SNAK Restaurants Limited T/A McDonald’s

IT Acceptable Use Policy

The IT Acceptable Use Policy sets out SNAK Restaurants Ltd T/A McDonald’s policy in relation to the
use of its IT systems and devices.

This policy applies to all our people, Franchisees, contractors and secondees and anyone else that
accesses McDonald’s Systems, at all levels in our restaurants and offices and will be reviewed at
regular intervals to monitor its effectiveness.

This policy is also available to our agency workers, suppliers and couriers to view.

Crucial Bits
The following is a summary of the policy, which can be found in full below:

o Software - you should only use McDonald’s approved software on any McDonald’s device or
system, unless you have approval from your manager and IT
o Internet - access to the internet from McDonald’s systems and devices is for business use.
Reasonable personal use is permitted, provided it does not interfere with your job and that
all use is in line with the policy. The internet must not be used to access, view, download,
upload or send any inappropriate material, including material which could be illegal,
defamatory or offensive
o Email - the most common method for external viruses to attack our systems, so in order to
protect McDonald’s, do not open emails or attachments from addresses you do not recognise,
and report suspicious activity to IT. You must not send emails that are inappropriate,
including those that are abusive, defamatory or obscene or that are discriminatory or could
be construed as such. You must not send emails which bully, victimise or harass the recipient.
If sending confidential information, always take appropriate security measures (including
password protecting attachments)
o Laptops - do not share McDonald’s laptops or other devices without the approval of the
management and Franchisee.
o Removable media - avoid using removable media (such as USB sticks) except where necessary,
as it is more secure to send information by email or secure portal with appropriate security
measures. If removable media is used, it should be provided by McDonald’s IT and must be
securely wiped of all data after use
o Password security: It is your responsibility to ensure that you protect access to your accounts,
devices and any documents containing confidential, financial or personal data. Always use a
strong, secure password to do so.
 SNAK Restaurants Limited T/A McDonald’s

IT Acceptable Use Policy

A. Policy Statement
This policy applies to everyone who works for us at SNAK Restaurants T/A McDonald’s in all of our
restaurants and offices, and also to anyone (for example contractors) who may use the McDonald’s
Systems (as explained below), whether they are employed by McDonald’s or not. It also applies to all
staff employed or otherwise contracted to work in franchised restaurants, to the extent that they are
accessing McDonald’s Systems and data.

The policy applies mainly to the use (and the misuse) of computer equipment, email and other
software programmes, the Internet, telephones and mobile devices, but it also applies to the use of
photocopiers, scanners, electronic key cards and any other type of related equipment that is owned
or controlled by SNAK Restaurants T/A McDonald’s. For the purposes of this policy, all of these
elements make up the ‘McDonald’s Systems’.

The policy doesn’t form part of your contract of employment, service/supply contract or franchise
agreement and McDonald’s reserves the right to amend, update or revise it at any time. A breach of
this policy is a serious matter. For employees, it may lead to disciplinary action in accordance with the
Disciplinary Procedure; for contractors, it may result in the termination of their contract.

Any queries relating to the content of any message received from a McDonald’s System that a
recipient may be concerned about e.g. inappropriate language used or threatening content should be
reported immediately to a manager or the People Services Helpdesk.

B. Software
McDonald’s gives access to a library of licenced software on any laptops and desktops we provide to
individuals who work for us. This software can be accessed from the ‘Software Centre’ link provided
on the ‘Start’ menu of all SNAK Restaurants T/A as McDonald’s provided laptops and desktop devices.
The installation of any programmes available from the Software Centre can be done by the user of the
device independently.

If any software is needed for the performance of your role which is not available from the Software
Centre, a non-standard software installation request can be raised. Please speak to your Business
Manager about this.

Access rights to all McDonald’s machines are locked down to prevent the installation of any non-
standard software without the appropriate administrator privileges. You should note that it is strictly
forbidden to attempt to circumvent these settings, or to otherwise attempt to install software outside
of the procedures outlined above.

C. Internet
The policy and the examples provided are not exhaustive, so if you are unsure whether planned
Internet usage may breach the policy, you must speak to your Business Manager .

