Acceptable use policy

Scope

This acceptable use policy covers the use of the Analytical Platform and all associated software and applications.

This policy applies in addition to the MoJ acceptable use policy.

Who this policy applies to

This policy applies to all users of the Analytical Platform (excluding users of apps hosted by the platform).

General principles

All users will:

  • report any security incidents, including a loss of data, in line with the relevant MoJ, HMPPS or HMCTS procedures;
  • report any breach of this acceptable use policy to the Analytical Platform team;
  • follow all relevant information governance procedures;
  • protect their login credentials appropriately;
  • create secure passwords following best practice guidelines (see here);
  • ensure that two-factor authentication is enabled when accessing GitHub and the Analytical Platform (see the MoJ security guidance about multi-factor authentication);
  • sign out of the Analytical Platform when access is not required;
  • understand they and MoJ have a legal responsibility to protect personal and sensitive information;
  • understand that their use of the Analytical Platform may be monitored;
  • ensure that all transfers of data onto and within the Analytical Platform are conducted safely and securely;
  • not access the Analytical Platform from any non-MoJ IT system, such as a personal computer;
  • ensure their machine’s operating system is up to date and patched, according to the MoJ patching policy. Users must use a supported version of the OS, meaning that security patches are still being released for it. Users with access to sensitive data must install ‘critical’ or ‘high risk’ patches within 7 days;
  • not share their account or login credentials with any other person;
  • not use the same login credentials for more than one system or purpose;
  • not store any data on the Analytical Platform that is classified as SECRET or TOP SECRET;
  • not move any data to the Analytical Platform without completing a data movement form;
  • not attempt to access any data, apps or software on the Analytical Platform without the appropriate permission; and
  • not use the Analytical Platform to undertake any illegal activity or any activity that could harm MoJ’s reputation or compromise the security of data or IT systems.

App admins and data source admins will:

  • ensure that app and data source users have the correct read/write permissions;
  • ensure that app and data source users only have access to the minimum data required for them to perform their job; and
  • regularly review access permissions for app and data source users, including when users join or leave MoJ, or move within MoJ.

GitHub

In almost all cases, work must be stored in private repositories in the MoJ Analytical Services organisation. You may only store work in a public repository if you have:

  • verified that the work contains no sensitive information or secrets;
  • obtained prior written permission from your line manager; and
  • followed the guidance on making source code open and reusable.

GitHub may be used to store:

  • source code;
  • reports and documentation; and
  • small, non-sensitive data sets (on a temporary basis when alternatives such as S3 are not practical)

in accordance with the following restrictions.

All users will:

  • not store any large data sets (> 1,000 records) in GitHub;
  • not store any data, source code or documentation containing sensitive information in GitHub;
  • not store any data, source code or documentation containing personal information in GitHub;
  • not store any credentials or secrets, such as usernames, passwords, database connection strings or API keys in GitHub;
  • provide access to private repositories on a need-to-know basis;
  • store all MoJ work in the MoJ Analytical Services organisation;
  • not store any work in public repositories without obtaining prior written permission from their line manager;
  • verify that any work stored in public repositories does not contain any sensitive or personal information; and
  • follow the guidance on making source code open and reusable.