A Model for IT Policy Development

 

Marilu Goodyear

Beth Forrest Warner

 

University of Kansas, Lawrence, Kansas

 

 

 


 

 

Abstract: IT policy development requires informed participation by a broad segment of the campus community. A critical element in the process is wide access to not only the policies, but the underlying legal foundations. The approach to IT policy at the University of Kansas provides a web-based model and policy framework for providing education and encouraging broad campus participation.

 

 

 


 

 

Copyright Marilu Goodyear and Beth Forrest Warner, 2001.

 

This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

 

 

 


Current Campus Environments and Rate of Technology Change

 

Higher education institutions are not known for their ability to change quickly. Given that it is the oldest modern institution (Harvard, the nation's first university, was founded in 1636), it is not surprising that change comes slowly to universities. One factor contributing to this apparent stability is the diffuse and collaborative nature of decision-making in universities. While the stability of its environment has served the university well in the past, this may no longer be the case given that changes are coming much faster, particularly in the information technology area. This rate of change coupled with differing rates of adoption and acceptance within the community provides a challenge to the university that is often posed as an opposition between its traditional environment and the forces of change.

 

However, there is a different way of thinking about technological change and the university. One of the reasons the university, as an institution, has been able to survive is that it holds resolutely to the values of learning and research. These core values provide a steadfast mission: teaching students and contributing to the growth of knowledge. This mission does, in fact, remain unchanged even though the means of implementation and the tools utilized change constantly (Duderstadt 2001). In fact, we believe that there is not an inherent conflict between the traditional values of the university and the change process needed to effectively incorporate information technology into the life of the university. A university can hold to its fundamental values AND move forward in the means and methods of achieving its goals.

 

This environmental factor is particularly important in developing policy for information technology. Policy must be incorporated into the daily life of the university in order to be effective. It must be consistent with the university's traditional values and have consensus in order to gain compliance. A key ingredient in gaining consensus is full discussion of the issues involved. However, if the process is to result in success, the discussion must be productive in the sense that issues are explicit and participants are informed.

 

Some universities have begun their policy process by creating a list of complaints and problems with the use of technology. Policy is developed to address these specific situations and then put into the university policy framework. Starting with reactive policy parameters can result in an immediate debate by the participants about the technology or specific wording of the policy which can in fact obscure what is really at the heart of the debate: a difference in values. If consensus is reached on values first, then the specifics of a policy can be worked out in relation to the long-term value objectives in conjunction with the current technology. Policy which starts with problematic use of technology risks a disconnect with core university values and can result in policy that is so specific to a particular technology that it quickly becomes out-of-date. By contrast, policy that is developed by starting with university values in an appropriate framework has the potential to result in a more consistent and enduring policy.

 

Given these premises then, policy should be developed after two environments are established with participants: 1) a framework is established which reflects the articulated values of the university, and 2) participants are educated as to the broader context for policy development including legal parameters at the federal/state level and local Board and University policy parameters. This paper describes a process of policy development that utilized those two environments along with appropriate technologies for collaborative work.

 

 

The KU Environment

 

First, just to set the stage, let us give you a little background on the University of Kansas and its technology environment. Opened in 1866, the University of Kansas is a comprehensive educational and research institution with 27,800 students and more than 2,000 faculty members. KU includes the main campus in Lawrence; the Medical Center in Kansas City, Kansas; the Edwards campus in Overland Park; a clinical campus of the School of Medicine in Wichita; and educational and research facilities throughout the state.

 

KU comprises 14 major academic divisions: the College of Liberal Arts and Sciences, the Graduate School, and the Schools of Allied Health, Architecture and Urban Design, Business, Education, Engineering, Fine Arts, Journalism and Mass Communications, Law, Medicine, Nursing, Pharmacy, and Social Welfare.

 

KU is classified as a Carnegie Research University I for its commitment to graduate education and research.

 

At KU-Lawrence, information technology services are somewhat decentralized and are delivered by a central Information Services division as well as by IT units dedicated to individual schools and departments.  Central Information Services units provide a variety of services including:

 

Information policy issues are addressed through the Vice Chancellor for Information Services office.  Issues encountered range from copyright infringement (DMCA) to email harassment to commercial services on the University’s network – and many other things in-between.