McDonald’s monitors Internet traffic and use at all times, both during and outside of normal working
hours. McDonald’s reserves the right to check searches which have been made on the Internet to
 SNAK Restaurants Limited T/A McDonald’s

ensure that the use is not in breach of this policy, to assist in any disciplinary investigation, or to comply
with any legal obligation. You will not receive advance notice of any monitoring.

McDonald’s Systems must not be used for the sending or storage of commercial or personal
advertisements, promotions, detrimental programmes such as viruses, political material, or anything
which is illegal, defamatory, offensive or infringes anyone else’s third party intellectual property rights
(as further explained below), or which may bring McDonald’s into disrepute.

McDonald’s allows employees and contractors to use the Internet for McDonald’s business purposes,
and as part of the normal performance of their work.

Reasonable personal use of the Internet is permitted, provided that you comply with the rules of this
policy, however employees should ensure that any personal use doesn’t impact on the time available
to do their job.

All rules regarding accessing pages from the Internet include access through a web browser, for
example Internet Explorer or Google Chrome, as well as access through a link within an email.

You must not use the Internet to access, view, download, upload or send:
• Any material which could be illegal, defamatory or considered in any way offensive, or that is
a breach of anyone else’s intellectual property rights (such as their music, writing, images or
other copyrighted material or trademarks)
• Any material of a pornographic nature, or which might adversely reflect on McDonald’s, bring
McDonald’s into disrepute, or damage its reputation if made public
• Any material that could offend the recipient and make them feel discriminated, harassed or
victimised in anyway. More information with examples included below under Cyber Bulling
and Harassment.

McDonald’s reserves the right to block access to certain websites. If you need to access a website for
legitimate work purposes which is blocked, please email the IT Customer Support Desk:
itcustsupport@uk.mcd.com.

If you accidentally access inappropriate material on your computer, you must immediately email the
IT Customer Support Desk: itcustsupport@uk.mcd.com to report this and to ask for advice on any
action you may need to take.

You must not use McDonald’s Systems, even in your own personal time, to make or post remarks on
any Internet chat room, message board, blog, or otherwise include content on the Internet that is
obscene, defamatory, threatening, harassing, discriminatory or hateful to another person or entity,
including McDonald’s, its Franchisees, its employees, its contractors, its partners, its suppliers, its
competitors and/or other business related individuals or organisations. Further guidance on the use
of blogs and other social media is included within the Social Media Policy. Further guidance around
what could be construed as bullying, threatening, discriminatory or hateful to somebody else can be
found in the Anti-Bullying and Harassment Policy and the Respect in the Workplace Policy.

You must not use McDonald’s Systems to participate in online gambling [or gaming], even in your own
personal time.
 SNAK Restaurants Limited T/A McDonald’s

D. Email
Some McDonald’s staff, secondees and contractors will be provided with a business email address, if
this is required for their particular role. This will be arranged during the process of on-boarding a new
employee, secondee or contractor, or when a staff member moves into a role that requires the use of
an email address.

Email is one of the most common methods used to attack individuals and organisations to steal data,
spread malware and compromise systems. Please see the following guidance on identifying and safely
dealing with suspicious emails:
• Always check that you know the sender before opening an email. Some modern computer
viruses can be transmitted just by clicking on an email in your Inbox. So, if you receive an email
from an unknown sender or see an email with a suspicious or unusual subject, do not click on
it. Email IT Security: CyberSecurity@uk.mcd.com and ask for their assistance
• Never open email attachments from a sender you don’t recognise, or if it looks otherwise
suspicious to you. If you recognise the sender but are still suspicious of the attachment,
contact the sender via an alternative method (such as giving them a call) to ask if they have
sent the email to you. If it is not genuine, email: CyberSecurity@uk.mcd.com and ask for their
assistance
• You should also be careful when clicking on a hyperlink contained in an email. Hovering your
cursor over the hyperlink will show where the link leads to, so you can do this to confirm
whether the link will send you to where it claims to be sending you. Again, if you are suspicious
of a hyperlink, email CyberSecurity@uk.mcd.com and ask for their assistance
• McDonald’s will never ask you to send your username or password details via email. Should
you receive an email requesting these details, do not respond to it. Email:
itcustsupport@uk.mcd.com for assistance

You should not use your McDonald’s email account to sign up to any websites or accounts that are
not directly required for work purposes.

