A Framework for IT Policy Development

min read


EDUCAUSE Review, vol. 39, no. 2 (March/April 2004): 54–55.

Rodney J. Petersen

Colleges and universities often engage in policy development to come into compliance with external mandates such as new federal or state laws and regulations. Occasionally, institutional policies are established because of internal business needs. However, few institutions follow a consistent process when a new policy need arises, and even fewer have considered a framework that should guide the results.

The Association for College and University Policy Administrators has developed a Policy Development Process with Best Practices (http://process.umn.edu/ACUPA/projects/process/). Some of the most important decisions get made during the "predevelopment" phase, which includes identifying issues, establishing ownership, determining policy path, and assembling the drafting committee. There is a tendency for legal compliance and concerns for institutional liability to drive the process, cloud the issues, and unduly influence results. A legalistic approach to policy development may stifle creativity and emphasize "doing things right" as opposed to "doing the right thing." Therefore, colleges and universities should adopt a more holistic framework that takes into account considerations of law, values, ethics, and morality.

It Policies Framework
Click for larger view.


It would be unwise to ignore the legal context in which college and university policies operate. There is considerable jurisprudence about the application of constitutional principles in the higher education setting. Additionally, federal and state statutes and regulations dictate requirements for colleges and universities and often provide specific guidance on the elements that a policy should contain. Educational environments are increasingly regulated and operate within a society that is litigious. Consequently, liability may result from the absence of appropriate policies and procedures or from failure to follow policies and adhere to necessary standards of care.

A number of legal and compliance issues affect the use of information technology in colleges and universities. The Digital Millennium Copyright Act of 1988 (http://www.educause.edu/issues/issue.asp?issue=dmca) and the provisions that provide "limitations on liability relating to material online" sparked policy reviews and resulted in fine-tuning of institutional procedures for responding to complaints of copyright infringement. The Health Insurance Portability and Accountability Act of 1996 (http://www.educause.edu/issues/issue.asp?issue=hipaa) provoked a number of compliance activities, including the designation of privacy officers, the notification of privacy practices, and a host of new institutional policies and procedures. The Safeguards Rule of the Gramm-Leach-Bliley Act of 1999 (http://www.educause.edu/issues/issue.asp?issue=glb) stimulated security risk assessments and the formalization of IT security programs to protect financial information. Of course, preventing copyright infringement, protecting health information, and safeguarding financial information are arguably practices that colleges and universities should have put in place without being required to do so by law or regulation. Nonetheless, many institutions are now forced into a compliance mode and were unable to head off further regulation because they had not voluntarily taken on the task of developing policies that might support the values, ethics, or moral standards that are characteristic of institutions of higher education.


Colleges and universities embrace values that are important to the academy. All decisions that affect institutional governance and operations should be driven by those values. Institutions of higher education are characterized by a commitment to shared governance, academic freedom, safety and security of community members, and respect for individual privacy. Unfortunately, legal mandates do not always reflect what experts might determine to be the best way to address specific problems. Therefore, whenever possible, institutions should insert their own judgment and expertise, consistent with legal requirements, but they should be careful not to relinquish or compromise important academic values.

Historically, one of the least regulated areas of American society has been the establishment of national standards for privacy. Although this is quickly changing, colleges and universities still have a great deal of latitude to make choices about how much or how little privacy to afford individuals. For example, the report Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities (http://www.educause.edu/ir/library/pdf/PUB3102.pdf) identifies the privacy challenges and opportunities of technology advances, presents a set of primary principles that underlie fair information practices, and recommends a process whereby a full spectrum of campus constituencies can be involved in discussions that will lead to a better understanding of campus culture and values with regard to these principles. Another, more recent report, Principles to Guide Efforts to Improve Computer and Network Security for Higher Education (http://www.educause.edu/ir/library/pdf/SEC0310.pdf), describes higher education values and offers principles to serve as a starting point for campus discussions regarding computer and network security.


