Information Security Golden Rules

  • We are all responsible for information security
  • We must all ensure we understand obligations as detailed in the Acceptable Use Policy and other relevant information security policies
  • Our use of Eduserv assets, including information, must be respectable, honest and comply with both legislative and regulatory requirements
  • We must report any potential security events, suspicious activity, issues, incidents, policy breaches or near misses immediately, to Service Desk
  • We must not attempt to access, or enable others to access, anything we haven’t been explicitly authorised to access
  • We must not disable or attempt to bypass any security controls
  • We will take all appropriate precautions to prevent damage to or theft of any assets we are responsible for
  • We will use the confidential waste bins
  • We will follow the information classification rules
  • We will follow the password guidance in the AUP and protect our passwords
  • We will lock away our documents and lock our screen when away from our desk
  • We must not install software on our device without prior authorisation
  • We must not attach USB or mobile devices to our Eduserv workstation / laptop without prior authorisation
  • We will be mindful of tailgaters
  • We understand that Eduserv reserves the right to view any material we produce or store on Eduserv’s systems and networks for monitoring and measurement purposes


Regulation and legislation applicable to us all includes, but is not limited to:

  • Official Secrets Act
  • Rules of Investigatory Powers Act (RIPA)
  • Computer Misuse Act
  • Rules of Evidence
  • Data Protection Act / GDPR
  • Privacy and Electronic Communications Regulations
  • Freedom of Information Act (FOI)


Bribery can be defined very generally as a payment, benefit or gift offered or given with the purpose of influencing a decision or outcome. Under the Bribery Act, there are 4 main offences:

  • Active Bribery (offering to bribe another)
  • Passive Bribery (accepting/requesting a bribe)
  • Bribery of a foreign public official
  • Failure to prevent Bribery (committed by an organisation that fails to prevent bribery by any ‘person’ associated with it).

 If you fail to comply with this policy and/or with the Act it may result in:

  • disciplinary action up to and including dismissal;
  • criminal prosecution under the Act which may result in a fine and/or imprisonment for up to 10 years

For Eduserv, any breach of this Policy by you or a business associate may result in Eduserv breaching the Act, which may have the following impact:

  • Eduserv being subjected to fines;
  • A ban from bidding for public contracts;
  • Damage to reputation and loss of public trust and confidence

Eduserv prohibits employees or associated persons from offering, promising, giving, soliciting or accepting any bribe.  The bribe might be cash, a gift or other inducement to, or from any person or company, whether a public or government official, official of a state-controlled industry, political party or a private person or company, regardless of whether the employee or associated person is situated in the UK or overseas.  The bribe might be made to ensure that a person or company improperly performs duties or functions (for example, by not acting impartially or in good faith or in accordance with their position of trust) to gain commercial, contractual or regulatory advantage for Eduserv in either obtaining or maintaining Eduserv business, or to gain any personal advantage, financial or otherwise, for the individual or anyone connected with the individual.

The prohibition also applies to indirect contributions, payments or gifts made in any manner as an inducement or reward for improper performance, for example through consultants, contractors or sub-contractors, sponsors, partners, advisors, customers, suppliers or other third parties.

Facilitation Payments

A facilitation payment is defined as a small payment made to officials to secure or speed up the performance of routine or necessary action or level of service.

Facilitation payments constitute bribes and may not be made at any time irrespective of prevailing business customs in certain territories.

Due Diligence

The following issues should be considered with care in any and all transactions, dealings with officials, and other business matters concerning third parties:

  • Territorial risks, particularly the prevalence of bribery and corruption in a particular country;
  • Cross-border payments;
  • Requests for cash payment, payment through intermediaries or other unusual methods of payment;
  • Activities requiring Eduserv and / or any associated party to obtain permits or other forms of official authorisation;

Any due diligence must be completed before the contract is signed or the partnership undertakes any activities.

Gifts, Hospitality and Entertainment

Employees are expected to conduct themselves with integrity, impartiality and honesty at all times.