You should note that emails or instant messages (including any recoverable deleted emails or instant
messages) may be used as evidence in disciplinary, grievance or legal proceedings in the same way as
paper documents.

You must not send emails that are abusive, obscene, discriminatory, harassing, derogatory,
defamatory, racist, sexist, of a pornographic nature, or which infringe anyone else’s intellectual
property rights or which may cause embarrassment to McDonald’s, its customers or any other
employees if made public. In addition, you must not send or forward chain mail, junk mail, offensive
images, offensive jokes or offensive gossip.

If confidential information is being sent via email, the appropriate security measures should be taken
as per the McDonald’s Information Security Guidance. It is important to note that as of April 2018 it is
not possible to encrypt the content of email messages, but it is possible to encrypt documents and
also therefore email attachments. McDonald’s IT requires the following methods for sharing
documents marked as Restricted and Highly Restricted (as defined in the McDonald’s Information
Security Guidance).

• Most secure method: Encrypt the document(s) and share via an email link to a shared drive
which has access controls applied
• Next best method: Encrypt the document(s) and send as email attachments
 SNAK Restaurants Limited T/A McDonald’s

Documents marked as Internal Use may be shared via either of the above methods or via the following
method. Save the document(s) to a shared drive which has access controls applied and share via an
email link.

You must not send messages from another user’s computer or under an assumed name, unless you
have been specifically authorised to do so. Some job roles require delegated access to send emails on
behalf of others. If this is required in your role, prior written approval is needed from the owner of the
relevant account and a request for the access should be emailed to the IT Customer Support Desk:
itcustsupport@uk.mcd.com.

McDonald’s reserves the right to monitor emails and to block the transmission of email messages. We
may retrieve messages to monitor whether the use of the email system is in accordance with this
policy, to find lost messages, to assist in disciplinary investigations, or to comply with any legal
obligation.

Your McDonald’s email account should not be accessed from public or shared computers.

Information and/or files should not be shared outside of McDonald’s and our trusted
partners/suppliers. Files should not be sent to your own personal email account, unless this is
absolutely necessary for a business purpose and does not include confidential, sensitive or personal
data.

-Private Email Accounts

Access to a private email account from any other McDonald’s device, including but not limited to
desktop computers, laptops, phones and tablets is done so on the understanding that this policy still
applies.

Cyber Bullying and Harassment

Just so that you are aware, this is using technology, such as mobile phones, social media and the
internet, to bully or harass another person, both during and/or outside of work time. Some examples
of cyber bullying and harassment are (this list it not exhaustive):

o emailing or texting someone threatening or nasty messages

o emailing an embarrassing or humiliating image or recording of someone, posting it on social
media, or forwarding it onto others
o harassing someone by repeatedly sending texts or instant messages in a chat room
o posting or forwarding someone else’s personal information or images without their
permission
o creating false social media accounts to impersonate, intimidate or mock an individual

If you feel that you have been harassed, bullied or victimised, or are offended by material received
from someone via email or phone, or you believe that an email is in breach of this policy or the
Diversity and Inclusion Policy, the Respect in the Workplace Policy or the Anti-Bullying and Harassment
Policy, you should inform your manager.

Bullying, harassment and/or victimisation is not tolerated and will be dealt with in accordance with
the Disciplinary Procedure. Remember, if it’s not ok to say something to someone’s face or behind
their back, it’s not ok to say it online. If this happens to you during and/or outside of work tell your
manager or contact People Services Helpdesk straight away.
 SNAK Restaurants Limited T/A McDonald’s

E. The use of Computers and other Equipment

You are responsible for the security of equipment allocated to or used by you, even when it is used
for personal use. You must ensure that the equipment isn’t used by anyone other than in accordance
with this policy.

You must not interfere with or remove any equipment covered by this policy (other than mobile
equipment as detailed below in the section ‘Mobile Devices’) without permission from your Manager
or via the IT Customer Support Desk by emailing: itcustsupport@uk.mcd.com.

