Law is the floor, policy is the citizen threshold of our community. Thrilled to find these concepts of floor and citizenship at the etymological core of law and policy respectively, I have held onto it to inform my labors ever since. Institutionally, counsel sets the floor by saying, in the famous words of our first chief justice, "what the law is." Policy is that rule, or set of rules, which functions as the "law" of the institution. It cannot go below the level of the law, obviously, but it can rise above it. For example, if I find a fancy pen or expensive earring on the ground in the City of Ithaca, I can keep it. Finder's keepers, loser's weepers! Cornell does not have a policy on this point, but for the sake of discussion let's say that it did. For example, "Anyone who finds something of value on the Cornell campus must bring it to the lost and found department." Akin to an "honor code" (and both share the challenge of enforcement), these kinds of policies point to the fact that Cornell can establish a policy that is well above the floor of the law. Cornell has no redress against a visitor who finds and pockets my beautiful Sailor fountain pen (just give it back!!) or my diamond earring (please, give it back!!), but it does set a higher expectation of behavior for the citizens of its community.
So long as institutions can create whatever policy they want, why don't they set all kinds of proverbial high bars? There are many reasons, including making the environment so restrictive as to alienate people, but the most important one is that once a policy is made, an institution has to abide by it. The foundation of this notion in the courts derives mainly from "due process." It applies to employment cases in particular where the institution has a termination, tenure or promotion procedure and the plaintiff's claim would be that it was not followed properly, or that there was not the appropriate degree of due process in the final decision. Another theory might be contract, whereby existing policies may "imply" a contractual obligation between the institution and a member of the community. And other theories, including from tort law, may apply. The main point being that policies imply obligations on the institution's part. Therefore, colleges and universities cannot make them willy-nilly, but regarding means and ends should be both intentional and deliberate.
This background discussion brings me to the subject of aspirational policies. Policies based on regulatory compliance are, as we say in the law, res ipsa loquiter, or they "speak for themselves." Policies organic to the culture and tradition of a campus, such as an honor code might be for a mission-driven institution, are an extension of what makes American higher education great: its diversity. Policies that express an institution's aspirations are yet another flavor, and so before I go on allow me an example. Back a few years, we proposed a network registry policy. The law does not require registration of devices. It hardly constitutes as aspect of Cornell's particular mission (any person, any study might apply to a web accessibility policy, but don't get me started!). It was, however, a piece of the whole that comprised the approach that the IT Security Office wanted to take toward technical security of information technology resources. It made a lot of sense (i.e. in the law's eye's it was "reasonable.") How can you exercise security if you don't where or whose machine might be rogue? Nonetheless, the proposed policy produced tremendous push back. Arguments from anonymity to an aversion to centralization converged on, well, me for almost eighteen months. I'll spare you the details and jump to the point: even after it passed all the hurdles of our policy process (to be detailed in my blog on policy on policies), uptake was well below the usual 80/20 rule of thumb. Way below.
So I trooped up to my favorite member of university counsel (who shall not be named, her preference, not mine) and ask her what we should do. After careful consideration of the matter, she declared nothing more than continue to incorporate this administrative security issue into the other policy approaches, as well as the technical and physical ones, toward an IT security program. Wow! I guess it was the lawyer in me that thought we would have to scrap it. But that is an inexperienced lawyer in me indeed for not remembering that the law is often a matter of interpretation and not knowing that the "due process" and "contract" aspects of institutional policy were not the only considerations to be had in the total evaluation of an institutional policy. Okay, so I got a "B," and not an "A" on that exam, but experience is a good teacher!
Aspirational policies are those that set reasonable expectations, can be implemented procedurally as well as technologically and are an administrative arm of an institution's program or programmatic kind of direction. Local mileage may vary, check out how and in what ways an aspiration policy might work for your institution with stewards, stakeholders and counsel. But the key message of this blog is to say, "Don't be afraid of them." As an extension of citizenship, they may be a stretch today but the expectation to which you hope to bind your community, for good and just reasons, tomorrow.
Oh, and if anyone is interested in the Network Policy specifically, including all of the work that our IT staff to implement it, here is a good place to start: http://www.cit.cornell.edu/policies/university/security/netreg/