The following general principles apply:

  • Gifts and hospitality may neither be given nor received as rewards, inducements or encouragement for preferential treatment or inappropriate or dishonest conduct;
  • Neither gifts nor hospitality should be actively sought or encouraged from any party, nor should the impression be given that the award of any business, custom, contract or similar will be in any way conditional on gifts or hospitality;
  • Cash should neither be given nor received as a gift under any circumstances;
  • Gifts, entertainment and hospitality to or from relevant parties should be avoided at the time of contracts being tendered or awarded.
  • The value of all gifts and hospitality, whether given or received, should be proportionate to the matter to which they relate and should not be unusually high or generous when compared to prevailing practices in our industry or sector. For example, it may be acceptable for a prospective partner to pay for reasonable travel and accommodation costs to enable a visit to their premises, but first class flights or 5 star accommodation would not be acceptable.
  • Certain gifts which would otherwise be in breach of this Policy may be accepted if refusal would cause significant and/or cultural offence. If unsure, then this should be checked with the Chief Executive and Eduserv may decide to donate such gifts accepted for such reasons to a charity of its choosing.
  • You must declare to your manager and keep a record of all gifts and hospitality accepted or offered.

Political and Charitable Donations

Eduserv does not make political donations and is not affiliated with any political party, independent candidate, or with any other organisation whose activities are primarily political.

Employees and other associated parties are free to make personal donations provided such payments are not purported to be made on behalf of Eduserv and are not made to obtain any form of advantage in any business transaction.

Charitable donations are permitted only to registered (non-profit) charities.  No charitable donations may be given to any organisation which is not a registered charity.

Proof of receipt of all charitable donations must be obtained from the recipient organisation.

Under no circumstances may charitable donations be made in cash.

Reporting Bribery

Any employee who is concerned about any form of malpractice, improper action, or wrongdoing by Eduserv, employees or stakeholders is strongly encouraged to report the matter to HR.

We believe it is essential to create an environment in which you feel able to raise any matters of genuine concern internally without fear of disciplinary action being taken against you, that you will be taken seriously, and that the matters will be investigated appropriately and as far as practicable be kept confidential.

Employees suspected of bribery may be suspended from their duties whilst the investigation is being carried out.  Disciplinary procedures will be invoked where any employee is suspected of bribery up to and including dismissal.

Social Media

Eduserv recognises the value of posting content online (blogs, websites, tweets, status updates, forums, mailing lists, wikis, photos, videos, document sharing). We want to engage with our communities, to increase awareness of our expertise and to underline our focus on customer service.

We encourage you to get involved in digital engagement that positively promotes the professional profile of Eduserv. It’s important to remember that when you participate online, even if you believe it’s in a wholly personal capacity, this can impact on your obligations as an Eduserv employee. If you are unsure if what you are proposing to post is appropriate please ask your line manager or the marketing team for advice.

This policy applies to all employees, regardless of status or grade. It applies to all online activity, both in and out of working hours and regardless of whether Eduserv’s equipment is used.

Failure to comply with any aspect of this will result in disciplinary action, informal or formal depending on the severity. Serious breaches of the policy will be considered gross misconduct and could result in summary dismissal. 

In assessing the severity of any misconduct associated with the use of social media or online communication, Eduserv will consider the following factors:

  • the content / context of the posting(s);
  • how many people and who saw the posting(s);
  • how easily Eduserv can be identified;
  • whether any complaints have been received;
  • any other relevant factors.

Employees are required to immediately take down any posting if requested to do so by Eduserv.

Rules of engagement

The lines between public and private, personal and professional can become blurred in social networks. It’s important that you are aware that anything posted on social media is in the public domain. This includes any posts made with strict privacy settings in place or any postings made in a personal capacity.

In choosing your words and other content, it’s good practice to imagine that your manager and your family are reading everything you post. You should also be aware that content (photos, posts, etc) tagged with your name may turn up in search engine results.

When using any social networking site (such as: Facebook, WordPress, Blogger, Flickr, Twitter, Google+, YouTube, LinkedIn, chain emails, etc.) whether in a personal or professional capacity, the following rules apply:

  • Do not make disparaging remarks about Eduserv, work colleagues, clients (potential, current or former), or suppliers;
  • Do not make any personal attacks on anyone in the organisation, our clients and customers, or our suppliers;
  • Do not make any comment or display any image which could be defamatory or discriminatory and may reflect badly on Eduserv;
  • Do not engage in cyber bullying of a colleague or client and do not use social media to engage in harassment of a colleague or customer;
  • Do not make any comment or display any image which may bring Eduserv into disrepute (have a negative impact on the reputation of the organisation, our products or services);
  • Do not post any organisational materials which are for internal use only;
  • Do not post any pictures or images of other employees or clients without their consent;
  • Remove any pictures, images or information about colleagues if asked by them to do so;
  • Do not use your Eduserv email address (unless it is in a professional capacity);
  • Do not display any company logos (unless it is in a professional capacity);
  • Do not breach any other of Eduserv’s policies and procedures when using social media sites.

Please also ensure that your online activities do not interfere with your job or commitments to customers.