Specifically, you must not move or tamper with computers or cabling for telephones or computer
equipment without first obtaining approval by emailing the IT Customer Support Desk:
itcustsupport@uk.mcd.com.

Using personal devices to perform any of the following activities is strictly prohibited:
• Joining or attempting to join the McDonald’s corporate wireless network, or plugging in to
physical network points. A separate wireless network is provided at McDonald’s office
locations for personal devices
• Accessing or attempting to access McDonald’s Shared Drives
• Accessing or attempting to access any internal McDonald’s applications which may contain
personal or confidential data

Personal devices may be used to access the following McDonald’s services:

• Reward Gateway
• MyStuff 2.0 (Webmail, MySchedule, MyProfile)
• Expenses
• Workplace

Public devices such as computers available for communal use in Internet cafés, libraries or other public
areas should never be used to access McDonald’s Systems.

F. Telephones
The use of McDonald’s landline phones, Teams and McDonald’s owned mobile phones (together
referred to as ‘telephones’) is for business purposes only. Where there is a need to make personal
calls, these must be kept to a minimum and the use should not interfere with your work or the work
of any of your colleagues.

You must not use telephones for any illegal, objectionable or inappropriate activities, including
harassment or bullying examples are listed above under Cyber Bullying and Harassment.

Calls to and from Customer Services and some helpdesks operated by McDonald’s (or for McDonald’s
by external contractors) are routinely monitored, in order to determine facts relevant to the business
and/or for evaluation and training purposes.

McDonald’s reserves the right to monitor and record calls for the purpose of preventing or detecting
crime, for evaluation and training purposes, and for investigating and detecting any unauthorised use
of the system, including as part of disciplinary investigations. With the exception of some Service Desk
calls (as referenced above), McDonald’s does not routinely monitor or record telephone
conversations, although it does monitor and record the extension number making and receiving calls,
the number dialled and the time, duration and (where applicable) the cost of the call.
 SNAK Restaurants Limited T/A McDonald’s

G. Laptops
Your laptop must not be swapped or lent to others without the authority of your Manager. You must
not allow any family members or friends to use your laptop.

Where possible, don’t store any confidential, financial or personal data on your laptop’s desktop or C:
drive – use password protected shared drives instead.

If you do need to save a confidential document to your laptop, you should ensure that you encrypt
and password-protect the document. Advice on this is available on the Information Security page of
the McDonald’s Intranet.

H. Removable Media
If any McDonald’s data needs to be shared outside of the Company, it should be emailed with the
appropriate security controls such as encryption applied to the data.

Should removable media such as a USB stick or a writeable CD or DVD need to be used, it must be
provided by SNAK Restaurants T/A McDonald’s.

Once they have served their purpose, USB sticks must be wiped of all data and returned to your
Business Manager. CDs or DVDs should be securely disposed of.

Removable Media should not be used to move McDonald’s information or files to personal devices,
unless this is absolutely necessary for business purposes and doesn’t include confidential,
commercially sensitive or personal data. Once the business purpose has been fulfilled, the information
must be securely deleted from both the Removable Media and the device.

If a USB stick has been inserted into a personal device it must not then be inserted back into a
McDonald’s provided device until it has been fully virus scanned and securely formatted by the IT
Customer Support Desk. Contact the IT Customer Support Desk regarding this by emailing:
itcustsupport@uk.mcd.com.

I. Password Security
You have a personal responsibility to protect access to McDonald’s computer systems and
information. You should have your own confidential password for this purpose. It is your responsibility
to keep your password secret.

Your login credentials (username and password) should never be shared with anyone else. New
accounts should be requested for any new joiners who need to access the McDonald’s Systems and
for staff moving roles who had previously not had access to the McDonald’s Systems but will require
it in their new roles.

You must ensure you are using a strong, secure password for your mobile device and PC login, and for
any documents containing confidential, financial or personal data. The Global Password Policy states
that a password must be at least 8 characters long and contain three of the following four-character
types:
• Lowercase letters
• Uppercase letters
• Numbers
• Special Characters such as ! ? or @
 SNAK Restaurants Limited T/A McDonald’s

You must never write your password down, or have it on a piece of paper in your bag, or near your
desk.

