assurance Group (ISAG) is accountable for Information Governance, which includes requirements for the protection and handling of RoS Information Assets.

4.5 Frameworks (or Agreements) must be in place to ensure that all partners within a supply chain are aware of the policy requirements and understand their responsibilities for compliance.

4.6 This policy should be part of the publication scheme. Internally all employees must be made aware of the policy, and it must be a mandatory read for all employees and contingent workers working for RoS.

5. Digital accessibility

5.1 RoS can authorise the use of digital accessibility tools in instances where such assistance is required. Support and advice are available through discussion with the Employee Enablement team.

6. Approval and review

6.1 This policy will be reviewed and approved by the Information Security Assurance Group annually, unless earlier review is appropriate.

Author: Information assurance advisor
Reviewed: Director of policy and corporate services and accountable officer
Cleared: Director of people
Approval: Information security assurance group (ISAG)
Approval date: July 2024
Policy version: V 3
Review responsibility: Information security assurance group (ISAG)
Review date: July 2025
Publication scheme: Yes
Email to contact: SRA@ros.gov.uk