What Is an Acceptable Use Policy?

Acceptable use policy explained: what an AUP covers, common rules for company laptops and phones, and why staff sign one when equipment is handed out.

AMPthilly Updated

An acceptable use policy (AUP) is a document that sets out how employees may use company equipment, networks, and data - and which uses are prohibited. It is the agreement behind every handed-over laptop and phone: the organisation provides the kit, and the user accepts the rules that come with it. Because most of that kit is a data-bearing device, the AUP is as much about protecting data as protecting hardware.

What an AUP covers

The typical policy addresses, in plain language:

  • Equipment care and custody - the device stays with the named holder, gets reported promptly if lost, damaged, or stolen, and comes back at the end of employment.
  • Permitted and prohibited use - whether reasonable personal use is allowed, and the hard bans: illegal content, harassment, unlicensed software, side businesses on company kit.
  • Security behaviour - locking screens, not sharing credentials, not disabling protections, not plugging in unknown drives.
  • Data handling - what may be stored locally, what must stay in approved systems, and what may never leave the organisation.
  • Monitoring and consequences - what the employer may inspect or log, and what happens when the rules are broken.

Common rules for laptops and phones

The clauses that earn their keep are the boring ones. No personal cloud accounts for work files - because that is where data goes missing when someone leaves. No family members using the work laptop - because “my kid installed it” is a real incident category. Report damage immediately rather than at return - because a cracked screen discovered eleven months later is unattributable. And return the device itself, not a factory-reset shell: wiping is the organisation’s job, done through proper data sanitization, so that evidence and data are handled deliberately rather than destroyed by a well-meaning leaver.

Why staff sign at equipment handover

An AUP works through acknowledgement. The standard pattern: the policy is signed during onboarding, at the same moment the laptop, phone, or toolkit changes hands, so the rules and the responsibility start together. The signature does two jobs - it makes the rules enforceable, and it removes the “nobody told me” defence. The handover record matters as much as the signature; in AMPthilly, checkouts capture who received which asset and when, with returns logging condition and notes, which pairs naturally with a signed AUP kept on file.

The AUP at end of employment and end of device

The policy’s last clauses bite at exit. Equipment is returned and inspected against the handover record; anything unreturned is chased while the leaver is still reachable. Returned devices then leave AUP territory and enter disposal territory: data is sanitized or the device is routed through IT asset disposition (ITAD), with destruction evidenced rather than assumed. A good AUP states plainly that company data on personal devices is deleted at exit too - the clause everyone forgets until it matters.

Common mistakes

  • One policy for every audience. Office staff, field engineers, and contractors use equipment differently; a single generic AUP fits nobody.
  • Unfindable signatures. A signed AUP that cannot be located three years later might as well not exist.
  • Rules with no handover trail. “You are responsible for your equipment” is unenforceable if nobody recorded what equipment they actually have.
  • Set-and-forget. An AUP that predates remote work, or the tools people actually use, gets ignored - and selectively ignored policies are the hardest to enforce.