You must never pass on or give anyone your password. The only exception to this is if it is requested
by a member of the IT Customer Support Desk in person.

When leaving your computer unattended, always use a password-protected screen lock, or log off
completely.

Your Global password, used to log in to laptops/email etc., expires every 90 days. When changing your
password, create a completely new one rather than implementing a minor change to your existing
one.

J. Security and Antivirus Measures

IT security threats are evolving all the time and as such, updates to the operating system, applications
and antivirus software on McDonald’s Systems are required to keep the business safe from these
threats. Updates can often be performed without interruption to users, however on occasion they will
require systems to be restarted, which will cause periods of downtime.

IT will always endeavour to minimise the disruption to restaurants from any updates to McDonald’s
Systems and will perform these either when restaurants are closed, or in quiet periods for 24-hour
restaurants. When disruptive maintenance is required, restaurants will be given as much notice as
possible and will be walked through the process by the IT Customer Support Desk. It is imperative that
restaurants allow maintenance to be performed when requested by the IT Customer Support Desk.

Some Franchisee owned restaurants contain IT equipment such as CCTV systems which are accessed
via the McDonald’s network, but are not owned or maintained by McDonald’s IT. Franchisees must
ensure that these devices have regular security updates applied, have an acceptable level of antivirus
protection operating on them and don’t provide a publicly accessible route into the McDonald’s
Systems. McDonald’s reserves the right to cut network access to any machine or software which
displays signs of virus infection until it can be proved to be clean and updated to appropriate security
standards.

Managers have additional responsibilities for IT security in their area. This includes ensuring, with
assistance as appropriate by emailing the IT Customer Support Desk: itcustsupport@uk.mcd.com,
that:
• Staff, contractors and relevant suppliers are made aware of and follow this policy
• Security defects and failures, including computer viruses, are reported and corrective action
is taken
• Any requests from McDonald’s IT to perform maintenance, including but not limited to
antivirus updates, operating system updates, application updates and computer restarts are
complied with as required

Appendix – Personal Mobile Devices

When you’re using your personal device to access McDonald’s Systems or websites which do not
require a network log-in please follow the guidance set out below:

A minimal level of security settings should be available and operating. These are that the device must:
• Require a password or PIN of at least 6 characters
 SNAK Restaurants Limited T/A McDonald’s

• Have the capability of being remotely wiped

• Locally encrypt data in storage on the device
• Have a maximum 20-minute time-out setting enabled

Lost or stolen devices must be reported immediately if you believe there is any McDonald’s
confidential, sensitive or personal information stored on the device, speak to your Business Manager
or email the IT Customer Support Desk: itcustsupport@uk.mcd.com.

Non-McDonald’s provided devices will not be supported by the IT Department, but assistance in
relation to work-related matters may be given on a reasonable effort basis.

Users acknowledge that should they become involved in litigation or any action requiring McDonald’s
to respond to internal investigation, or a court order pertaining to Corporate data, any device,
regardless of ownership, may be treated as a Corporate asset and as such, is subject to laws
surrounding e- discovery and evidence preservation, regardless of ownership.

Use of a personal devices

Moreover, if anyone bullies, harasses or victimises anyone using their personal device whilst at work,
this will still be treated as a disciplinary issue, irrespective of the fact that it was carried out on a
personal device.

Users who intend to sell or otherwise dispose of a personally owned device that has been used to
access McDonald’s sites not on the network are responsible for deleting all McDonald’s confidential
information (including but not limited to any and all information, material or documents relating to
McDonald’s, its affiliates and franchisees, each of their businesses, assets, finances and financial
condition, personnel, individual salaries, operations, products, promotions, technical, marketing and
business information, customer and supplier relationships, trade secrets, know-how, strategies and
prospect) from the device prior to its disposal or the termination of employment.

Further Support
If you’ve got any questions, speak to your manager or get in touch with our People Services Helpdesk
on 0345 606 0321 or email peopleserviceshelpdesk@uk.mcd.com

Please be aware that this policy isn’t contractual and may be amended at any time.