IT and Communication Policy

Company Name:

Effective Date:

Policy Owner:

Approved By:

IT Department Head:

1. Purpose & Scope

1.1 This policy governs the use of the Organization's information technology infrastructure and communication systems, including but not limited to email, instant messaging platforms, telephony systems, video conferencing tools, collaboration applications, intranet portals, and file-sharing services. The policy establishes standards for professional, secure, and compliant communication across all channels, ensuring that the Organization's communication practices support operational efficiency while safeguarding information assets and complying with applicable data protection and electronic communications legislation. This policy is aligned with the Organization's information security management system and ISO 27001 requirements.

1.2 This policy applies to all employees, contractors, consultants, temporary workers, interns, and authorised third parties who use the Organization's IT infrastructure and communication systems for business purposes, whether on Organization premises, working remotely, or travelling. The policy covers all communication conducted through Organization-provided systems and accounts, as well as business communications conducted through personal devices or accounts where such communications relate to Organization business. All users are required to acknowledge and comply with this policy as a condition of access to the Organization's IT and communication resources.

1.3 The IT Department Head shall have overall responsibility for the administration, security, performance, and compliance of all IT and communication systems deployed within the Organization. The IT department shall provide technical support to all users, maintain system availability in accordance with defined service level agreements, implement and enforce security controls aligned with this policy, and manage vendor relationships for communication platforms and services. The IT Department Head shall report to the Chief Information Officer on system performance, security incidents, and compliance metrics on a quarterly basis, and shall coordinate with Human Resources on any disciplinary matters arising from policy violations.

2. Email & Messaging Standards

2.1 All business email communications shall be conducted through Organization-provided email accounts using the Organization's approved email platform. Users shall not use personal email accounts, third-party email services, or unauthorised messaging platforms for Organization business, to transmit Organization data, or to communicate with clients, vendors, or partners in a professional capacity. Auto-forwarding of Organization email to personal accounts is strictly prohibited. The IT department shall enforce this requirement through technical controls including data loss prevention rules that detect and block the transmission of sensitive data to external email addresses. Users shall employ Organization-approved email signatures that comply with the corporate branding guidelines and include required legal disclaimers.

2.2 The Organization shall designate approved instant messaging and collaboration platforms as the primary channels for internal real-time communication, team collaboration, and file sharing. Users shall ensure that all messages, posts, and shared content on these platforms maintain professional standards consistent with the Organization's code of conduct. Confidential or Restricted data, as defined in the Organization's Data Management Policy, shall not be shared through messaging platforms unless the platform has been explicitly approved by the Information Security team for the handling of such data classifications. The IT department shall configure approved platforms with appropriate security controls, including encryption in transit and at rest, message retention policies, and access controls. Users shall not use unapproved messaging applications, including personal social media messaging, for Organization business communications.

2.3 Users shall be aware that email and messaging records created on Organization systems are the property of the Organization and may be subject to legal discovery, regulatory review, internal audit, and management oversight. All electronic communications shall be treated as potential business records and users shall exercise professional judgment in their content, tone, and language. Users shall avoid language that could be construed as discriminatory, harassing, defamatory, or legally prejudicial to the Organization's interests. The Organization shall retain email and messaging records in accordance with the Data Retention Schedule, and users shall not delete messages that are subject to a legal hold or regulatory preservation requirement. The IT department shall implement automated retention and archiving policies to ensure compliance.

3. Telephony & Video Conferencing

3.1 Organization-provided telephony systems, including desk phones, softphones, mobile voice services, and unified communications platforms, shall be used for all business voice communications. Personal use of Organization telephony systems shall be limited to brief, incidental calls that do not interfere with business operations or incur significant costs. International calls for business purposes shall be made through the Organization's approved communications platform to ensure cost management and call quality. The IT department shall monitor telephony usage patterns and costs, and shall report any anomalies or excessive personal usage to the relevant department head. Users shall not use Organization telephony systems for any prohibited purpose as defined in the Acceptable Usage Policy.

3.2 Video conferencing and virtual meetings shall be conducted exclusively using Organization-approved platforms that have been evaluated and approved by the IT department and Information Security team for compliance with the Organization's security, privacy, and data residency requirements. Meeting hosts shall use security features including meeting passwords, waiting rooms, and participant authentication where available. Recording of video conferences shall comply with applicable consent laws, and all participants shall be notified before recording commences. Recorded meetings shall be stored in Organization-approved locations, classified according to the Data Management Policy, and retained in accordance with the Data Retention Schedule. The IT department shall provide training on secure video conferencing practices and shall maintain a configuration guide for each approved platform.

3.3 Users shall exercise caution when participating in voice or video communications from public spaces, shared work environments, or remote locations to prevent the inadvertent disclosure of confidential or sensitive information. When discussing Confidential or Restricted matters, users shall use headsets or earphones rather than speakerphone, ensure that screens displaying sensitive content are not visible to unauthorised individuals, relocate to a private room or area where conversations cannot be overheard, and verify that screen-sharing is limited to the intended content before presenting. Users working remotely shall ensure that their home office environment provides adequate privacy for business communications. The Organization shall provide guidance on secure remote communication practices as part of its remote working policy and training program.

