< Back to Main Site

EDUCAUSE review onlineEDUCAUSE review online

A Framework for IT Policy Development

0 Comments

© 2004 EDUCAUSE

EDUCAUSE Review, vol. 39, no. 2 (March/April 2004): 54–55.

Rodney J. Petersen

Colleges and universities often engage in policy development to come into compliance with external mandates such as new federal or state laws and regulations. Occasionally, institutional policies are established because of internal business needs. However, few institutions follow a consistent process when a new policy need arises, and even fewer have considered a framework that should guide the results.

The Association for College and University Policy Administrators has developed a Policy Development Process with Best Practices (http://process.umn.edu/ACUPA/projects/process/). Some of the most important decisions get made during the "predevelopment" phase, which includes identifying issues, establishing ownership, determining policy path, and assembling the drafting committee. There is a tendency for legal compliance and concerns for institutional liability to drive the process, cloud the issues, and unduly influence results. A legalistic approach to policy development may stifle creativity and emphasize "doing things right" as opposed to "doing the right thing." Therefore, colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality.

It Policies Framework
Click for larger view.

Law

It would be unwise to ignore the legal context in which college and university policies operate. There is considerable jurisprudence about the application of constitutional principles in the higher education setting. Additionally, federal and state statutes and regulations dictate requirements for colleges and universities and often provide specific guidance on the elements that a policy should contain. Educational environments are increasingly regulated and operate within a society that is litigious. Consequently, liability may result from the absence of appropriate policies and procedures or from failure to follow policies and adhere to necessary standards of care.

A number of legal and compliance issues affect the use of information technology in colleges and universities. The Digital Millennium Copyright Act of 1988 (http://www.educause.edu/issues/issue.asp?issue=dmca) and the provisions that provide "limitations on liability relating to material online" sparked policy reviews and resulted in fine-tuning of institutional procedures for responding to complaints of copyright infringement. The Health Insurance Portability and Accountability Act of 1996 (http://www.educause.edu/issues/issue.asp?issue=hipaa) provoked a number of compliance activities, including the designation of privacy officers, the notification of privacy practices, and a host of new institutional policies and procedures. The Safeguards Rule of the Gramm-Leach-Bliley Act of 1999 (http://www.educause.edu/issues/issue.asp?issue=glb) stimulated security risk assessments and the formalization of IT security programs to protect financial information. Of course, preventing copyright infringement, protecting health information, and safeguarding financial information are arguably practices that colleges and universities should have put in place without being required to do so by law or regulation. Nonetheless, many institutions are now forced into a compliance mode and were unable to head off further regulation because they had not voluntarily taken on the task of developing policies that might support the values, ethics, or moral standards that are characteristic of institutions of higher education.

Values

Colleges and universities embrace values that are important to the academy. All decisions that affect institutional governance and operations should be driven by those values. Institutions of higher education are characterized by a commitment to shared governance, academic freedom, safety and security of community members, and respect for individual privacy. Unfortunately, legal mandates do not always reflect what experts might determine to be the best way to address specific problems. Therefore, whenever possible, institutions should insert their own judgment and expertise, consistent with legal requirements, but they should be careful not to relinquish or compromise important academic values.

Historically, one of the least regulated areas of American society has been the establishment of national standards for privacy. Although this is quickly changing, colleges and universities still have a great deal of latitude to make choices about how much or how little privacy to afford individuals. For example, the report Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities (http://www.educause.edu/ir/library/pdf/PUB3102.pdf) identifies the privacy challenges and opportunities of technology advances, presents a set of primary principles that underlie fair information practices, and recommends a process whereby a full spectrum of campus constituencies can be involved in discussions that will lead to a better understanding of campus culture and values with regard to these principles. Another, more recent report, Principles to Guide Efforts to Improve Computer and Network Security for Higher Education (http://www.educause.edu/ir/library/pdf/SEC0310.pdf), describes higher education values and offers principles to serve as a starting point for campus discussions regarding computer and network security.

Ethics

Implicit in an approach predicated upon "doing the right thing" is the consideration of ethical judgments of "right" and "wrong." A sense of ethics can guide us when laws are absent or when laws are silent on particular issues or when discretion is allowed. The insertion of ethics has been particularly useful in the field of information technology because the law has not evolved or matured to a stage sufficient to address all of the potential abuses. However, if colleges and universities are too slow to act or if they refuse to do "the right thing," the result can be legislative solutions that are often bureaucratic and usually undesirable.

Policies and practices that are based on ethical principles also afford greater flexibility and permit educational interventions that are sometimes impeded by legalistic or compliance-driven policies. Ethical decisions are typically not self-serving but instead consider what is best for the community rather than the individual. When it comes to policy enforcement, engaging students or employees in a conversation that measures their behavior against community standards or ethical norms can be instructional. Additionally, policies that are grounded in ethical principles help students and employees to become better citizens.

