Acceptable Use & Device Management Policy
Version: 2.2; 8 December 2021
Why Do We Need a Device Management and Acceptable Use Policy?
This document details the Device Management and Acceptable Use Policy related to all electronic devices that are used by Lush staff and within the Lush environment. This policy details behaviours and device usages that are acceptable, as well as those classified as unacceptable because they do not match Lush ethics, or they place Lush, its staff, customers, and their data at preventable risk.
What Is Covered by the Lush Device Management and Acceptable Use Policy?
This policy relates to any electronic devices, equipment or networks supplied, accessed, leased, used or owned by Lush for the delivery of Lush business. This includes, but is not limited to, physical devices such as computers, printers, tills, tablets, and phones. This covers all devices, regardless of whether they give access to internal Lush systems and networks, external third-party systems, online or cloud-based services, the internet, or downloaded applications. Where devices make connections to networks or services not provided by Lush, such as unrestricted WIFI networks, these are also within the scope of this policy.
Lush is committed to protecting its employees, customers, partners and the wider Lush network from illegal or damaging actions by individuals. All Lush colleagues and contractors are responsible for ensuring that any Lush device is only used in a professional, ethical and lawful manner.
This policy outlines a number of basic requirements to encourage data privacy and device security awareness.
How Do I Look After My Lush Devices?
Lush staff and third-party contractors that have been provided with Lush administered device, are responsible for following best-practice steps (to ensure the security and safety of the device and systems and data it accesses or stores), such as:
- using encryption, passwords or pins where they are available
- not displaying equipment in isolated or dangerous places
- storing equipment safely and in secure locations
- the removal, encryption and secure storage of any confidential or personal identifiable data (of customers, staff, or any person)
- ensuring that no unauthorised persons have use of or access to the device whilst it is in their care, locking devices when they are not in use
- when using a USB or similar external storage device, making sure that this device is encrypted and regularly scanned for viruses
- timely updates of authorised software
- clearing and removing cookies, browser history and documents downloaded on regular basis
- reporting lost or stolen device to your manager and Digital Services Team
Using Lush Google Licences
Every member of permanent staff has been given a Google Licence in order to facilitate better connection with different areas of the business. The Google Licence includes an Lush-administered Gmail account, which gives staff a secure way to communicate with one another and to access Lush systems and documentation.
Your Google Licence must:
- be used to access Lush documentation on Lush’s Google Drive
- be used to complete any relevant Lush-administered training or surveys
- be used for Lush communications and emails
- be used to post/access Lush’s Google Communities
Your Google Licence must not:
- be used for personal reasons
- be used to store personal documents
- be shared with other Lush users
- be shared with non-Lush users
Is There Anything I’m Not Allowed to Do?
Each member of staff that uses a Lush device, the Lush network or any Lush system, is responsible for ensuring that these resources are used ethically, and not used for anything that is:
- discriminatory or harassing
- derogatory to any individual or group
- obscene, sexually explicit or pornographic
- defamatory or threatening
- illegal or contrary to Lush’s ethics, policies or business interests
Lush also believes that Lush staff, departments and third-party contractors should respect the confidentiality of other individuals’ electronic devices and communications. It is therefore unacceptable to:
- use other peoples’ logins or passwords
- access the emails of another person without their consent
- monitor or intercept the files or communications of other Lush staff, customers, or third-parties
- hack or obtain unauthorised access to devices, software, systems or networks
- covertly breach or monitor networks and devices
Lush staff, departments and third-party contractors should also be aware that is unacceptable to:
- manipulate communications or records to hide the identity of a user, or to misrepresent a user as an alternate identity
- use Lush administered devices, systems, software and networks in a manner that is likely to cause increased security risks, damage, or congestion
- modify or destroy existing systems, programs, or data by negligence or with the intent of causing harm or disruption to Lush, its ethics, its staff, its customers, or its business operations
- use devices within the Lush environment to transfer any data relating to the business, its staff or its customers, without the relevant permission or authorisation. This includes unauthorised statements made on behalf of Lush, its staff and customer, and Lush affiliated groups
- use Lush devices to access video sharing sites that are not directly related to Lush work
Protecting Lush employees, customers, partners and the wider Lush network from illegal or damaging actions by individuals, either knowingly or unknowingly, is a core Lush value, so any breach of the Device Management and Acceptable Use Policy is viewed seriously.