4. System Access & Device Management

4.1 Access to IT systems, communication platforms, and data resources shall be provisioned based on the principle of least privilege, ensuring that users are granted access only to the systems, applications, and data necessary for the performance of their assigned job duties. Access provisioning shall follow a formal request and approval process managed through the IT service desk, with approval from the user's line manager and, for systems containing Confidential or Restricted data, the relevant data owner. The IT department shall conduct access reviews at least quarterly to verify that user access rights remain appropriate and shall promptly revoke or modify access when an employee changes role, transfers department, or leaves the Organization. Privileged access accounts, including system administrator and root accounts, shall be subject to enhanced controls including multi-factor authentication, session logging, and periodic certification by the IT Department Head.

4.2 All Organization-issued computing devices, including laptops, desktops, tablets, and mobile phones, shall be configured by the IT department in accordance with approved security baselines that include operating system hardening, full-disk encryption, endpoint protection software, automated patch management, and remote wipe capability. Users shall not alter device configurations, disable or circumvent security software, install unauthorised applications, or connect unauthorised peripheral devices without prior written approval from the IT department. Lost or stolen devices shall be reported to the IT Help Desk immediately, and the IT department shall initiate remote lock and wipe procedures within 1 hour of receiving the report. The IT department shall maintain an asset register of all Organization-issued devices and shall conduct a physical inventory reconciliation at least annually.

4.3 Upon termination of employment, expiry of contract, or completion of engagement, all IT access rights shall be revoked by the IT department on or before the individual's last working day, unless an earlier revocation is required due to disciplinary circumstances or security concerns. The departing individual shall return all Organization-issued devices, including laptops, mobile phones, security tokens, access badges, and any storage media, to the IT department in accordance with the offboarding checklist. The IT department shall verify that all Organization data has been removed from any personally owned devices used under the BYOD program. The departing individual's email account shall be disabled on the last working day, and an auto-reply or forwarding arrangement shall be configured for a period determined by the individual's manager, not to exceed 90 days. The IT department shall coordinate the offboarding process with Human Resources to ensure that access revocation is completed for all systems simultaneously.

5. Compliance & Policy Review

5.1 The IT department, in coordination with the Internal Audit function, shall conduct periodic audits of IT and communication system usage to ensure compliance with this policy. Audits shall assess email and messaging compliance, access control effectiveness, device management adherence, telephony usage, and video conferencing security practices. The audit program shall include both automated monitoring through technical controls and manual reviews of a representative sample of user activity. Audit results shall be compiled into a formal report and presented to the IT Department Head and, where material violations are identified, to the Head of Human Resources for disciplinary consideration. Departments with recurring compliance gaps shall be required to implement corrective action plans within 30 days.

5.2 Any violation of this policy, whether by act or omission, shall be subject to disciplinary action proportionate to the nature and severity of the violation. Disciplinary measures may include restriction or revocation of specific IT and communication privileges, mandatory retraining on the relevant policy provisions, formal written warning, suspension from employment, or termination of employment. In cases involving suspected criminal conduct, such as unauthorised access to systems, data theft, or distribution of illegal content, the Organization shall report the matter to the appropriate law enforcement authorities. All disciplinary actions shall be documented in the individual's personnel file and coordinated between the IT department and Human Resources.

5.3 This policy shall be reviewed comprehensively at least once every 12 months by the IT Department Head, in consultation with the Information Security team, Human Resources, Legal Counsel, and relevant business stakeholders. Reviews shall assess the policy's effectiveness in addressing current technology trends, evolving communication practices, emerging security threats, and changes in applicable legislation. Interim reviews shall be triggered by the deployment of new communication platforms, significant security incidents, regulatory changes, or organizational restructuring. Amendments shall be approved by the Chief Information Officer, communicated to all users at least 14 calendar days before the effective date, and acknowledged by all users through the Organization's compliance management system. A version history shall be maintained as an appendix to this policy.

What Is an IT and Communication Policy?

An IT and communication policy is a formal document that governs how an organization's information technology infrastructure and communication systems are used by employees, contractors, and authorised third parties. It covers email, messaging platforms, telephony, video conferencing, collaboration tools, and the IT systems that support them.

This policy serves as a bridge between the organization's information security policies and day-to-day employee behavior. While a cyber security policy focuses on technical controls and threat protection, the IT and communication policy addresses how people use the tools and systems provided to them. ISO 27001 requires organizations to define acceptable use of information and communication technology as part of their information security management system.

The scope of an IT and communication policy typically includes email standards and etiquette, instant messaging and collaboration platform usage, telephony and video conferencing guidelines, system access provisioning and de-provisioning, and device management procedures. It applies to all communication conducted through organization-provided systems, and may extend to business communications conducted through personal devices or accounts.

Why Your Organization Needs an IT and Communication Policy

An IT and communication policy ensures that your organization's technology resources are used securely, professionally, and in compliance with applicable laws. Without clear guidelines, employees may expose the organization to data breaches, legal disputes, or reputational damage through inappropriate use of communication systems.