 

 

Information Technology Policy Areas

 

In many universities, policy makers are seeking to formulate guidelines that are both reflective of the university’s values and practical. There are a number of policy frameworks offered by associations that are made up of information professionals or that are interested in technology policy (Connolly and Webster 1993; American Library Association 1993; Firestone and Schement 1995). These documents have many elements in common as they outline rights and responsibilities of the user and the system provider. Implicit in these documents are underlying values that are reflected in the specific policy issues. These underlying values were also present in the development of information policy before the advent of modern technology. Frameworks were utilized to study federal and state information policy by Overman, Cahill and Goodyear (Overman and Cahill 1990; Goodyear, 1994, 1995). At the University of Kansas, we applied these frameworks to organize the values of the University into segments that could focus our policy discussions. With the goal of making our policy process as successful as possible, we developed a values framework based on seven dimensions: access, freedom of expression, privacy, intellectual property, security, effective use of resources, and records management.

 

Access

     

The first dimension, access, proposes an open flow of information.  The ability of individuals to access any information they choose lies at the core of this area and reflects the long-held university value of intellectual freedom.  It relates to the basic democratic value of freedom, only this freedom is focused on access to information.  Included here are the concepts that access should be provided to all and should not be denied or removed without just cause.  This dimension stands on the long tradition in democratic societies of providing public education, libraries, and freedom of information laws concerning government information. 

 

We embodied this dimension in our policy with the following language: 

 

 “The University maintains access to local, national, and international sources of information and communication mechanisms for the expressed purpose of supporting the teaching, research, and service mission of the University.  Information resources will be used by members of the community with respect for the public trust through which they have been provided and in accordance with the law and policies established by the State of Kansas, the Board of Regents, and the University and its operating units.”

 

Included in this area on our policy Web site are policies that relate to access to systems, i.e. who is eligible for service; domain name use; remote access; and solicitation.

 

Freedom of Expression

 

The companion policy dimension to access to information is that of openness, or freedom of expression. Each individual is encouraged to participate in the civil arena of discussion within the university. These freedoms are valued in the classroom and in research endeavors as well as in campus life. In the current technology environment these forms of discourse can be supplemented by discussions through electronic mail, in chat rooms, and within mediated course software. This unmediated discourse now supplements communication through the mediated channels provided by established print, radio, and television sources on campuses. The provision of technology for active participation in the electronic community of learners is an important role for universities.

 

Our policy language for this area indicates “Freedom of expression and an open environment to pursue scholarly inquiry and for sharing of information are encouraged, supported and protected at the University of Kansas. Censorship is not compatible with the goals of the University. The University will not limit access to any information based on its content, which meets the standard of legality.” This area of our policy Web site includes general parameters for freedom of speech and comments on exceptions for libel, slander, harassment, commercial and personal use of university resources, advertising, and illegal use relating to obscene communications.

 

Privacy   

 

Privacy, the claim of individuals to determine what information about themselves should be known to others, provides a significant measure of freedom within the university environment.  Although not specifically addressed in the U.S. Constitution, privacy has been defended as a basic component of human interaction.  The advent of the electronic environment holds particular challenges for privacy concerns.  Information that is created or stored electronically is easy to access and move.  Information stored in paper form presents a natural barrier to disclosure through the practical limitations of physical access.  With electronic information, that barrier effectively no longer exists.  Easy access to electronic information has brought a renewed focus to privacy concerns. 

 

Although the University of Kansas is a public university and therefore privacy is mitigated by the legitimate needs for citizens to know university business, we have formulated a strong general privacy statement: 

 

 “The general right of privacy is extended to the extent possible to the electronic environment.  The University and all electronic users should treat electronically stored information in individual files as confidential and private.  Content should be examined or disclosed only when authorized by the owner, approved by an appropriate university official, or required by law.” 

 

This privacy statement, along with discussion of the exceptions for Open Records, effective administration of university business, administrative review, and legal search warrant, is included on the Web site.

 

Intellectual Property

 

The right of individuals to benefit or gain from their own creative and intellectual works is acknowledged in the Constitution with the words “promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors exclusive Rights to their respective Writings and Discoveries.”  Balanced against this right is the ability to promote the growth of new knowledge by using others’ works in the creation of that knowledge.  Both the right of individuals to control their own work and the right to utilize the work of others for teaching and research are fundamental to the university.