The advent of acceptable use policies (AUPs) in the mid-1990s provides an excellent illustration of how ethics or considerations of "netiquette" can influence campus policies. Although AUPs often contained provisions that prohibited illegal conduct, there was a great deal of uncertainty in the beginning about how existing criminal and civil laws would be applied to cyberspace. Additionally, efforts to develop new laws specifically designed to regulate Internet use (e.g., the Communications Decency Act of 1996) were overturned by courts or were considered too controversial to become law. Therefore, campus policies tended to appeal to "ethical" and "responsible" use. For example, AUPs described computing resources as "shared resources" and encouraged community members not to use more than their fair share or to unreasonably interfere with others' use of limited resources. The "Primary Principles" section of the University of Maryland Guidelines for the Acceptable Use of Computing Resources states: "Concomitant with free expression are personal obligations of each member of our community to use computing resources responsibly, ethically, and in a manner which accords both with the law and the rights of others. The campus depends first upon a spirit of mutual respect and cooperation to create and maintain an open community of responsible users" (http://www.umd.edu/aug).

Morality

A number of private colleges and universities have religious ties or traditions. Therefore, some decisions regarding institutional policies may have moral dimensions. Although ethics is sometimes described as a "moral philosophy," morality extends the concept to include judgment of the goodness or badness of human action and character. Morality is often associated with institutions that hold their members to a higher standard than necessary according to the law or to the values or ethics of society at large—usually holding them accountable to some higher authority.

Some of the most difficult areas to regulate or control on the Internet concern sexually explicit content. The presence of material that is indecent, obscene, pornographic, and offensive continues to be troubling to many and poses puzzling public-policy issues. Although colleges and universities are under obligations to prevent sexual harassment and prevent hostile educational or working environments, they must also consider the countervailing claims of academic freedom and free speech. State colleges and universities are legally obligated to uphold the First Amendment and are often caught in the middle of contentious battles over policy and practice. Somewhat immune from legal and constitutional considerations, private institutions, particularly religiously affiliated colleges and universities, are able to invoke moral grounds for preventing the use of the Internet to display or distribute sexually explicit content. Although blocking such use conflicts with important values such as academic freedom, this type of action is a plausible consideration for institutional policy and practice.

A Holistic Approach

Policy development is too important to leave to lawyers. The risks are too great to trust the vagaries of shared governance processes and autonomous faculty members or students. The growth of information technology use on campus is exercising institutional policies in new ways. The demand for new or revised policies and procedures affords colleges and universities a new opportunity to think holistically about policy development. A framework that considers law, values, ethics, and morality, combined with a process that is inclusive and comprehensive, affords higher education the greatest chance of developing IT policies that will achieve the purpose for which they are intended.

Rodney Petersen is a policy analyst with EDUCAUSE and is project coordinator for the EDUCAUSE/Internet2 Computer and Network Security Task Force. He is also a founding member of the Association of College and University Policy Administrators. Comments on this column can be sent to the author at rpetersen@educause.edu.

Rodney Petersen

Rodney Petersen is Managing Director of the EDUCAUSE Washington Office and a Senior Government Relations Officer. He also directs the EDUCAUSE Cybersecurity Initiative and is the lead staff liaison for the Higher Education Information Security Council. Prior to joining EDUCAUSE, he served as the Director of IT Policy and Planning in the Office of the Vice President and Chief Information Officer at the University of Maryland. He previously held the position of Campus Compliance Officer in the Office of the President at the University of Maryland where he mediated disputes and handled grievances under the Human Relations Code, including claims of discrimination or harassment that increasingly involved misuse of the Internet. He also completed one year of service as an Instructor in the Academy for Community Service for AmeriCorps National Civilian Community Corps where he taught alternative dispute resolution and facilitated service learning projects. He began his professional career in higher education as the Resident Student Life Director at Michigan State University. He is the co-editor of a book in the EDUCAUSE Leadership Strategy Series entitled "Computer and Network Security in Higher Education". He is also a founding member of the Association of College and University Policy Administrators and the author of "A Primer on Policy Development for Institutions of Higher Education" and "A Framework for IT Policy Development". He writes and speaks regularly on topics related to higher education cyber law and policy. He received his law degree from Wake Forest University. He also received a certificate as an Advanced Graduate Specialist in Education Policy, Planning, and Administration from the University of Maryland.

 

Tags from the EDUCAUSE Library

Most Popular

Stay Up-to-Date

RSS Email Twitter

Share Your Work and Ideas

Issues coming up will focus on designing the future of higher ed, digital engagement, and new business models. Share your work and ideas with EDUCAUSE Review Online.

E-mail us >

Purchase

EDUCAUSE Members: $4.00
Non-Members: $4.00
Close
Close


Annual Conference
September 29–October 2
View Proceedings

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.