Email and messaging systems are primary vectors for data loss and security incidents. Research from Tessian indicates that misdirected emails alone account for a significant portion of data breach incidents reported to regulators. A documented policy that establishes email standards, prohibits the use of personal accounts for business communications, and requires professional standards in all electronic communications directly mitigates this risk.

From a legal perspective, electronic communications created on organization systems are business records that may be subject to discovery in litigation, regulatory review, and internal audits. Employees who understand this are more likely to exercise professional judgment in their communications. A policy that clearly states the organization's retention practices and the business record status of electronic communications protects both the organization and its employees.

The policy also ensures consistent system access management. By defining formal provisioning and de-provisioning procedures, the policy prevents access creep, ensures timely revocation when employees leave, and maintains an auditable trail of who has access to what systems and why.

Key Components of an IT and Communication Policy

An effective IT and communication policy addresses four key areas that together govern how technology and communication tools are used within the organization.

The first area is Email and Messaging Standards. This defines the approved platforms for business communication, prohibits the use of personal accounts for business purposes, establishes professional standards for electronic communications, and addresses email retention and legal discovery considerations.

The second area is Telephony and Video Conferencing. This covers the use of organization-provided voice and video communication tools, recording policies and consent requirements, and security practices for remote and public-space communications.

The third area is System Access and Device Management. This defines how access to IT systems is provisioned and revoked, the principle of least privilege, device configuration and security baseline requirements, and offboarding procedures for departing employees.

The fourth area is Compliance and Enforcement. This establishes the audit and monitoring program, defines consequences for policy violations, and sets the review cycle to ensure the policy remains current with technology changes and regulatory developments.

How to Implement This IT and Communication Policy

Implementing this IT and communication policy requires coordination between IT, Human Resources, Legal, and business unit leaders.

Step one: audit current practices. Before implementing the policy, assess how your organization currently uses email, messaging, telephony, and collaboration tools. Identify any gaps between current practices and the standards defined in the policy, and prioritise the areas that carry the highest risk.

Step two: configure technical controls. Work with your IT department to enforce the policy's requirements through technical controls, including email data loss prevention rules, approved application whitelists, access provisioning workflows, device security baselines, and automated de-provisioning for departing employees.

Step three: train all employees. Conduct a training session that covers the key provisions of the policy, with particular emphasis on email and messaging standards, the business record status of electronic communications, and the organization's monitoring practices. Include practical examples of compliant and non-compliant behavior.

Step four: integrate with onboarding and offboarding. Ensure that the policy is included in the onboarding program for all new hires and that the IT access provisioning and de-provisioning procedures defined in the policy are integrated into the HR offboarding workflow.

Step five: monitor and audit. Implement the monitoring and audit program defined in the policy, including regular reviews of access rights, email compliance spot checks, and device configuration audits. Report audit results to the IT Department Head and address compliance gaps through targeted training.

Frequently Asked Questions

What does an IT and communication policy cover?

An IT and communication policy covers the use of email, messaging platforms, telephony, video conferencing, collaboration tools, and the IT systems that support them. It defines acceptable use standards, access provisioning procedures, device management requirements, and compliance and enforcement mechanisms.

Can I use my personal email for work communications?

No, all business communications must be conducted through organization-provided email accounts and approved messaging platforms. Personal email accounts, third-party email services, and unauthorised messaging applications must not be used for organization business or to transmit organization data.

Are my work emails monitored?

The organization reserves the right to monitor email and messaging activity on its systems to ensure policy compliance, detect security threats, and investigate suspected violations. Email and messaging records are business records that may be subject to legal discovery and regulatory review.

What happens to my IT access when I leave the organization?

All IT access rights are revoked on or before your last working day. You must return all organization-issued devices and ensure that organization data is removed from any personal devices. Your email account will be disabled and may have auto-reply configured for a limited period determined by your manager.

Can I record video conferences?

Video conferences may be recorded using organization-approved platforms, but all participants must be notified before recording begins, in compliance with applicable consent laws. Recordings must be stored in approved locations, classified per the Data Management Policy, and retained according to the Data Retention Schedule.

What security precautions should I take when working remotely?

When participating in voice or video communications remotely, use headsets rather than speakerphone, ensure screens displaying sensitive content are not visible to others, relocate to a private area for confidential discussions, and verify screen-sharing content before presenting. Ensure your home office provides adequate privacy.

How is system access provisioned?

Access is provisioned based on the principle of least privilege through a formal request and approval process. Your line manager and, for sensitive systems, the relevant data owner must approve access requests. Access rights are reviewed quarterly and modified or revoked when you change roles or departments.

How often is the IT and communication policy updated?

The policy is reviewed at least annually by the IT Department Head in consultation with the Information Security team, Human Resources, and Legal Counsel. Updates are triggered by the deployment of new communication platforms, security incidents, regulatory changes, or organizational restructuring.

Written by Adithyan RK

Fact Checked by Surya N

Published on: 3 Mar 2026