 

Controlling the use of intellectual property made available in electronic form is today one of the most controversial aspects of law in the United States.  Intellectual property owners, led by major publishing associations, have played an active role in the review and revision of existing copyright law within the federal, executive, and legislative branches.  Representatives of users and libraries have also tried to influence the process on the side of a strong provision for Fair Use.  The passage of legislation and the deciding of court cases in this area will undoubtedly continue for some time to come before a national consensus is achieved.  In the meantime, we provide for our University a fairly simple statement supporting the area of intellectual property:

 

“The University supports the production of intellectual property by faculty, staff and students for the benefit of the institution and society.  All users of electronic information have a personal responsibility to recognize and honor the intellectual property of others.”

 

The core of our policy Web site on this area is the University’s Intellectual Property policy and its policy on the trademarks of the University name and symbols. In addition to these policies, we provide extensive information on the use of copyrighted works and Fair Use for the university community.

 

Security

   

Security pertains to the reliability and integrity of the systems of the University that store and utilize data.  The ability of information technology professionals to provide consistently reliable systems depends on their expertise at securing and protecting our systems.  In addition, user behavior is a large determining factor in the security of systems.  Therefore, in the area of security, one of the most important factors is educating users and gaining their cooperation and compliance with information policy.  Our security statement says:

 

 “Academic and administrative information processing, telecommunications, and related technology are critical academic and business tools of the University of Kansas.  Inappropriate exposures of confidential and/or sensitive information, loss of data, inappropriate uses of computer networks, and risks of physical damage can be minimized by compliance with reasonable standards, attention to the proper design and control of information systems, and the sanctions for violation of security policy.” 

 

The security section discusses all the issues relating to ways to secure the campus information systems and seeks the community’s compliance with good practice for passwords, virus protection, and other means of protection.

 

Effective Use of Information Resources

 

The cost of information systems cannot be ignored and, therefore, is always an element in determining university policy. The benefits of providing electronic information systems have been clearly demonstrated – what remains for most universities is the analysis of the cost/benefit of specific systems and uses. As more faculty and students become active on university-provided systems, the pressure to increase computing capacity builds, making efficiency ever more important. On campuses across the nation, “responsible use” codes are being written to encourage computing practices that are compatible with the efficient use of systems. At the University of Kansas, we have chosen a somewhat different path by referring to this part of our policy as “effective” use. By using this term we hope to signal to users that there is a real cost/benefit ratio of use that results in the effective use of resources. As our general statement indicates:

 

 “The University provides information technology resources to the campus community for everyone’s use.  These assets should be used equitably and responsibly.  The University expects all users to be effective network citizens.  The University attempts to maintain high performance of these resources for the benefit of all.  Individual users or processes may be identified as using an inordinate amount of resource.  Priority is always given to activities that support the University’s mission of instruction, research, and service.  Non-academic student use will receive a lower priority.” 

 

Covered in this part of the policy is information on disruptive network traffic, limitations on broadcast messages, peer to peer software, and chain mail.    

 

 

Records Management

 

The core value of preservation of our history – the record of our actions – is a fundamental value for universities.  It flows from our interest in history and its proven ability to inform our current actions.  However, often those who are responsible for the management of the university may not be sensitive to the fact that they are, in fact, “making history” and, therefore, to the need to preserve a record of their actions.  In addition, a core democratic value underlies records management – that of the public’s right to know the actions of their government, including those of the public university.  Therefore, our obligation to preserve, in effective systems, a record of our activities, is based on both a desire to preserve our history and a commitment to the public value of openness. 

 

We chose these words for our policy statement: “New information technologies have transformed the ways Universities create, use, disseminate, and store information.  These new technologies offer a vastly enhanced means of collecting information for and about members of the University community, communicating with state government, and documenting the business of the University.  It is the University’s obligation to manage and preserve its records to document our history and to provide access to the citizens of Kansas.” 

     

The records management section of our site provides information to the university community concerning the definition of public records, procedures that govern the open records process, information about records retention and policies about specific record groups.  

