What Is Policy?

The term policy covers a vast number and type of concepts. For the purposes of a discussion about institutional policy, allow me to identify three types: Big “P” or national policy; Little “P” or institutional policy; and operational “policy,” a term of particular relevance to technologists, although it could also be used to in the context of “procedures” within any type of policy.

“Big “P” policy concerns those matters that rise to the level of national policy. In the information technology arena, let’s take broadband deployment as an example. What is higher education’s “policy” on broadband deployment? To answer that question we would do well to look to the expertise of national organizations such as the American Council on Education (“ACE”) or EDUCAUSE. They manage national policy issues on behalf of American’s colleges and universities. These national associations are in communication with a president and his or her office, or, if large enough of a school, an office of government affairs. Together these offices follow legislation to be sure that it is informed if not shaped by the needs and interests of higher education. Returning to our example, it would seem on balance higher education would support broadband deployment because it provisions distributed education specifically and undergirds our missions in general. Consequently, national associations such as EDUCAUSE have backed the concept no matter who is in the White House or sitting on the Commission of Federal Communications. It is not a political issue in the sense of party politics but it is a part of the national political discourse.

Higher education becomes involved in these issues because, “Ivy Tower” metaphors notwithstanding, it is an institution deeply integrated into the history, society and culture of our county. Moreover, Big “P” policy sometimes has a direct impact on institutional policy. Let’s take another example: the peer-to-peer provisions in the Higher Education Opportunity Act of 2008. Knowing that the content industry lobbied Congress heavily for the most invasive forms of content filtering, EDUCAUSE, among other associations including the national library organizations, geared its Policy Office to educate legislators about the impact that overly invasive content filtering would have on higher education’s missions. Had these organizations not brought a countervailing presence to the debate, we might all have had to deploy fingerprinting content devices on our networks to detect copyright protected entertainment material! I can image few other measures to have such a deleterious effect on free inquiry vital to research, teaching and outreach. Instead, thankfully, we have four choices that offer reasonable options to fulfill the “technology” component of the HEOA peer-to-peer provisions (more information about this issue may be found here.

Little “p,” or institutional policy, is a set of rules that addresses broad institutional need, has wide application around the university, often is in service of external compliance (but not always, a subject addressed below under the heading of “aspirational policies”), if not then it otherwise requires some kind of compliance within the institution, and ultimately preserves and protects institutional interests and assets.

If you are working on something – an idea, rule or project – that fails to meet this test, you may not have an institutional wide policy. It might be a project (e.g., implementation of Google Apps?); a procedure, which may or may not be connected to an institutional policy (e.g., “go to the HelpDesk to get your NetID”); a unit or departmental policy (e.g., “everyone in the Investment Office has to use two factor authentication,” which is one factor higher than the institution’s technical security requirements); or, for technologist in particular, an operational policy, which is often also a “back line” procedure, one that does not need to be stated in the policy explicitly but is for the benefit of the responsible office to “operationalize” (e.g., all requests for three part domain names, which will be allowed only if they follow the rules of the university policy, should be forwarded to the Director of IT Policy,” or, in the HR arena, “all immediate terminations will be reviewed by university counsel.”).

The definition of little “p” policy lends itself to a discussion of the difference between a “policy” and a “procedure.” Probably the many “policies on polices” that are in place around the country would be a better source than my musings, but here is my take on it. The “policy” is the rule; the procedure is how you accomplish or abide by it. A procedure should not be a masked rule, nor, on the other side of its definition, should it include operational or back line handling. Institutional policy does not require the spelling out of every single step, only those procedures that apply to institutional community generally. In other words, it should have as much information for the user to be able to know where to go in physical or cyberspace or do whatever it is they need to do to comply with the rule. How the responsible office handles matters behind the scenes, whether it be in loading mail services for a bulk mail or directing a request for the disclosure of an email to the appropriate institutional steward, is neither a necessary nor desirable element of an institution wide policy.

The “responsible office” is as vital a part of a policy as is a procedure. A responsible office is not always the responsible executive of a policy. For example, the responsible executive for Family Education Rights Privacy Act (“FERPA”) policies might be the institutional counsel. The registrar, often under the Student Affairs office, acts as the responsible office. The members of university counsel who set the rules are not the people who handle transcripts, send out the annual notices to students, write or act on the procedures for access to transcripts or set the administrative, logical or physical rules for security of this information. Thus distinguishes an executive from a responsible office, even as they work together to realize the goal of the policy.

Here is another example, this one from the information technologies. The Office of University Communications (“UC”) is the Responsible Executive of our mass electronic communications policy, but IT joins them as a responsible office because of the responsibilities that IT has to execute an electronic communication. Think about the proposition from the contrary perspective. Let’s say that UC stands alone. Uniformed by process or technology, they create a policy that states “electronic mail blast will go out to the entire university community (of, say, 50,000 people) within five minutes of receipt of a request for mailing.” I have intentionally made the rule absurd to reveal the flaws: that is not enough time to authenticate the request, load the servers or allow them operate in such a way as not to impede traffic on the network. Therefore, it is critical at the outset to have both offices work on the policy to assure proper coordination of efforts to fulfill the needs of the university for mass communications using the campus network system. Note in this example that the IT Office is not just a stakeholder, or someone who has reasonable interest in the direction and implementation of the policy. The Offices of Students, Alumni, Human Resources are stakeholders in this example because they do care about how messages go out from their offices and how their constituents receive them, but they are not crucial to the function of the policy.

Okay, that should be enough of a lesson for today! J Tomorrow I will write about aspirational policies, or how I learned to love the bomb!