When one thinks of policy documents, one tends to think of long, dull documents, hardly intelligible and written in legalese. Actually, for the most part, policy and standards documents can be short statements that avoid sub-clause hell.

One such category of policy regards internal content and data, that is to say, employees interacting with content and data published internally for them to hold, access and use. Rather than having one over-arching policy document which requires updating in its entirety, it is better to publish a series of shorter policy documents or statements that are clearly titled and have clarity of purpose. Then ensure that your employees have digitally complied by confirming they have read the latest version. Orchestra Read & Comply™ allows you to publish these policies quickly and then monitor the levels of employee compliance as an outcome. Simply emailing policies out to employee distribution lists can be a scattergun approach which will not help reinforce compliance.

The following internal content policies are some of the key ones that your organisation should consider publishing to all employees:

Privacy Policy – tied directly to GDPR requirements, all organisations must seek to publish a comprehensive Privacy Policy which outlines the organisational commitment to respecting the privacy of all employees. The policy should establish how personal information is protected at all times. It should set out what information is collected, where it is stored and what it is used for. The policy should also set out how the employee can obtain a copy of all personal information that is held. It is an employee’s responsibility to comply with how personal information is stored, accessed and used, particularly those in sensitive personnel-based and security roles. However, it is the responsibility of all employees to ensure that they understand how the Privacy Policy affects them and why it is important.

Corrections and Amendments Policy – published content can and will change periodically, if not frequently. Traditional intranets, for example, are notorious for not remaining wholly accurate with the content they present. It is an employee’s responsibility to understand that information may not always be 100% accurate or may be amended, and they must make all efforts to check and keep up to date. Following incorrect procedures or using the wrong processes because they rely on advice from ‘John in the corner’ is no excuse. Organisations should seek to make a statement that they attempt to establish and meet high standards of content accuracy, but that corrections may and will be required occasionally and that employees should take this into account.

Brand, Trademark and Copyright Policy – there are a variety of common names for this policy, including Brand Policy and Copyright and Quote Policy. This policy should clearly set out what is subject to trademark and copyright, where employees may find brand assets (templates, logos, images) that can be used internally, and how they may be used externally and in what circumstances. Just as importantly, all employees must be helped to understand what they may or may not use and publish regarding the organisation’s brand and logos in social media channels and using other external services.

Use of Technology Policy – often published by an IT department but potentially now from a business division due to the easy availability of cloud services, this policy should clearly define how content is accessed using technology, what technology is made available and what can and cannot be stored or accessed through specific internal systems. For example, you may need to establish whether an employee can use the business email system for personal communications. It is also useful to define rules for mobile access, browser support, remote working and screen resolutions.

Fraudulent Communications Policy – in the modern technology age, internet and online fraud is an ever-present danger, as are hacking and intellectual property/content theft. It is the responsibility of each employee to ensure that the organisation, its assets and content remain protected from outside threats. This important policy should set out what the common threats may be and how an employee should respond. For example, outside entities may attempt to contact a person and gain their trust before requesting that company information is shared. Communications may include company branding and images to try to represent agents, partners, known bodies or even other divisions of the company itself. This policy will clarify what an employee must do if they suspect fraud or an attempt to gain access to internal organisational content without permission.

Some organisations will treat such policies as ‘common sense’ and avoid detailing what employees can and cannot do in writing. Furthermore, they will not be able to demonstrate who has received or read what. Therefore, what employees actually understand is largely a matter of conjecture. This may be a serious mistake because the inference is that all employees have exactly the same level of awareness and understanding and know precisely what they can and cannot do. It is far simpler not only to agree how an employee engages with organisational content through policy publication but also to guide them as to what to do when questions arise. When auditing occurs, it is then far simpler to provide a Read and Comply report to demonstrate how internal content compliance has occurred and to what levels.