Implicit in an approach predicated upon "doing the right thing" is the consideration of ethical judgments of "right" and "wrong." A sense of ethics can guide us when laws are absent or when laws are silent on particular issues or when discretion is allowed. The insertion of ethics has been particularly useful in the field of information technology because the law has not evolved or matured to a stage sufficient to address all of the potential abuses. However, if colleges and universities are too slow to act or if they refuse to do "the right thing," the result can be legislative solutions that are often bureaucratic and usually undesirable.

Policies and practices that are based on ethical principles also afford greater flexibility and permit educational interventions that are sometimes impeded by legalistic or compliance-driven policies. Ethical decisions are typically not self-serving but instead consider what is best for the community rather than the individual. When it comes to policy enforcement, engaging students or employees in a conversation that measures their behavior against community standards or ethical norms can be instructional. Additionally, policies that are grounded in ethical principles help students and employees to become better citizens.

The advent of acceptable use policies (AUPs) in the mid-1990s provides an excellent illustration of how ethics or considerations of "netiquette" can influence campus policies. Although AUPs often contained provisions that prohibited illegal conduct, there was a great deal of uncertainty in the beginning about how existing criminal and civil laws would be applied to cyberspace. Additionally, efforts to develop new laws specifically designed to regulate Internet use (e.g., the Communications Decency Act of 1996) were overturned by courts or were considered too controversial to become law. Therefore, campus policies tended to appeal to "ethical" and "responsible" use. For example, AUPs described computing resources as "shared resources" and encouraged community members not to use more than their fair share or to unreasonably interfere with others' use of limited resources. The "Primary Principles" section of the University of Maryland Guidelines for the Acceptable Use of Computing Resources states: "Concomitant with free expression are personal obligations of each member of our community to use computing resources responsibly, ethically, and in a manner which accords both with the law and the rights of others. The campus depends first upon a spirit of mutual respect and cooperation to create and maintain an open community of responsible users" (http://www.umd.edu/aug).


A number of private colleges and universities have religious ties or traditions. Therefore, some decisions regarding institutional policies may have moral dimensions. Although ethics is sometimes described as a "moral philosophy," morality extends the concept to include judgment of the goodness or badness of human action and character. Morality is often associated with institutions that hold their members to a higher standard than necessary according to the law or to the values or ethics of society at large—usually holding them accountable to some higher authority.

Some of the most difficult areas to regulate or control on the Internet concern sexually explicit content. The presence of material that is indecent, obscene, pornographic, and offensive continues to be troubling to many and poses puzzling public-policy issues. Although colleges and universities are under obligations to prevent sexual harassment and prevent hostile educational or working environments, they must also consider the countervailing claims of academic freedom and free speech. State colleges and universities are legally obligated to uphold the First Amendment and are often caught in the middle of contentious battles over policy and practice. Somewhat immune from legal and constitutional considerations, private institutions, particularly religiously affiliated colleges and universities, are able to invoke moral grounds for preventing the use of the Internet to display or distribute sexually explicit content. Although blocking such use conflicts with important values such as academic freedom, this type of action is a plausible consideration for institutional policy and practice.

A Holistic Approach

Policy development is too important to leave to lawyers. The risks are too great to trust the vagaries of shared governance processes and autonomous faculty members or students. The growth of information technology use on campus is exercising institutional policies in new ways. The demand for new or revised policies and procedures affords colleges and universities a new opportunity to think holistically about policy development. A framework that considers law, values, ethics, and morality, combined with a process that is inclusive and comprehensive, affords higher education the greatest chance of developing IT policies that will achieve the purpose for which they are intended.

Rodney Petersen is a policy analyst with EDUCAUSE and is project coordinator for the EDUCAUSE/Internet2 Computer and Network Security Task Force. He is also a founding member of the Association of College and University Policy Administrators. Comments on this column can be sent to the author at [email protected].