Transparency and honesty

We believe in transparency and honesty so if you are blogging about your work for Eduserv, we encourage you to use your real name, be clear who you are, and identify that you work for us.

When speaking about your work at Eduserv, you’re urged to provide worthwhile information and perspectives. Have an opinion, and speak in the first person. Our brand is best represented by our people but it’s important to remember that what you publish may influence people’s perceptions.

If you are expressing a personal opinion about issues relevant to our work then you must make it clear that it is your personal opinion that is being expressed. Usually this will be clear from the context, but if there is any scope for doubt, state explicitly if it is a personal view.

Nothing gains you more notice in social media than honesty – or dishonesty. If you have a vested interest in something you are discussing, be the first to point it out. Similarly, if you make an error, be upfront about your mistake and correct it quickly. In a blog, if you choose to modify an earlier post, make it clear that you have done so (use ‘Update’ to make your revision clear).

Code Fixes

In the general use of social media, Eduserv encourages transparency. However, when using public forums for code fixes, then the protection of confidentiality is paramount. Eduserv requires employees to use pseudonyms when entering a public forum for advice on code fixes.

Don’t reveal confidential information

If you do post about Eduserv, by all means talk about your work and make meaningful connections with your readers, but you must respect the privacy and confidentiality of our organisation, its clients and communities.

You must not expose Eduserv or another's confidential information, intellectual property rights, or other proprietary information (for example future business performance, business plans or prospects). Confidential information also includes any information that would be useful to a person with malicious intent, such as: details of architectures, security controls or source code.

You must not cite or obviously reference clients or other stakeholders without their permission, and never discuss confidential client details. You can discuss general details and use non-identifying pseudonyms as long as the information provided does not violate any non-disclosure agreements that are in place with the client. You should only include examples of work we carried out (screen grabs, etc.) with the written permission of your manager and the client.

Be considerate and respectful

Remember that Eduserv is a company of over 160 employees and thousands of customers, partners and other stakeholders that reflect a diverse set of values and points of view. Be yourself, but do so respectfully. This includes not only the obvious (no discrimination, personal insults, obscenity etc) but also proper consideration of privacy and of topics that may be considered objectionable or inflammatory.

You must protect the dignity of clients or partners by not participating in discussions that reflect negatively on them, even if they are not named.

There will always be people who criticise; knowing what to respond to and what to ignore is important. If you notice that Eduserv is being seriously misrepresented, you are encouraged to point out any factual inaccuracies. However, you should avoid kneejerk reactions and discuss your response with the Marketing Manager or another member of Marketing.

If you speak about a competitor, you must make sure that what you say is factual and that it does not criticise the competitor (to avoid potentially libelous comment). Avoid arguments.

Copyright and fair use laws

For Eduserv's protection as well as your own, it is critical that you show due respect for the laws governing copyright and fair use of copyrighted material owned by others, including our own copyrights and brands. You should never quote more than short excerpts of someone else's work, and it is good general practice to link to others' work. Images and other material used should be credited (unless license permits use without attribution).

Eduserv channels

This policy also applies when using Eduserv digital channels, such as our blog or Twitter account, where additional controls are in place. Blog posts are approved by the Marketing Manager or another member of the marketing team before going live. Access to the Eduserv Twitter account is limited to particular employees and may be revoked if abused.

If you are planning to use the Eduserv name or one of our product names in a username when setting up a social media account, you must obtain approval from the marketing team first.

Corporate Social Responsibility

Eduserv recognises the importance of supporting, encouraging and developing its employees. We are committed to providing clear terms and conditions of employment, fair remuneration and opportunities for personal and professional progression for all our staff.

We think it’s important to give back to the communities in which we work and live. Many of our employees contribute to a range of good causes and community activities in their free time. To support this Eduserv offers employees 2 paid days per calendar year to volunteer for a good cause. 

We have in place a health and safety system to ensure the well-being of all of our employees. We are certificated to the ISO 18001 standard by a UKAS-accredited auditor and also regularly conduct our own health and safety internal audits.

Eduserv have a dedicated environmental policy detailing our commitment to minimising our environmental impact. We are certificated to the ISO 14001 standard by a UKAS-accredited auditor on an annual basis and also conduct our own internal audits to ensure continued compliance and improvement.

Equality and Mutual Respect

We are committed to the principle of equality in employment. At Eduserv our aim is to attract, retain and motivate high quality individuals and to provide equality of opportunity in order to maximise the benefit to the organisation from the diversity of its workforce. Diversity expresses itself in many different ways (by age, gender, race, culture, physical and mental ability, religion) and these differences are celebrated.