 

 

Organization of the Policy Web Site

 

Once the core values of the policy framework were delineated, we looked to develop a basic outline of the materials that not only presented the policy itself, but the contextual resources out of which the policy was developed.  This background and contextual information is intended to accomplish the second requirement for effective policy development and compliance – informed participants.  In general, the various sections are organized to include, as appropriate:

 

Whenever possible, the actual information or link to the information is included as well as the source’s citation.  A variety of authoritative online resources are referenced including:

 

Advantages of the Use of a Web site for Delivery of Policy

 

As noted before, the aim of IT policy development for KU is to not only provide the policy statements themselves, but to provide the context these policies exist within.  We also want a delivery mechanism that provides easy access for the entire University community and is easily updated – given the volatile nature of information and technology laws and court actions.  Given these requirements, the Web provides an ideal environment to deliver local policies, in context with the laws, regulations, policies, and court actions shaping these policies via links to original material, in an easily updated and navigable format.  It also provides good mechanisms for gathering feedback on draft (and existing) policies through the use of email and feedback forms.

 

 

Policy Development Process

 

A critical aspect of effective policy development is the involvement of the affected  communities to build consensus and acceptance of specific policies and outcomes.  One of the first steps we undertook was to identify the various communities or stakeholders in the IT policy arena through a mind-mapping session with the campus IT Steering Committee (ITSC).  As is reflected in the diagram (Fig. 1, http://www.ku.edu/~vcinfo/graphics/Policy%20Groups.gif), this list of stakeholders covers a broad range of constituencies both internal and external to the University. 

 

Policy development itself involved an iterative process of identifying and linking to existing relevant University or State policies, laws and regulations; drafting new policy language as needed; inviting review and feedback from selected portions of the community via a protected website; and revising either explanatory text or policy wording as needed.  By involving the various constituencies early in the process, we were able to address concerns with draft language and avoid similar issues as new material was added to the site.  A full outline of the process can be found at http://www.ku.edu/~vcinfo/IT_policy/process.htm. 

 

 

Conclusion

 

Overall, this approach to IT policy development has worked effectively to not only create essential technology-related policy language where it is really needed, but to highlight gaps in related non-IT policies, initiate discussions regarding responsibilities for related policy development and oversight, and build a stronger sense of shared ownership and responsibility for the information and technology environment on campus.  All of these are important aspects in creating an atmosphere that recognizes technology is primarily a means to an end rather than the end itself – and develops policies aimed at guiding acceptable behavioral norms when interacting within the community, whether by technology-enhanced means or not.  By starting with a framework of shared values within which to develop policy, rather than focusing exclusively on correcting specific technology-dependent incidents, we feel the resulting policy will stand the University in good stead for the foreseeable future.

 

References

 

American Library Association, Telecommunications and Information Infrastructure Policy Forum. 1993. Principles for the development of the national information infrastructure. Chicago: American Library Association.

 

Connolly, Frank W. and Sally Webster. 1993. Bill of rights and responsibilities for electronic learners. Educom Review 28, no. 3:24-27.

 

Duderstadt, James J. 2001. Technology. Educause Review 36, no. 1:48-56.

 

Firestone, Charles M. and Jorge Reina Schement, eds. 1995. Toward an information bill of rights and responsibilities. Washington, D.C.: Aspen Institute.

 

Goodyear, Mary Lou. 1995. Information policies in the states: An application to electronic information. American Society for Public Administration. 1995 Annual Conference. Trinity Symposium on Public Management Research. San Antonio, Texas, July 23, 1995.

 

Goodyear, Mary Lou. 1993. Information and democracy: a study of the relationships between state information policies and democratic governance.  PhD Dissertation.

 

The Harvard Guide, http://www.news.harvard.edu/guide/intro/index.html

 

Overman, E. Sam and Anthony G. Cahill. 1990. Information policy: A study of values in the policy process. Policy Studies Review 9, no. 4 (summer): 803-818.

 

University of Kansas. 2001. IT Policy Website, http://www.ku.edu/~vcinfo/IT_policy

 

 


Figure 1

 

      

 

 


 

A copy of the Educause 2001 presentation slides can be found at http://www.ku.edu/~vcinfo/EDUCAUSE2001slides.htm