We aim to maximise everyone’s potential by harnessing these differences and creating a productive environment in which all are valued, where talents are fully utilised, and where the goals of the organisation are achieved. We strive to treat everyone fairly and to apply equitable practices in all that we do.

Accordingly, when carrying out recruitment, selection, training, development and promotion activities we aim to ensure that no job applicant or employee receives less favourable treatment on the above grounds. Eduserv’s objective is to ensure that individuals are selected, promoted and otherwise treated solely on the basis of their relevant aptitudes, skills and abilities.

Eduserv commit to encouraging equality and diversity in the workplace, and all employees should be aware that they, as well as Eduserv, can be held liable for acts of bullying, harassment, victimisation and unlawful discrimination, in the course of their employment, against fellow employees, customers, suppliers and the public.

We do not tolerate bullying or harassment, and any complaints will be taken seriously and dealt with under the grievance procedure and/or as gross misconduct. Further details on what constitutes bullying and harassment can be found on the link:

Working lawfully

The following policies apply to you and you will need to ensure that you are familiar with them, as any breach may result in disciplinary action, including a gross misconduct dismissal – it is that serious, so please do read them as soon as you can!

  1. Acceptable usage
  2. Anti-bribery
  3. GDPR/data protection
  4. Health and safety
  5. Equality and mutual respect

Being the best you can

  • Continuous feedback for continuous improvement - Through our HR system, BambooHR, you will be able to receive continuous feedback from your peers and manager on how you are doing.
  • Meaningful learning opportunities – We will ensure you have the appropriate technical skills to meet our operational needs now, and in the future. We will also provide you with appropriate soft skills training and knowledge dissemination to ensure you have all the skills you need to carry out your role to the best that you can.

When your expectations aren’t met


Informal process: We would hope that most complaints can be dealt with informally. If you want help mediating a conflict, speak to your manager or HR. If your complaint concerns your manager, speak to their manager or the talent and organisational excellence team.

We follow the ACAS code of practice for formal grievances. Please find further information here.


If you wish to make a protected disclosure, you can find further advice on what that means and what protection it offers you here. We would hope that you would be able to inform a member of the exec team, or a trustee, before going outside of the organisation. If you make a protected disclosure, as set out on the website, we will ensure that you are not put at a detriment.

When our expectations aren't met

Misconduct & gross misconduct

We follow the ACAS code of practice on disciplinary and grievance procedures, which sets out what we must do to ensure the process is fair. Further information can be found here.

The definitions we use to distinguish misconduct from gross misconduct are as follows:

Misconduct: where an employee’s actions are such that they fall outside of what is generally, and reasonably agreed to be acceptable standards.

Gross misconduct: where an employee behaves in such a way that we cannot reasonably be expected to allow that behaviour or action to be repeated, for example, illegal activities, serious breach of our policies, gross negligence, serious insubordination, or offensive behaviour.

Performance management

Unfortunately, if your performance doesn't meet the level required for your role, and informal attempts to help your performance improve don't work, you will be subject to the performance management process.

This closely follows the three-step process under the misconduct procedure, but with performance review meetings, and first and final warnings being replaced with improvement notices. As with misconduct meetings, you will have the right to be accompanied by a work colleague or trade union representative.

The time between reviews will vary depending upon the nature of the improvements needed, but will ensure sufficient time to put into action any remedial action, and to demonstrate improvement.

If there is no improvement following the final improvement notice, it may result in dismissal due to poor performance. If this occurs, an appeal to the decision will be offered.

Sickness management

If your absence levels are deemed unreasonable, you will be notified of the need to improve. If your absence levels continue to be unsatisfactory, or a pattern emerges, we will begin the absence management process.

The absence management process mirrors the three-step disciplinary process, in that there are formal meetings at which you can be accompanied by a work colleague or trade union rep.

If you are dismissed because of poor absence, you may appeal this decision.


If you are unable to undertake the role you have been hired to do due to either continued ill health or incapacity, we will ensure we have exhausted any possible reasonable adjustments before making any decision to dismiss.

You will be given the right to be accompanied by a trade union rep or work colleague during formal review meetings. The number of review meetings needed will be dependent upon the circumstances of the case, however we will do what we reasonably can to help you retain employment with Eduserv.

You may be required to attend either an occupational health review, or will be asked for permission for Eduserv to contact your GP. If we do not have sufficient medical information, we would be required to make a decision without all of the facts, which ultimately may be to your detriment.

You may appeal any decision to dismiss due to capability.